In this guide we will see some techniques used to crack a password.

How to crack a Password?

First, let us explain how passwords are stored.

When a site or program such as Google or Facebook stores your password, the password is usually stored as a hash.

A hash is a safe way of storing passwords, based on a mathematical function.

A hash is also a way to encrypt a password; if you know the logic, you can easily decrypt it.

Below are the types of attacks used:

Offline Attack

In an offline attack, the attacker obtains the password hash, saves it, and decrypts the password offline over the following days.

Online Attack

Here the whole process takes place online.

Carrying out an online attack against a serious site is very difficult. Most likely, after 3-4 attempts your IP will be banned and the game will be over.

You may have seen this yourself after forgetting an account password: after a few attempts, everything freezes.

This mechanism was created to protect users from attackers who try millions of times to discover a password.

To carry out an online attack, the attacker will probably first have done a detailed analysis of the victim, collecting a lot of information such as children's names, birthdays, past addresses, etc.

From there, the attacker builds a password database specific to that user, trying a set of passwords that have a much higher probability of success than random attempts.

Offline attacks are much more threatening and take place when an encrypted file, such as a pdf or document, is intercepted or when a hashed key is transferred.

If an encrypted file or a hashed password is copied, an attacker can take the key home and crack it whenever he wants.

The attacker has to be very patient and try thousands, millions, or billions of passwords before finding the right one.

Of course, there are techniques that help us, such as:

Dictionary Attack

A dictionary attack is an attack that uses a file containing passwords.

Attackers usually build their own dictionaries, although ready-made ones can be found on the internet, such as the famous rockyou.txt.

These are huge text files that contain millions of generic passwords, such as iloveyou, 12345, admin, or 123456789.

Characteristic-Based Attack

If the password cannot be found in a dictionary, the alternative is to use some general rule to try a series of combinations with specific features.

This means that instead of trying a password list, an attacker specifies a list of features to try.

For example, if I knew that your password is made up exclusively of numbers, I would tell the tool to try numeric passwords only.

The tool would try every combination of numbers until it found the right one.

We can also specify a number of additional settings, such as minimum and maximum length.

This significantly reduces the amount of work the tool has to do.

So let's say that your password is 8 characters long and composed exclusively of numbers.

My graphics card would take about 200 seconds to crack this password.

If the password included letters and numbers, the same password would take two days to crack.
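The reasoning in the last two sections can be turned into a password audit, for instance in a sign-up check. The following is an added example, not part of the original guide: the wordlist is a constructed sample, the function names are hypothetical, and the guess rate is an assumption derived from the 200-second figure above (real rates depend on the hash algorithm and the hardware).

```python
import string

# Constructed sample standing in for a real wordlist such as rockyou.txt.
SAMPLE_WORDLIST = {"iloveyou", "12345", "123456", "admin", "123456789"}

# Assumption: 10**8 eight-digit candidates in about 200 seconds, as quoted above.
GUESSES_PER_SECOND = 10**8 / 200

CLASSES = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbols": string.punctuation + " ",
}


def charset_classes(password):
    """Return the character classes a password draws from, in CLASSES order."""
    if not password:
        raise ValueError("empty password")
    known = "".join(CLASSES.values())
    if any(c not in known for c in password):
        raise ValueError("only printable ASCII is modelled in this sketch")
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def audit(password, wordlist=SAMPLE_WORDLIST, rate=GUESSES_PER_SECOND):
    """Report the cheapest attack class that covers the password and its cost."""
    if password.lower() in wordlist:
        keyspace, attack, classes = len(wordlist), "dictionary", []
    else:
        classes = charset_classes(password)
        alphabet = sum(len(CLASSES[name]) for name in classes)
        # Worst case: every string of this length over the detected alphabet.
        keyspace, attack = alphabet ** len(password), "characteristic"
    return {"attack": attack, "classes": classes,
            "keyspace": keyspace, "seconds": keyspace / rate}


if __name__ == "__main__":
    for sample in ("123456", "48291037", "a1b2c3d4", "Tr4il-mix-Lantern-09"):
        print(sample, audit(sample))
```

Each extra character class and each extra character multiplies the keyspace, which is why length and variety matter far more than any single clever substitution.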

Brute Force Attack

If the attacker has not been successful with these two methods, he can always use brute force to get what he wants, that is, try every possible combination of characters until he arrives at the password.

Generally this type of attack is impractical, because any combination with more than ten characters would take years to discover!

Social Engineering Attack

Another technique, used more and more in recent years to discover passwords without wasting much time, is phishing.

Using tools available in Kali Linux, the attacker deceives the victim into entering his credentials.

There are also many sites that allow us to crack a hash online. Let's see a practical example:

Let’s say we found the hash


We go to the HashKiller website, paste the hash we found, and click the green button.

If all went well, here is the result: the password was 123456.
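A lookup like this succeeds because a fast, unsalted hash of a common password is always the same value and can be precomputed once for everyone. The following added example (not part of the original guide) shows that effect next to salted, slow storage with PBKDF2; SHA-256 as the unsalted algorithm and all function names are assumptions, since the guide does not say which hash was used.

```python
import hashlib
import hmac
import os

# Constructed sample: the common passwords named earlier in this guide.
COMMON = ["iloveyou", "12345", "123456", "admin", "123456789"]


def unsalted_digest(password):
    """Fast, unsalted hash: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table(wordlist):
    """Precomputed digest -> password map, the idea behind online lookup sites."""
    return {unsalted_digest(word): word for word in wordlist}


def make_record(password, iterations=600_000):
    """Salted, deliberately slow storage record using PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)  # unique per user, stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    table = lookup_table(COMMON)
    # Two users with the same password share one unsalted digest.
    print("unsalted lookup:", table.get(unsalted_digest("123456")))
    alice, bob = make_record("123456"), make_record("123456")
    print("salted digests equal:", alice["digest"] == bob["digest"])
    print("salted digest in table:", alice["digest"].hex() in table)
    print("login check:", verify("123456", alice), verify("1234567", alice))
```

The salt forces an attacker to attack each record separately, and the iteration count makes every single guess expensive; a weak password such as 123456 is still guessable, only more slowly.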


As we have seen, cracking a password is not as difficult as you might think.

In theory you simply try millions of passwords/techniques before you get to the exact one.

However, it is important to remember that finding this needle in the haystack is sometimes really impossible.

Your best protection is a long and, where possible, unique password that is not reused on other services, so that it cannot be cracked in the ways we have seen in this article.

N.B.: I do not assume any responsibility for the use you make of the guide, as it is written for didactic and formative use.
