Password Cracking: 10 Tools & Techniques + Defense Strategies

Author

Michał Kowalewski

Last Update

October 27, 2025

Table of Contents

What is a password cracker?

10 most common password cracking techniques

6 password cracking tools hackers actually use

How to protect against password crackers

Deel IT for password security at scale

Key takeaways

  1. Password crackers use 10 common techniques including brute force, dictionary attacks, and phishing to compromise credentials. Understanding these methods is the first step to defending against them.
  2. Tools like Hashcat can test 100 billion password combinations per second using GPU acceleration, making previously "uncrackable" passwords vulnerable in minutes.
  3. Effective defense requires multiple layers: strong password policies, MFA, modern hashing algorithms, and device-level security controls that enforce protection from day one.

Every 39 seconds, a hacker attempts to breach a system. And in 82% of data breaches, the entry point is a compromised password.

Most organizations have no idea how vulnerable their passwords really are. While you're enforcing "strong password policies," hackers are using sophisticated tools that can test billions of combinations per second.

This guide reveals the 10 techniques and 6 tools hackers actually use to crack passwords in 2025. You'll learn exactly how these attacks work and what separates a secure password from one that falls in minutes.

What is a password cracker?

A password cracker is software that recovers or bypasses passwords by systematically testing combinations, exploiting encryption weaknesses, or leveraging stolen data. Security teams use these tools to test vulnerabilities. Cybercriminals use the exact same technology to infiltrate networks and steal data.

Online vs offline password attacks

Password crackers operate through two primary attack methods, each with distinct advantages and limitations.

Online attacks target live systems directly, submitting password guesses to active login pages. They're straightforward but limited. Most systems implement lockout policies after several failed attempts, and the attacks generate obvious log entries. Network latency slows everything down since each guess requires a round-trip to the server. These attacks typically max out at 10-1,000 attempts per second.

Offline attacks are far more dangerous. Attackers first steal a password database or hash file through system vulnerabilities or data breaches. With the data in hand, they can crack passwords at maximum speed without triggering any alarms. Using CPU-based cracking, attackers test 10,000-100,000 attempts per second. With GPU acceleration, that number jumps to 10 million-100 billion attempts per second.

This speed differential is staggering. A password that would take 10 years to crack through online guessing might fall in minutes once an attacker obtains the password hash.

Understanding password hashes

Most systems don't store passwords in plain text. They store password hashes, which are outputs of one-way cryptographic functions that convert your password into a fixed-length string:

Password: "password"
MD5 Hash: 5f4dcc3b5aa765d61d8327deb882cf99
SHA-256 Hash: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Hash functions are designed to be one-way. You can't reverse the hash back to the original password. But password crackers don't need to. They generate millions of password guesses, hash each one, and compare the results to the stolen hash. When the hashes match, they've found the password.

Hash cracker vs password cracker

While often used interchangeably, these terms have subtle distinctions. Hash crackers specifically target cryptographic hashes in offline attacks. They're optimized for scenarios where attackers have already obtained a database of hashed passwords. Tools like John the Ripper and Hashcat excel at this type of attack.

"Password cracker" is the broader term, covering any tool designed to compromise passwords, including online attacks, password recovery, and hash cracking. For practical purposes, most modern password cracking is actually hash cracking, since responsible systems store hashed passwords rather than plain text.


10 most common password cracking techniques

Modern password attacks use sophisticated methods that go far beyond simple guessing. Here are the ten techniques that account for the vast majority of successful password compromises in 2025.

1. Brute force attack

A brute force attack systematically tests every possible character combination until finding the correct password. The attacker's software starts with "a" and works through "z," then "aa," "ab," "ac," and so on, testing every permutation of letters, numbers, and symbols.

The mathematics behind brute force reveal why password length matters so much. For passwords using only lowercase letters:

  • 1 character = 26 possibilities
  • 2 characters = 676 possibilities
  • 8 characters = 208,827,064,576 possibilities

Using a modern GPU capable of 10 billion attempts per second:

  • 8-character password (lowercase only): 21 seconds
  • 8-character password (mixed case + numbers): 7 hours
  • 12-character password (full complexity): 2,000 years

Despite being computationally expensive, brute force attacks are guaranteed to eventually find the password. They're most effective against short passwords or systems without rate limiting. In 2023, attackers used brute force to compromise over 100,000 accounts, primarily targeting 6-8 character passwords.

2. Dictionary attack

Rather than testing random combinations, dictionary attacks use lists of likely passwords based on human psychology. People choose passwords they can remember, which means they're often based on real words, personal information, or common patterns.

Attackers maintain massive databases of potential passwords. The infamous rockyou.txt file contains 14 million real passwords from a 2009 data breach and remains one of the most popular wordlists today. These databases include:

  • Common dictionary words in multiple languages
  • Keyboard patterns like "qwerty" and "asdf1234"
  • Common substitutions like "p@ssw0rd" and "l3tm31n"
  • Dates, names, and cultural references
  • Passwords from previous breaches

The software hashes each entry and compares it to the target hash, making millions of educated guesses in seconds. Studies show that 30% of passwords crack with dictionary attacks alone, and over 60% when combined with basic variations like adding numbers or capitalization changes.

Dictionary attacks succeed because of widespread password reuse. When 52% of users admit to reusing passwords across multiple accounts, a single breach can cascade into multiple compromised systems.

3. Rainbow table attack

Rainbow tables are pre-computed lookup tables that dramatically speed up hash cracking by eliminating the need to calculate hashes in real-time. Instead of generating and hashing millions of passwords during an attack, attackers use massive databases where the computational work has already been done.

These tables contain millions or billions of pre-calculated password/hash pairs. For example:

Password    MD5 Hash
password    5f4dcc3b5aa765d61d8327deb882cf99
123456      e10adc3949ba59abbe56e057f20f883e
qwerty      d8578edf8458ce06fbc5bb76a58c5ca4

When an attacker obtains a hash, they simply look it up in the table. No computation required.

Rainbow tables can be enormous. A complete rainbow table for 8-character passwords using full ASCII characters would exceed 100 terabytes, but optimized tables using chain reduction techniques compress this significantly. Free rainbow tables are available online for common hash types like MD5, SHA-1, and NTLM.

The primary defense against rainbow tables is salting. A salt is random data added to each password before hashing, meaning every user's hash is unique even if they have the same password. This forces attackers to generate new rainbow tables for each salt value, which is computationally impractical for large datasets. Modern password hashing algorithms like bcrypt, scrypt, and Argon2 incorporate salting by default.

4. Mask attack

Mask attacks represent a more targeted brute force technique that exploits known password creation patterns. Instead of testing every possible combination, attackers apply filters or "masks" to dramatically reduce the search space.

These attacks analyze recognizable patterns from previous breaches. Research shows that users often create passwords with capital letters at the beginning, numbers at the end, and special characters in predictable positions.

For example, a mask attack might specify "uppercase letter + 6 lowercase letters + 2 digits" to match passwords like "Welcome99." By applying these constraints, attackers can crack complex-looking passwords much faster than pure brute force. A password that would take years to crack through brute force might fall in minutes with an effective mask.

The technique is particularly dangerous when combined with information gathered about the target organization or user through social media reconnaissance.

5. Credential stuffing

Credential stuffing exploits the dangerous reality of password reuse. Attackers use compromised credentials purchased from the dark web or obtained from data breaches to log into other, unrelated user accounts.

Unlike traditional brute force attacks, credential stuffing isn't random. It relies on known username and password pairs. Since users tend to recycle the same credentials across multiple accounts, it's likely that one breached password will appear again on other apps or websites.

The scale is staggering. Akamai reported blocking 193 billion credential stuffing attacks in 2020 alone. These attacks are often automated using botnets, allowing attackers to test millions of stolen credentials across thousands of websites simultaneously.

Financial services, e-commerce platforms, and streaming services are prime targets. A credential stuffing attack might compromise a user's email, then use that access to reset passwords on banking or shopping accounts. The cascading effect of a single password reuse can lead to complete identity theft.

6. Password spraying

Password spraying flips the traditional brute force approach. Instead of trying many passwords against a single account, attackers try the same password against thousands of accounts at once. This technique helps bypass account lockout mechanisms that trigger after several failed login attempts on a single account.

Attackers typically use extremely common passwords in these campaigns. NordPass's annual research reveals that passwords like "123456," "password," and "qwerty" remain stubbornly popular. By testing these high-probability passwords across an entire organization's user base, attackers maximize their chances of finding at least one vulnerable account.

Password spraying is particularly effective against corporate environments. An attacker might obtain a list of employee email addresses through LinkedIn or company websites, then systematically test common passwords against each account. Even if only 1-2% of accounts use weak passwords, that's enough for initial access to the network.

7. Spidering

Spidering takes dictionary attacks to a highly targeted level by gathering intelligence about a specific organization. Instead of using generic wordlists, attackers build custom dictionaries based on company-specific information.

The reconnaissance phase involves:

  • Scraping social media posts and web content
  • Reviewing employee handbooks and product manuals
  • Analyzing marketing materials and style guides
  • Studying job postings for internal project names

Attackers compile this intelligence into a specialized wordlist. Instead of testing "password123," they try combinations like "CompanyName2024!" or "ProductCodeBlue" or "CEONameOffice." The success rate is significantly higher because employees often incorporate familiar company terms into their passwords.

Spidering requires more upfront effort, which is why it's typically reserved for high-value corporate targets. But a few hours of research can generate a wordlist that cracks executive accounts that would resist generic attacks.


8. Man-in-the-middle (MitM) attack

Man-in-the-middle attacks intercept communications between users and systems, capturing credentials as they're transmitted rather than cracking them directly.

Active MitM attacks involve session hijacking. Attackers spy on web traffic, identify active session IDs, and use the attached tokens to breach accounts. They can intercept:

  • Login credentials
  • Authentication tokens
  • Multi-factor authentication codes (if transmitted insecurely)

Passive MitM attacks are simpler but equally effective. Attackers create fake public WiFi hotspots with legitimate-sounding names like "Airport_Free_WiFi" or "Starbucks_Guest." Users who connect unknowingly give attackers full visibility into their online activities. Any credentials transmitted over unencrypted connections are captured in plain text.

The rise of HTTPS has made MitM attacks more challenging, but they remain effective in public spaces like airports, cafes, and hotels where users ignore security warnings.

9. Phishing

Phishing attacks trick users into voluntarily sharing passwords through social engineering rather than technical exploits.

How phishing works:

Attackers send persuasive messages via email or text, impersonating trusted entities like banks, IT departments, or popular services. The message creates urgency ("Your account will be suspended!") or curiosity ("You've received a secure message") to prompt immediate action.

Common phishing mechanisms:

  • Fraudulent links that download malicious software
  • Spoofed websites that mimic legitimate login screens
  • Fake password reset requests
  • Urgent security alerts claiming suspicious activity

Random phishing casts a wide net. The classic "inheritance" scam might seem obviously fake, but send a million emails and even a 0.1% success rate yields 1,000 compromised accounts.

Targeted phishing (spear phishing) is far more dangerous. Attackers research specific individuals, then craft convincing messages that reference real projects, colleagues, or systems. An email might perfectly mimic your IT department's password reset process. According to recent research, 83% of organizations experienced successful phishing attacks in 2023.

10. Malware

Malware takes the most invasive approach, stealing passwords directly from infected devices. These programs install silently through phishing emails, compromised websites, or malicious file attachments.

Three primary types target passwords:

Spyware hides on systems and secretly gathers information about internet activity, including:

  • Passwords and PINs
  • Payment information
  • Browsing history and form data

The data transmits back to attackers in the background without noticeable performance issues.

Keyloggers record every keystroke typed into a device, making it trivial to capture usernames, passwords, credit card numbers, and private messages. Advanced keyloggers can capture screenshots when password fields are detected, defeating on-screen keyboards.

Info-stealers specifically target password storage locations:

  • Browser credential stores
  • Password manager databases
  • Authentication tokens and session cookies
  • Multi-factor authentication codes stored locally

The distribution of malware has become increasingly professional. Malware-as-a-service platforms allow even novice attackers to deploy sophisticated password-stealing tools.


6 password cracking tools hackers actually use

Security professionals and attackers use identical tools. The difference is authorization and intent, not capability. Here are the six most powerful password crackers in active use today.

1. John the Ripper

First released in 1996, John the Ripper remains the most established password cracker in the security community. It's the tool most penetration testers reach for first, and for good reason. It's free, open-source, works across all major operating systems, and automatically detects which hash algorithm you're trying to crack.

What makes John particularly effective is its methodical approach. It starts with dictionary attacks using databases of common passwords, then moves to rule-based variations that test substitutions, combinations, and transformations. The tool essentially mimics how humans create passwords, testing "password" before trying "P@ssw0rd" and "Password123."

Key capabilities:

  • Automatic hash type detection for 200+ algorithms
  • Command-line interface for Linux, macOS, and Windows
  • Built-in wordlists and rule-based attack modes
  • Free community version plus commercial "Pro" with parallel processing

Both security teams and attackers use the identical tool. The difference is authorization, not capability.

2. Hashcat

Hashcat changed the password cracking game when it launched in 2015 by harnessing GPU power. While John the Ripper tests 100,000 passwords per second on a CPU, Hashcat can test 100 billion per second using a high-end graphics card. That's not a typo. The speed difference is that dramatic.

The tool's specialty is mask attacks, where you define password patterns like "capital letter + 6 lowercase + 2 digits." If you know your target company enforces that exact pattern, Hashcat can systematically test every possible combination at GPU speed. What might take years with brute force takes minutes with the right mask.

Key capabilities:

  • GPU acceleration using NVIDIA and AMD graphics cards
  • Supports 300+ hash algorithms
  • Multiple attack modes including mask, dictionary, and hybrid
  • Distributed cracking across multiple machines

Attackers with access to cloud computing or cryptocurrency mining rigs can scale this power even further. A password that seemed secure five years ago might crack in hours today.

3. Ophcrack

Ophcrack made Windows password cracking accessible to anyone who could boot from a USB drive. It specializes in Windows password hashes using pre-computed rainbow tables, which means the hard computational work is already done. You're just looking up answers in a massive database.

The LiveCD feature is what makes it particularly dangerous. Boot any Windows machine from an Ophcrack USB drive, and it automatically extracts password hashes and begins cracking them. No need to log in first. No need to understand cryptography. The graphical interface walks you through the entire process.

Key capabilities:

  • Specialized Windows LM and NTLM hash cracking
  • Free rainbow tables for alphanumeric passwords up to 14 characters
  • LiveCD for physical access attacks
  • Point-and-click interface requiring zero technical knowledge

The good news is that modern Windows (10+) has largely moved away from the vulnerable LM hash format. Ophcrack's effectiveness has declined significantly against current systems.

4. Cain and Abel

Cain and Abel is the Swiss Army knife of password cracking, but for Windows only. It doesn't just crack password hashes. It sniffs network traffic, performs man-in-the-middle attacks, recovers wireless passwords, and even records VoIP conversations. It's an all-in-one toolkit that makes sophisticated attacks accessible through a graphical interface.

What makes Cain particularly concerning is how it lowers the barrier to entry. Where tools like John the Ripper require command-line knowledge, Cain presents everything through menus and buttons. Point, click, wait. The tool democratizes attacks that once required significant technical expertise.

Key capabilities:

  • Network packet sniffing to capture credentials in transit
  • ARP poisoning for man-in-the-middle attacks
  • Password cracking for multiple hash types
  • Wireless network password recovery

The network sniffing is the real threat. Run Cain on a local network, and it passively captures passwords transmitted over FTP, HTTP, and other unencrypted protocols. Your employees could be handing over credentials without knowing it.

5. THC Hydra

Unlike the offline hash crackers above, THC Hydra attacks live systems in real-time. It's designed for online password cracking, which means it's testing credentials directly against your login pages, SSH servers, and databases. Every guess hits your actual infrastructure.

Hydra's strength is its protocol support. It works against 50+ network services, from web applications to enterprise systems. Feed it a list of usernames and passwords from previous breaches, and it systematically tests every combination. The parallel connection feature allows multiple simultaneous login attempts, turning what would take weeks into hours.

Key capabilities:

  • Supports 50+ protocols including HTTP, SSH, FTP, RDP, and databases
  • Parallel connections for simultaneous login attempts
  • Credential stuffing and password spraying attacks
  • Integration with other penetration testing tools

Security teams use Hydra to find weak credentials before attackers do. But without proper rate limiting or account lockouts, the same tool lets attackers compromise accounts at scale.

6. Aircrack-ng

Aircrack-ng targets a different attack surface entirely: your WiFi network. It's a comprehensive suite for wireless security assessment that can capture network traffic, extract authentication handshakes, and crack WiFi passwords offline. Once someone captures your WPA handshake, they don't even need to stay near your network to crack it.

WEP encryption is essentially broken. Aircrack-ng can crack WEP keys in minutes by analyzing patterns in how the encryption works. WPA2 provides much better protection, but it's still vulnerable to dictionary attacks if users choose common or weak passwords. That "company-wifi-2024" password isn't as secure as you think.

Key capabilities:

  • Complete WiFi security testing suite
  • WEP and WPA/WPA2-PSK encryption breaking
  • Handshake capture for offline cracking
  • Works with compatible wireless adapters in monitor mode

The tool requires specific hardware (wireless adapters capable of monitor mode and packet injection), which limits who can use it effectively. But compatible adapters are readily available and cheap.


How to protect against password crackers

Understanding attack methods is only valuable if you implement effective defenses. Here's how to protect your organization against password cracking attacks.

Enforce strong password policies

Length beats complexity every time. A 12-character password with mixed case and numbers provides more security than an 8-character password with maximum complexity requirements.

NIST guidelines recommend:

  • Minimum 8 characters for user-generated passwords
  • Minimum 12 characters for optimal security
  • No mandatory complexity requirements that force "P@ssw0rd" patterns
  • Screen passwords against breach databases
  • No forced periodic password changes

Implement password strength checking at account creation. Tools like zxcvbn estimate how long a password would take to crack based on actual cracking patterns, not arbitrary complexity rules.

Implement multi-factor authentication (MFA)

MFA eliminates password-only authentication, requiring additional verification beyond what users know. Even if attackers crack a password, they can't access the account without the second factor.

Effective MFA implementations include:

  • Time-based one-time passwords (TOTP) via authenticator apps
  • Hardware security keys (WebAuthn/FIDO2)
  • Biometric authentication on managed devices
  • Push notifications to registered devices

Avoid SMS-based MFA where possible. SIM-swapping attacks bypass SMS authentication by hijacking phone numbers.

Use modern password hashing

Legacy hash functions like MD5 and SHA-1 crack in seconds. Modern algorithms are specifically designed to resist password cracking through computational slowness.

Recommended algorithms:

  • Argon2: Winner of the Password Hashing Competition, memory-hard and resistant to GPU attacks
  • bcrypt: Industry standard with configurable work factor
  • scrypt: Memory-intensive design that resists hardware acceleration

These algorithms include salting by default and allow adjusting computational cost as hardware improves. OWASP recommends Argon2id as the first choice for password hashing in 2025.
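The salting and adjustable-cost points above, as an added example that is not code from the original article. It uses scrypt from Python's standard library; the cost settings, the `scrypt$n$r$p$salt$hash` storage format and the function names are assumptions made for this demo.

```python
import hashlib
import hmac
import os

# Assumed demo cost settings; raise SCRYPT_N as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32

# The three unsalted MD5 pairs listed in the rainbow table section of this page.
PRECOMPUTED_MD5 = {
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "e10adc3949ba59abbe56e057f20f883e": "123456",
    "d8578edf8458ce06fbc5bb76a58c5ca4": "qwerty",
}


def md5_unsalted(password):
    """Legacy scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, n=SCRYPT_N):
    """Hash with a fresh 16-byte salt; the parameters travel with the hash."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(n), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except ValueError:
        return False  # malformed record or invalid parameters
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored):
    """True when a record uses a weaker cost than the current setting."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        return int(parts[1]) < SCRYPT_N
    except ValueError:
        return True


def audit_record(stored_hash):
    """Return the plaintext if a precomputed table exposes this stored hash."""
    return PRECOMPUTED_MD5.get(stored_hash.lower())


if __name__ == "__main__":
    # Two users choose the same password.
    print("MD5 alice:", md5_unsalted("qwerty"))
    print("MD5 bob:  ", md5_unsalted("qwerty"))      # identical to alice
    print("lookup:   ", audit_record(md5_unsalted("qwerty")))
    alice, bob = hash_password("qwerty"), hash_password("qwerty")
    print("scrypt alice:", alice)
    print("scrypt bob:  ", bob)                      # differs: unique salt
    print("lookup:      ", audit_record(alice))      # None
    print("verify:      ", verify_password("qwerty", alice))
    old = hash_password("qwerty", n=2**10)
    print("old record needs rehash:", needs_rehash(old))
```

Calling `needs_rehash` after a successful login lets a system upgrade old records to the current cost while it still has the plaintext in memory.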

Deploy passwordless authentication

The most effective defense is eliminating passwords entirely. Passwordless authentication removes the primary attack vector hackers target.

Modern passwordless options include:

  • Passkeys: FIDO2/WebAuthn credentials stored on devices, resistant to phishing
  • Magic links: One-time authentication links sent to verified email addresses
  • Biometric authentication: Face ID, Touch ID, Windows Hello on managed devices
  • Hardware tokens: Physical security keys like YubiKey

Passwordless authentication eliminates credential stuffing, dictionary attacks, and phishing in a single stroke. Microsoft reports a 99.9% reduction in account compromise with passwordless deployment.

Monitor for credential exposure

Breached credentials appear on dark web marketplaces and paste sites within hours of major breaches. Proactive monitoring catches exposure before attackers exploit it.

Services like Have I Been Pwned provide API access for checking if email addresses or passwords appear in known breaches. Integrate these checks into:

  • Account registration (reject known-breached passwords)
  • Login flows (warn users about compromised credentials)
  • Periodic security audits (identify at-risk accounts)

Force password resets for accounts with confirmed credential exposure. Don't wait for attackers to test stolen credentials against your systems.
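A registration-time check along these lines, as an added example that is not code from the original article. It uses the Have I Been Pwned range endpoint, which accepts only the first five hex characters of the password's SHA-1 hash, so the password itself never leaves the system; the function names, the 8-character minimum taken from the list earlier in this guide, and the constructed stand-in for the service are assumptions for the demo.

```python
import hashlib
import urllib.request

MIN_LENGTH = 8  # minimum length from the NIST list earlier in this guide


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_hibp(prefix):
    """Live lookup: sends only the 5-character hash prefix to the service."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "password-screen-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def constructed_range_source(breached):
    """Offline stand-in for the service, built from constructed sample data."""
    table = {sha1_upper(pw): count for pw, count in breached.items()}

    def fetch(prefix):
        lines = [h[5:] + ":" + str(c) for h, c in table.items()
                 if h.startswith(prefix)]
        lines.append("0" * 35 + ":0")  # padded responses carry zero-count rows
        return "\r\n".join(lines)

    return fetch


def breach_count(password, fetch_range):
    """Return how many times the password appears in the breach corpus."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # the suffix match happens locally
    return 0


def check_new_password(password, fetch_range):
    """Length check plus breach screening; no composition rules."""
    if len(password) < MIN_LENGTH:
        return (False, "too short")
    seen = breach_count(password, fetch_range)
    if seen > 0:
        return (False, "found in breach data %d times" % seen)
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample corpus; swap in fetch_range_hibp for a live check.
    source = constructed_range_source({"password": 9000000, "Welcome99": 1200})
    for candidate in ["short", "Welcome99", "unbreached-long-passphrase"]:
        print(candidate, "->", check_new_password(candidate, source))
```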

Implement rate limiting and lockouts

Rate limiting slows online attacks to a crawl. Limit failed login attempts to 5-10 per account per hour. After reaching the threshold, implement progressive delays or temporary account lockouts.

Sophisticated implementations include:

  • IP-based rate limiting to catch distributed attacks
  • Device fingerprinting to identify bot traffic
  • CAPTCHA challenges after repeated failures
  • Temporary blocks that increase duration with continued attempts

Balance security with usability. Permanent lockouts after failed attempts create denial-of-service vulnerabilities where attackers lock out legitimate users.
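Why per-account lockouts need a per-source counter beside them, as an added example that is not code from the original article. It runs both checks over a constructed authentication log: the per-account limit catches repeated failures on one account, while only the distinct-accounts-per-IP counter notices the password spraying pattern described earlier. The log format, the 10-account threshold and the function names are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
ACCOUNT_FAIL_LIMIT = 5    # low end of the 5-10 per account per hour above
SPRAY_ACCOUNT_LIMIT = 10  # assumed: distinct accounts failed from one IP

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def build_sample_log():
    """Constructed log lines in a hypothetical format, sorted by time."""
    base = datetime(2025, 1, 6, 9, 0, 0)
    lines = []
    # One source tries a single guess against 12 different accounts.
    for i in range(12):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append("%s FAIL user=user%02d ip=203.0.113.7" % (ts, i))
    # One account receives six failures from another source.
    for i in range(6):
        ts = (base + timedelta(minutes=1, seconds=5 * i)).isoformat()
        lines.append("%s FAIL user=bob ip=198.51.100.20" % ts)
    # A legitimate user mistypes once, then logs in.
    lines.append((base + timedelta(minutes=2)).isoformat()
                 + " FAIL user=carol ip=192.0.2.5")
    lines.append((base + timedelta(minutes=2, seconds=9)).isoformat()
                 + " OK user=carol ip=192.0.2.5")
    return sorted(lines)


def analyze(lines):
    """Return (accounts to lock or delay, source IPs showing spraying)."""
    per_account = defaultdict(deque)  # user -> failure timestamps
    per_source = defaultdict(deque)   # ip -> (timestamp, user) failures
    locked, spraying = set(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue  # skip malformed lines and successful logins
        ts = datetime.fromisoformat(m["ts"])
        user, ip = m["user"], m["ip"]

        acct = per_account[user]
        acct.append(ts)
        while acct and ts - acct[0] > WINDOW:
            acct.popleft()
        if len(acct) >= ACCOUNT_FAIL_LIMIT:
            locked.add(user)

        src = per_source[ip]
        src.append((ts, user))
        while src and ts - src[0][0] > WINDOW:
            src.popleft()
        if len({u for _, u in src}) >= SPRAY_ACCOUNT_LIMIT:
            spraying.add(ip)
    return locked, spraying


if __name__ == "__main__":
    locked, spraying = analyze(build_sample_log())
    print("accounts over the per-account limit:", sorted(locked))
    print("sources failing across many accounts:", sorted(spraying))
```

In the sample, none of the twelve sprayed accounts reaches the per-account limit, so a lockout policy alone would stay silent about that source.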

Secure devices from day one

For organizations managing distributed workforces, device security starts before employees receive their hardware. Pre-configured security controls protect credentials from the moment a device powers on.

Mobile Device Management (MDM) ensures:

  • Full disk encryption enabled by default
  • Password policy enforcement at the OS level
  • Automatic security updates and patches
  • Remote wipe capabilities for lost or stolen devices
  • Secure application distribution and management

Deel IT provides device lifecycle management across 130+ countries, with security controls built into the provisioning process. Devices ship pre-configured with encryption, authentication requirements, and security policies already in place, ensuring passwords are protected before employees ever log in.

Deel IT for password security at scale

Most organizations address password security through policies and training. Deel IT enforces protection at the device level, eliminating gaps before attackers can exploit them. By integrating password security with device provisioning, identity management, and endpoint protection, it ensures consistent controls across your entire global workforce.

How Deel IT strengthens password security:

  • Enforce security from day one: Devices ship pre-configured with full disk encryption, password policies enforced at the OS level, and mandatory MFA requirements built into the hardware
  • Deploy password managers globally: Roll out enterprise password managers across your fleet in minutes, with automatic installation and configuration during device provisioning
  • Control access centrally: Provision and deprovision access across your entire software stack from a single dashboard, eliminating orphaned accounts when employees leave
  • Protect endpoints everywhere: Deploy endpoint security solutions that guard against malware, keyloggers, and network sniffing attacks across 130+ countries
  • Respond to security incidents 24/7: Global IT support handles password resets, lockouts, and security issues across time zones with SLA-backed response times

For distributed teams, password security isn't just about strong policies. It's about consistent enforcement across devices, applications, and regions. Deel IT provides the operational backbone that connects device management, identity and access controls, endpoint protection, and IT support into a unified platform.

Book a demo to see how Deel IT secures passwords and devices for global teams.


Michał Kowalewski is a writer and content manager with 7+ years of experience in digital marketing. He spent most of his professional career working in startups and the tech industry. He's a big proponent of remote work, considering it not just a professional preference but a lifestyle that enhances productivity and fosters a flexible work environment. He enjoys tackling topics of venture capital, equity, and startup finance.