How Attackers Actually Crack Password Databases
Not brute force — dictionary attacks, rule-based mangling, and GPU farms. Understanding the attack tells you exactly what defence looks like.
When people imagine password cracking, they picture an attacker methodically trying "aaaaaaa", "aaaaaab", "aaaaaac"... That's pure brute force, and attackers almost never use it. It's too slow for long passwords and too unsophisticated for the problem.
Real password cracking is a mix of psychology and compute. Attackers know how humans choose passwords, and they exploit that knowledge systematically.
Dictionary attacks
RockYou2021, a wordlist compiled from past breach dumps and earlier wordlists, contains 8.4 billion entries. Attackers start here: hash every entry and compare against the target hashes. A single modern GPU computes tens of billions of SHA-256 hashes per second, so the whole list runs in about a second. Unique per-user salts force that run to be repeated for every target hash, but when each run costs a second, repetition is not much of a defence.
If your password is a word, a name, a phrase, or anything that appeared in a breach list in the last 15 years, it's probably in that wordlist.
Rule-based attacks
After the wordlist, attackers apply transformation rules. Common rules: capitalise the first letter, replace e with 3, replace a with @, append 1 or 123 or !, reverse the word, combine two words with a separator. Hashcat — the dominant cracking tool — ships with thousands of predefined rules and supports custom ones.
"Password1!" looks complex to a human. To a rule-based cracker it is "password" + capitalise first + append "1!": a two-step transformation on the most common word in the list, tried within the first seconds of a run against a fast hash.
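The dictionary-plus-rules loop described above, as an added example that is not part of the original article and not hashcat's own code: a hand-written re-implementation of a handful of hashcat rule functions (`c`, `$`, `^`, `s`, `r`, `d`, `l`, `u`, `t`, `:`), run over a small constructed wordlist against a constructed "leaked" table of unsalted SHA-256 hashes. The wordlist, the rules, the user names and the passwords are all made up for the demonstration.

```python
import hashlib
import itertools

# Constructed six-word wordlist standing in for a breach list like RockYou2021.
WORDLIST = ["password", "letmein", "dragon", "monkey", "football", "iloveyou"]

# Constructed rules in hashcat's syntax: functions separated by spaces, applied
# left to right. Real rule files (best64, dive) contain thousands of these.
RULES = [
    ":",                    # the raw dictionary word
    "c",                    # Password
    "c $1",                 # Password1
    "c $1 $!",              # Password1!
    "$1 $2 $3",             # password123
    "se3 sa@",              # l33t substitutions
    "c se3 sa@ so0 $1 $!",  # P@ssw0rd1!
    "r",                    # drowssap
    "d",                    # passwordpassword
]


def apply_rule(word: str, rule: str) -> str:
    """Apply a space-separated sequence of rule functions to one word.
    This is an illustrative subset of hashcat's rule engine, not the real one."""
    for tok in rule.split():
        op, arg = tok[0], tok[1:]
        if op == ":":                      # no-op
            continue
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":                    # capitalise first letter, lowercase rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "t":                    # toggle case of every character
            word = word.swapcase()
        elif op == "r":                    # reverse
            word = word[::-1]
        elif op == "d":                    # duplicate
            word = word + word
        elif op == "$":                    # append character
            word = word + arg
        elif op == "^":                    # prepend character
            word = arg + word
        elif op == "s":                    # sXY: replace every X with Y
            word = word.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function: {tok}")
    return word


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, wordlist, rules) -> dict:
    """Hash every (word, rule) candidate and look it up in the target set.
    Because the targets are unsalted, one candidate hash is checked against
    every target at once. Returns {hash: (word, rule, plaintext)}."""
    targets = set(target_hashes)
    found = {}
    for word, rule in itertools.product(wordlist, rules):
        candidate = apply_rule(word, rule)
        digest = sha256_hex(candidate)
        if digest in targets and digest not in found:
            found[digest] = (word, rule, candidate)
            if len(found) == len(targets):
                break
    return found


# Constructed "leaked" user table: unsalted SHA-256 of each user's password.
LEAKED = {
    "alice": sha256_hex("Password1!"),
    "bob": sha256_hex("P@ssw0rd1!"),
    "carol": sha256_hex("dragon123"),
    "dave": sha256_hex("correct horse battery staple lamp"),  # never in the wordlist
}

if __name__ == "__main__":
    results = crack(LEAKED.values(), WORDLIST, RULES)
    for user, digest in LEAKED.items():
        if digest in results:
            word, rule, plain = results[digest]
            print(f"{user}: {plain!r} = {word!r} + rule {rule!r}")
        else:
            print(f"{user}: not cracked")
```

Three of the four constructed accounts fall to six words and nine rules in well under a millisecond of CPU time; hashcat does the same thing with billions of candidates per second on a GPU. The passphrase survives not because the hash is strong but because no word-plus-rule candidate ever equals it.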
What actually stops cracking
Two things: entropy, which for a secret a human can remember means length (several words chosen at random, not one word dressed up), and a slow hash function. Not complexity rules. Not special characters. Length.
A 5-word passphrase with each word drawn at random from a 7,776-word diceware list has about 64 bits of entropy, more than "P@ssw0rd1!". "correct horse battery staple lamp" shows the shape, not a value to use: the famous four XKCD words are themselves in wordlists now. No dictionary or rule attack reaches a genuinely random passphrase, because it never appeared in a breach and the 7,776^5 ≈ 2.8 × 10^19 five-word combinations are far too many to precompute. Against unsalted SHA-256 that search is still within reach of a large GPU cluster over months. Against bcrypt at cost 12, at a few thousand hashes per second per GPU, the same search takes hundreds of millions of GPU-years.
bcrypt's cost parameter is exponential: the expensive key-setup loop runs 2^cost times. Cost 10 is 1,024 iterations, cost 12 is 4,096, cost 14 is 16,384, so each step up doubles the time. bcrypt also keeps 4 KB of Blowfish S-boxes per hash in flight, which maps poorly onto GPUs, so the gap against a fast hash is larger than the iteration count alone suggests: a GPU that computes tens of billions of SHA-256 hashes per second manages on the order of 10,000 bcrypt cost-10 hashes per second, and fewer than 2,500 at cost 12.
Try the bcrypt tool
Hash the same password at cost 10, 12, and 14. Watch the time increase with each step. That timing difference is the entire security model: slow enough to be useless to an attacker, fast enough that your users don't notice a 300ms delay on login. Tune the cost on the hardware that will actually run logins, and revisit it as that hardware gets faster.
The hash output is a single 60-character string: "$2b$12$" followed by a 22-character salt and a 31-character hash, both in bcrypt's own base64 alphabet. Version, cost factor and salt are all encoded in it, so any bcrypt implementation can verify a password from the stored string alone, with no separate configuration. Two caveats a deployment should handle: bcrypt only looks at the first 72 bytes of the password, so longer inputs are silently truncated by most libraries (and rejected outright by some), which is worth catching before hashing; and the cost in a stored string is the cost you chose when that user last set a password, so check it on each successful login and rehash when it falls below current policy.
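Parsing the stored string and enforcing a minimum-cost policy, as an added example that is not part of the original article. It uses only the standard library: a decoder for bcrypt's base64 alphabet, a `parse_bcrypt` helper that splits the string into version, cost, salt and hash, and a `needs_rehash` check of the kind a login handler runs after a successful verification. The sample string is the OpenBSD regression-test vector for the password "U*U" at cost 5; the helper names are this example's own.

```python
import re

# bcrypt's base64 alphabet differs from RFC 4648 and uses no padding.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's base64. 22 chars -> 16 salt bytes (4 bits dropped),
    31 chars -> 23 hash bytes (2 bits dropped)."""
    bits = 0
    nbits = 0
    out = bytearray()
    for ch in text:
        bits = ((bits << 6) | BCRYPT_ALPHABET.index(ch)) & 0xFFFF
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def parse_bcrypt(stored: str) -> dict:
    """Split a stored bcrypt string into its fields; raise on anything malformed."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt_b64, hash_b64 = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "version": version,
        "cost": cost,
        "salt": bcrypt_b64decode(salt_b64),
        "hash": bcrypt_b64decode(hash_b64),
    }


def needs_rehash(stored: str, min_cost: int, wanted_version: str = "2b") -> bool:
    """Policy check to run right after a successful login: True means hash the
    password again at the current cost and overwrite the stored string."""
    parsed = parse_bcrypt(stored)
    return parsed["cost"] < min_cost or parsed["version"] != wanted_version


# OpenBSD test vector: password "U*U", cost 5, salt of 21 'C' characters plus '.'.
SAMPLE = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"

if __name__ == "__main__":
    fields = parse_bcrypt(SAMPLE)
    print("version:", fields["version"])
    print("cost:   ", fields["cost"], "=", 2 ** fields["cost"], "iterations")
    print("salt:   ", fields["salt"].hex(), f"({len(fields['salt'])} bytes)")
    print("hash:   ", fields["hash"].hex(), f"({len(fields['hash'])} bytes)")
    print("rehash under a cost-12 policy?", needs_rehash(SAMPLE, min_cost=12))
```

Rejecting out-of-range costs matters in the other direction too: a stored string claiming cost 31 would make one login attempt run for hours, so an attacker who can write to the credential store should not be able to turn the verifier into a denial of service.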