Password Cracking

Passwords are the most widely used form of authentication and protect against unauthorized access to restricted systems. Password cracking is the process of using an application program to identify an unknown or forgotten password to a computer or network resource.

Password strength is a measure of how effectively a password resists password cracking attacks. The strength of a password is determined by:

  • Length: the number of characters the password contains.
  • Complexity: does it use a combination of letters, numbers, and symbols?
  • Unpredictability: is it something that can be guessed easily by an attacker?

Password Cracking Techniques

  • Dictionary Attack: tries each entry in a pre-compiled wordlist. A popular wordlist is rockyou.
  • Brute Force Attack: uses algorithms that combine alphanumeric characters and symbols to generate candidate passwords for the attack.
  • Rainbow Table Attack: compares the target password hash against tables of pre-computed hashes.
  • Guess: involves guessing popular passwords such as qwerty, password, admin, etc.
  • Spidering: collects open source information to construct wordlists.
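
The three strength factors and the guessing and brute-force techniques above can be turned into a password audit check. This is an added example, not code from the original page: it estimates the brute-force keyspace from length and character classes and rejects passwords on a common-password list. The function names, the `min_bits` threshold and the sample passwords are assumptions made for illustration.

```python
import math
import string

# Constructed sample: the popular passwords named under "Guess" above.
# A real audit would load a full wordlist such as rockyou instead.
COMMON_PASSWORDS = {"qwerty", "password", "admin"}

# Character classes used to judge complexity.
CHAR_CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation]


def alphabet_size(password):
    """Size of the character pool a brute-force search would have to cover."""
    size = sum(len(cls) for cls in CHAR_CLASSES
               if any(c in cls for c in password))
    # Assumption: characters outside the four classes (space, non-ASCII)
    # each add one symbol to the pool.
    known = "".join(CHAR_CLASSES)
    return size + len({c for c in password if c not in known})


def brute_force_bits(password):
    """log2 of the brute-force keyspace: length * log2(alphabet size).

    This models brute force only; it overstates the strength of anything
    a dictionary or guessing attack would find first.
    """
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size > 1 else 0.0


def assess(password, min_bits=60):
    """Return (verdict, bits). min_bits is an illustrative threshold."""
    bits = round(brute_force_bits(password), 1)
    if password.lower() in COMMON_PASSWORDS:  # unpredictability check
        return ("reject: on common-password list", bits)
    if bits < min_bits:  # length and complexity check
        return ("reject: keyspace too small", bits)
    return ("accept", bits)


if __name__ == "__main__":
    for candidate in ["qwerty", "Admin", "Tr0ub4dor", "correct horse battery staple"]:
        print(repr(candidate), assess(candidate))
```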

Password Cracking Tools

  • John the Ripper: open source password security auditing and password recovery tool. There is also a GUI version.
  • Cain and Abel: Windows-only password recovery tool.
  • Ophcrack: cross-platform Windows password cracker that uses rainbow tables to crack passwords.

Command-line password cracking tools available on Kali Linux:

  • hydra: login cracker that supports attacks against many protocols.
  • hashcat: supports five unique modes of attack for over 300 highly-optimized hashing algorithms.

Practice

The following TryHackMe rooms offer practical exercises to grasp the topics discussed above.