Password Cracking: How It Works and What Defenders Need to Know

Password cracking is one of the most common steps in penetration testing and one of the most common techniques in real attacks. Understanding how it works — the mechanics, the tools, the dictionaries — is useful both for testing an organization’s password posture and for making informed choices about your own credentials.

How Passwords Are Stored (and Why It Matters)

Modern systems don’t store passwords in plaintext. They store a hash: the output of a one-way cryptographic function applied to the password. When you log in, the system hashes what you type and compares it to the stored hash. If they match, you’re authenticated.

The security of this system depends on two things: the strength of the hash function, and the strength of the password itself.

Fast general-purpose hash functions (MD5, SHA-1, and even unsalted SHA-256) can be tested at billions of guesses per second on modern GPU hardware. A single RTX 4090 can compute MD5 hashes at around 60 billion per second. This means an eight-character password stored as MD5 can be exhaustively brute-forced in hours.

Hash functions designed specifically for passwords (bcrypt, Argon2, scrypt) are intentionally slow. bcrypt with a work factor of 12 reduces the guess rate to thousands per second on the same hardware, which is orders of magnitude harder to brute-force.

Salting adds a unique random value to each password before hashing, which prevents precomputed rainbow table attacks and ensures that two users with the same password get different hashes.

The takeaway: the hash function matters enormously. If you’re assessing a system that’s using MD5 or SHA-1 for passwords, that’s a critical finding regardless of password length.

The Tools

Hashcat is the standard for offline hash cracking. It runs on GPU, supports hundreds of hash types, and implements every major attack mode. If you’ve obtained a hash dump from a penetration test, Hashcat is how you crack it.

John the Ripper is the alternative — older, CPU-focused, but still used and scriptable.

Identifying hash types: Before cracking, you need to know what you’re cracking. hashid and hash-identifier are command-line tools that guess hash format from the hash string. Hashcat’s example hashes page is the authoritative reference.

Attack Modes

Dictionary attack. Hashing every word in a wordlist and comparing to the target hash. Effective because most people choose passwords from a limited vocabulary. Rockyou.txt (14 million passwords from a 2009 breach) is the standard starting wordlist.

hashcat -a 0 -m 0 hashes.txt rockyou.txt
# -a 0: dictionary attack, -m 0: MD5

Rule-based attack. Applying transformation rules to dictionary words — capitalizing the first letter, appending numbers, substituting letters for symbols. Covers the “Password1!” pattern that policies accidentally encourage.

hashcat -a 0 -m 0 hashes.txt rockyou.txt -r rules/best64.rule

Combinator attack. Concatenating words from two wordlists. Catches “correcthorsebatterystaple” style passwords built from common words.

Mask attack (targeted brute force). When you know something about the password format — “eight characters, one uppercase, one number, one symbol” — a mask attack covers that specific pattern efficiently.

hashcat -a 3 -m 0 hashes.txt ?u?l?l?l?l?l?d?s

Hybrid attack. Dictionary words combined with masks — catches “password2024!” style patterns.

What This Means for Defense

Password cracking results in penetration tests are diagnostic. The percentage of cracked hashes tells you what percentage of your user base chose weak passwords. The time to crack tells you how much breathing room you’d have after a breach.

For organizations: enforce a password policy that amounts to more than “must contain a number.” Current NIST guidance favors length over complexity: a 16-character passphrase is significantly harder to crack than an 8-character password that meets a typical complexity policy. Monitor for and alert on credential stuffing. Store passwords with bcrypt, Argon2, or scrypt, not MD5 or SHA-1.
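As an added example (not code from the original article), the following Python shows the storage side of what the sections on hashing, salting and defense describe: a per-user random salt, a deliberately slow KDF (scrypt from the standard library), constant-time verification, and an audit pass that flags any stored credential that is still a bare unsalted MD5 digest so it can be rehashed on the user’s next login. The scrypt parameters, the record format and the sample store are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Assumed scrypt parameters for the demo; production values come from a
# benchmark on the deployment's own hardware, typically n=2**14 or higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16

# A bare unsalted MD5 digest is exactly 32 hex characters with no salt or parameters.
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salthex$hashhex' with a per-user salt."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters, compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy_md5(record: str) -> bool:
    """True if the stored record is an unsalted MD5 digest (the critical finding)."""
    return bool(LEGACY_MD5_RE.match(record))


def audit_store(store: Dict[str, str]) -> List[str]:
    """Return the users whose stored record is legacy MD5 and must be rehashed on next login."""
    return sorted(user for user, rec in store.items() if is_legacy_md5(rec))


if __name__ == "__main__":
    # Constructed sample store: one user still on legacy MD5, one already on scrypt.
    store = {
        "alice": hashlib.md5(b"Password1!").hexdigest(),
        "bob": hash_password("correct horse battery staple"),
    }
    print("legacy users to rehash:", audit_store(store))
    print("bob verifies:", verify_password("correct horse battery staple", store["bob"]))
```

Two users with the same password get different records because each call draws a fresh salt, which is the property that defeats precomputed rainbow tables.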

For individuals: unique passwords in a password manager, long passphrases for anything that doesn’t support a manager, and 2FA on everything important are the practical answers. Understanding that your password is being measured in hash crack time rather than human memorability is the frame shift that makes these choices obvious.
