How Hackers Crack Passwords and What You Can Do About IT

By Collin Connors, ERMProtect IT Security Consultant

When a password is the only thing standing between hackers and data, you can count on them to capitalize on weak passwords. Let’s peek inside the mind of a hacker trying to compromise your personal or work account to better understand what strategies hackers use to break your passwords.

Common Passwords

First, the hacker will try to use the most common passwords. There are lists that compile the most frequently compromised passwords involved in data breaches. At the top of most of these lists, you will find passwords such as “111111” and “password.”  A hacker will guess each password in this list until they break into your account.

Open Source Intelligence

If you do not use any common passwords, this does not mean your passwords are not vulnerable. Hackers can guess your passwords using Open-Source Intelligence (OSINT). OSINT is any information about you that is readily available online. For example, hackers will scan your social media accounts to find information such as names, key dates, places, or hobbies that you might use in passwords. Hackers will then combine all of these pieces of data to create likely passwords. For example, a hacker might find your pet’s name is Fido and your birth year is 1990 on your social media. The hacker will then guess passwords such as “Fido1990.”

Leaked Passwords

Even if you avoid using personal details in your password, a hacker can crack it. Often people will reuse passwords across multiple sites. Hackers will search for data stolen in previous data breaches to see if your credentials have been leaked before. The hacker will then try that password on your other accounts to try to break in.

Passphrase Exploitation

Hackers also exploit accounts that use similar passphrases. For example, if you use  “PasswordNetflix” for your Netflix account and “PasswordHulu” for your Hulu account. Or “PasswordFall” for one account and “PasswordWinter” for another. Or “Password1” for one account and then “Password2” for another. Hackers know to look for these patterns and use them to break into accounts.

Brute Force

If hackers don’t succeed with these strategies, they can still “brute force” their way into an account. This means they have to guess every possible password. This technique works when users make the mistake of using short passwords and a very narrow set of characters. A hacker needs only about 1 day to crack a seven-character password that contains only numbers and lower-case letters.  This moves up to 40 days when the user includes capital letters. Increasing the number of characters in your password from 7 to 8, will force a hacker to spend almost 7 years trying to crack it.

Password Manager Exploitation

What about password managers? Can they be cracked? A password manager helps you create complex passwords and saves them. While this protects your password on most sites, it also provides a single point of failure. A hacker who cracks your password manager will be able to access all of your accounts. However, if you use a complex, long, random password to secure your password manager, a hacker may find it extraordinarily difficult to hack.

What You Can Do to Protect Passwords

You can avoid the need for a password manager by creating complex, memorable passwords. You can accomplish this by using a system such as Diceware to generate passwords. Diceware works by rolling 5 six-sided dice to generate a word. You can use the generated word to create multiple passwords that are sufficiently long. For example, you might roll the dice three times and get the words “Hunger Starship Genre.” You can then add random numbers and symbols and capital letters into the words to get something like “Hu#n2Ger StarSh!ip4 gen&54RE.” This password only requires a user to remember 3 words but is complex enough that it will take a hacker a decade to crack. More information about this system can be found here (

Another great security strategy is enabling two-factor authentication (2FA). 2FA requires you to present two different types of identification such as a password and a one-time token sent to your phone. So, even if a hacker compromises your password, he will not be able to access your account because he doesn’t have the token.

In Summary

Now that you know how hackers think - and the tactics they use to compromise passwords – let’s review:

  • If you are determined to keep hackers out, use a password of at least 11 characters consisting of numbers, letters, and symbols.
  • The password should not contain any personal information such as key dates or names.
  • The password should not be reused for other sites.
  • If you use a password manager, be sure you use a strong master password or a system such as Diceware to generate random, easy-to-remember passwords.
  • Lastly, enable two-factor authentication so even if a hacker gets lucky and guesses your password, he strikes out.

Get a curated briefing of the week's biggest cyber news every Friday.

Stop Phishing Attacks with ERMProtect's Security Awareness Training

Turn your employees into a human firewall with our innovative Security Awareness Training.

Our e-learning modules take the boring out of security training.

Intelligence and Insights

How ERMProtect Traced $1.2 Million in Alleged Crypto Scam

How ERMProtect Traced $1.2 Million in Alleged Crypto Scam

Read how ERMProtect helped NBC6 trace $1.2 million bilked from South Floridians …
Problems Found in Penetration Testing

5 Most Common Problems Found in Penetration Testing

If you pay attention to the most common digital vulnerabilities, your organizations won’t inadvertently make a hacker’s job easier …
digital forensics

What Is Digital Forensics and When Do You Need It?

Digital forensics is often a critical component of criminal cases, civil fraud cases, whistleblower complaints, internal investigations, and other matters that require analysis …