Password cracking!

“Password” is the simplest and easiest way to authenticate a user. It is also one of the most easily understood ways to authenticate a user. Recall, that authentication is the process of uniquely identifying a user and making sure that “they are who they are”. The username and password combination is the defacto method of identifying a user in all websites.

Cracking those passwords is the dream job of yet another professional – the “hacker”. Whether it was Yahoo, US office of Personnel Management or Ashley Madison, data breaches and stolen passwords make headlines all the time. Secure password policies, the common password hacking software and the different methods of hacking passwords forms the basis of this post.

Most common passwords:

According to the HuffingtonPost, the most common passwords for 2016, are as follows:

  • 123456
  • 123456789
  • qwerty
  • 12345678
  • 111111
  • 1234567890
  • 1234567
  • password
  • 123123
  • 98765432

We can see that “123456” was the most common password accounting for nearly 17% of the 10 million of passwords analyzed.  (

Password policy:

While most of us suffer from “password fatigue” and commit the error of using simple passwords like the ones mentioned in the above list, it is but necessary to use strong passwords that cannot be cracked. According to the SANS institute, some of the best practices for creating a good password can be listed as follows: A good password should:

a. contain 8-12 alphanumeric characters

b. contain both upper case and lower case letters

c. contain special characters(examples: @!#$%{})

d. contain a number


If all network administrators made it mandatory to set passwords with the above guidelines, then the time taken to hack the accounts will frustrate the hacker thus thwarting an attack.

Types of password cracking:

“Password cracking” is the illegal way to access passwords that are either stored on a system or are in transmission. There are a variety of password cracking software like John the Ripper, Cain and Abel, OphCrack, L0phtCrack, RainbowCrack and Crowbar.

a. John the Ripper:

‘John the Ripper’ is the most popular of all password cracking tools. It was originally developed for the Unix platform but now runs on various platforms such as Windows, Unix and OS X. It is not a single tool but a combination of different tools. It has a free version and a commercial version. Pen testers use the commercial version of the software to study the various password vulnerabilities. Since weak passwords are one of the top 10 security loopholes that can be used by malicious agents, it is wise to use strong passwords by following the rules stated in the previous paragraph.

b. L0phtCrack:

Released 20 years ago, ‘L0phtCrack’ is yet another popular password auditing and recovery tool for Windows and Unix platforms. The current version of ‘L0phtCrack’ is 500 times faster than the previous version. With improved speed weak passwords can be cracked in a matter of hours. According to this article from SC Magazine(UK), it was reported that passwords that took 24 hours to crack in 1998 takes only 2 hrs.  to crack now thanks be to increased speeds. “On a circa-1998 computer with a Pentium II 400 MHz CPU, the original L0phtCrack could crack a Windows NT, 8 character long alphanumeric password in 24 hours.On a 2016 gaming machine, at less hardware cost, L0phtCrack 7 can crack the same passwords stored on the latest Windows 10 in 2 hours,” (

3. Cain and Abel:

‘Çain and Abel’ is a password recovery tool for Windows platform. It performs password recovery by network sniffing by performing Dictionary attack, Brute force attack or Cryptanalysis attack.  Teachers, educators, security consultants, network administrators can use ‘Cain and Abel’ password recovery tool for ethical purposes.

Having seen the different password cracking/auditing/recovery tools – let us see the different forms of performing password attacks.

Different methods of password attack:

a. Dictionary attack:

This is one of the popular methods of cracking passwords. In this type of attack, all words in the dictionary are systematically tried against the possible password to be guessed. It might work on accounts which have simple passwords but is not effective on longer passwords or passwords having a combination of letters or having two factor authentication.

b. Brute force attack:

As the word in use, “brute force” is the type of attack where an exhaustive attack is carried against the password to be guessed. There is no logic to this type of attack, only a forceful attack to crack the password by trying all possible combinations.

We have seen the different types of password crackers, the two possible methods of performing the attack and possible ways to create a strong password and frustrate the attacker. It is but imperative that we create a strong business/persona environment by insisting on passwords that meet the policy requirements!









Jayanthi Manikandan has an undergraduate degree in Computer Science from India and a Master’s degree in Information systems with a specialization in Information security from Detroit, MI, USA.

She has been passionate about Information security and has several years of experience writing on various technical topics. Additionally, she loves to pen a few personal thoughts here as well! 🙂


  1. Thanks for giving an insight as to how to protect our information & how powerful it needs to be so as not to be an easy prey to hackers.

Leave a Reply

Your email address will not be published. Required fields are marked *