Password Cracking: What Tools and Techniques Do Hackers Use?

Written by Anthony Freda
Published on November 5, 2021
Updated on May 11, 2026

    What is password cracking?

    Password cracking is the process of uncovering or bypassing passwords to gain unauthorized access to accounts or systems. Cybercriminals use methods such as brute-force attacks, which rapidly try many combinations, or dictionary attacks, which test common words and phrases. Stolen password databases can also be used to match reused credentials across multiple accounts.

    Weak, reused, or predictable passwords are the most exposed, but because these attacks are usually automated, hackers can test thousands or even millions of guesses in a short time. Even a strong password is not immune to a targeted, determined cracking attempt.

    These days, most websites don’t store passwords in plain text. Instead, they run each password through a one-way function that produces a fixed-length string, or “hash,” that can’t practically be reversed. This adds an extra layer of protection if the site itself is compromised. But if your password is weak or commonly used, attackers can hash lists of known passwords and compare the results to the stolen data. If a hash matches, they have your password.

    Once access is gained, attackers may steal data, commit fraud, or take control of accounts, making strong password practices and monitoring tools essential for protection.

    How do hackers get passwords?

    Hackers use a range of techniques to steal, guess, or reuse passwords. Common methods include brute force attacks, dictionary attacks, social engineering, and simple password guessing. In many cases, attackers also trick users into entering their credentials on fake websites through phishing scams.

    Most password attacks don’t involve breaking encryption. Instead, they rely on guessing passwords or tricking users into revealing them. For example, if a password is simple or has been exposed in a data breach, it becomes much easier to crack or reuse across multiple accounts.

    Advances in computing power and the rapid emergence of AI have also made some attacks faster and more efficient, in particular by improving password guessing or automating phishing campaigns.

    Below, we’ll break down some of the most common password attack methods and how you can protect yourself.

    Guessing passwords

    Passwords should be hard to crack but easy to remember. Unfortunately, people underestimate the risks and lean too heavily toward making their passwords memorable. Some hackers can access information simply by guessing the password. In fact, “admin”, “password”, and “123456” were among the most common weak passwords in the United States in 2025.

    [Image: a password manager storing account logins.] Password managers are a secure way to store your passwords and help protect against password cracking.

    When creating passwords, avoid using obvious or easily discoverable information. Weak passwords are often based on personal details or simple patterns that attackers can quickly guess. Common examples include:

    • Generic passwords: Words like “password” or simple variations such as “passw0rd” or “p@ssword.”

    • Personal information: Birthdays, names of family members, friends, or pets.

    • Location-based details: Countries or cities you’ve lived in or currently live in.

    • Interests and hobbies: Sports teams, favorite activities, or other publicly shared interests.

    Brute force attack

    Brute force attacks systematically try every possible password combination. Attackers use automated tools that can generate millions of guesses and, in some cases, hash them to compare against stored password hashes. In principle, the technique is similar to simple password guessing, but on an automated, industrial scale.

    While effective in theory, even highly sophisticated brute force attacks take time. The longer and more random a password is, the larger the space of combinations an attacker has to search, and a long random password can take hundreds or thousands of years to crack with current computing power. Even when brute force attacks harness the combined power of botnets, strong passwords remain a significant barrier.

    However, as a recent attack on CCTV systems in an Indian hospital showed, brute force attacks can still yield results, especially against weaker passwords. In this instance, attackers used automated tools to target poorly secured systems, reportedly stealing tens of thousands of video clips over several months.

    Brute force attacks differ from guessing attacks, which rely on likely password patterns. A related method, reverse brute force, starts with a common password (like “password”) and tests it across many usernames, hoping for a match.

    Credential stuffing

    Credential stuffing, also known as credential recycling, uses previously compromised username and password combinations to access other accounts. For example, if your password has been leaked for one account — perhaps as a result of a data breach — a hacker might try this password for other accounts and services you may have. Often, hackers buy this information on the dark web.

    Hackers who utilize credential stuffing rely on their victims consistently using the same combination of usernames and passwords across multiple accounts. Using different passwords for different accounts can therefore help prevent this type of attack.

    In 2024 and 2025, international jeans manufacturer Levi Strauss, American sports betting giant DraftKings, and outdoor apparel retailer The North Face were all hit by credential stuffing attacks that compromised a number of user accounts.

    Dictionary attack

    Dictionary attacks use large lists of common or likely passwords to try to gain access to accounts. In some cases, attackers also hash these guesses and compare them against stolen password hashes from compromised systems. Because many people use predictable words or slight variations, even passwords with minor tweaks can be uncovered through the dictionary method.

    These password lists come from sources like past data breaches and publicly available databases. For example, the widely circulated rockyou.txt file, containing over 14 million real passwords, is still used today. Dictionary attacks often involve thousands of rapid login attempts. In one 2023 incident, systems in Washington County, Arkansas, blocked more than 64,000 such attempts over a single weekend.

    Social engineering

    Social engineering relies on manipulating people into revealing sensitive information. Attackers often use messages that create urgency or appear to come from a trusted source — such as an employer, service provider, or someone you know — to prompt quick, uncritical responses.

    If you receive a message about an urgent account issue, avoid clicking links or entering credentials. Instead, go directly to the official website and check your account for legitimate notifications.

    Common social engineering tactics used to gain passwords include:

    • Phishing: Fraudulent emails or other phishing messages that direct you to fake websites or prompt you to enter login details.

    • Vishing: Voice-based scams that use phone calls, voice messages, or other voice-based phishing methods to extract information.

    • Catfishing: Catfish scammers impersonate a romantic interest to build trust and solicit money or data.

    • Baiting: Offering something enticing, like free downloads or entry to a prize draw, that leads to malware infection and data theft.

    Deepfakes

    Deepfake attacks are an emerging form of social engineering that uses AI deepfake technology to replicate a person’s face, voice, or both. By impersonating a trusted figure, such as a colleague, family member, or authority, attackers aim to convince victims to share sensitive information or take harmful actions.

    As the technology improves, these attacks are becoming more common and more convincing. In one reported case, hackers used a hijacked Telegram account of a cryptocurrency executive to arrange Zoom calls, where a deepfaked version of the individual persuaded victims to download malware that stole login credentials.

    Rainbow table attack

    A rainbow table attack uses large precomputed tables of password hashes, so that a stolen hash can be looked up rather than cracked from scratch, which is far faster than brute force. These attacks are much less effective today because most systems salt their hashes: a unique random value is mixed into each password before hashing, so one precomputed table can’t be reused across users or sites.

    However, they can still pose a risk for outdated or poorly secured systems. For example, in 2026, Mandiant demonstrated how legacy Windows authentication methods could still be vulnerable by releasing rainbow tables that cracked them quickly.

    Mask attack

    Mask attacks start by assuming that the target password follows a common format, or “mask”, such as starting with an uppercase letter, followed by lowercase letters, numbers, and symbols. By narrowing the possibilities, attackers can test combinations far more efficiently than with a pure brute force methodology.

    For instance, after analyzing patterns from past breaches, an attacker might target a mask consisting of one uppercase letter, six lowercase letters, four digits, and a symbol, which would quickly uncover 12-character passwords like “America1776+” or “Welcome1234=”.
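To make the mask idea concrete, here is a small Python example, added for this article and not taken from the original text or from any cracking tool, that expands a hashcat-style mask into per-position character sets, computes how many candidates it produces compared with a pure brute force over all 95 printable ASCII characters, and then runs the attack against a single unsalted SHA-256 hash. The target hash is constructed here from the made-up password “Welcome12!”; the mask syntax (?u, ?l, ?d, ?s, literal characters, and ?? for a literal question mark) follows hashcat’s conventions.

```python
import hashlib
import itertools
import string
from typing import Iterator, List, Optional, Tuple

# hashcat's built-in charsets. Note that ?s includes the space character,
# so it has 33 symbols, one more than Python's string.punctuation.
HC_CHARSETS = {
    "l": string.ascii_lowercase,                                           # 26
    "u": string.ascii_uppercase,                                           # 26
    "d": string.digits,                                                    # 10
    "s": " " + string.punctuation,                                         # 33
    "a": string.ascii_letters + string.digits + " " + string.punctuation,  # 95
}
PRINTABLE_ASCII = 95  # size of ?a, used for the "pure brute force" comparison


def parse_mask(mask: str) -> List[str]:
    """Expand a hashcat-style mask into one candidate charset per position.

    '?l', '?u', '?d', '?s', '?a' expand to the charsets above, '??' is a
    literal question mark, and any other character is taken literally
    (hashcat lets you pin parts of a password you already know this way).
    """
    positions: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        tag = mask[i + 1]
        if tag == "?":
            positions.append("?")
        elif tag in HC_CHARSETS:
            positions.append(HC_CHARSETS[tag])
        else:
            raise ValueError(f"unknown charset ?{tag}")
        i += 2
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask generates: the product of the per-position sizes."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total


def brute_force_keyspace(length: int) -> int:
    """Candidates a pure brute force over printable ASCII would need for this length."""
    return PRINTABLE_ASCII ** length


def candidates(mask: str) -> Iterator[str]:
    """Lazily yield every candidate password the mask describes."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_sha256(target_hex: str, mask: str) -> Tuple[Optional[str], int]:
    """Run the mask attack against one unsalted SHA-256 hash.

    Returns (recovered password or None, number of candidates hashed).
    """
    tried = 0
    for cand in candidates(mask):
        tried += 1
        if sha256_hex(cand) == target_hex:
            return cand, tried
    return None, tried


# Constructed demo target: the hash of the made-up password "Welcome12!".
DEMO_TARGET = sha256_hex("Welcome12!")
ARTICLE_MASK = "?u?l?l?l?l?l?l?d?d?d?d?s"  # the 12-character pattern from the article

if __name__ == "__main__":
    print(f"article mask keyspace : {keyspace(ARTICLE_MASK):.3e}")
    print(f"12-char brute force   : {brute_force_keyspace(12):.3e}")
    print(f"reduction factor      : {brute_force_keyspace(12) // keyspace(ARTICLE_MASK):,}x")
    # Suppose spidering showed the company greets new staff with "Welcome":
    # pin that word and only guess the trailing two digits and one symbol.
    found, tried = crack_sha256(DEMO_TARGET, "Welcome?d?d?s")
    print(f"recovered {found!r} after {tried} of {keyspace('Welcome?d?d?s')} guesses")
```

Two things fall out of running it. The article’s 12-character mask is roughly 200 million times smaller than the full 12-character printable-ASCII space, yet it still holds about 2.6 quadrillion candidates, so it pays off only against fast, unsalted hashes on GPU hardware. Pinning a word learned by spidering, as the second mask does, collapses the search to a few thousand guesses, which is why predictable structure is the real weakness.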

    Spidering

    Spidering involves gathering publicly available information, such as company jargon, branding, or internal terminology, from sources like LinkedIn, websites, and job postings. Attackers then use these insights to guess passwords that employees are likely to choose.

    For example, password formats like “WelcomeCompanyName” or “OfficeLocationCompanyName” may be tested. While research-intensive, this method can be effective because people often base passwords on obscure but familiar terms.

    Shoulder surfing

    Shoulder surfing is a low-tech but effective method of obtaining passwords in which an attacker physically observes you entering a password or PIN. This can happen in public places like cafes, airports, or offices, where attackers observe screens or keyboards to capture login details, PINs, or other private data without the victim realizing.

    Unlike automated attacks, shoulder surfing relies on physical proximity and timing. It can be as simple as someone glancing over your shoulder or as deliberate as using cameras or binoculars to record input from a distance. Being mindful of your surroundings and shielding your screen when entering sensitive information can help reduce the risk.

    Eavesdropping

    Eavesdropping in a password cracking context involves a threat actor listening in on conversations to capture sensitive information, such as passwords. While less common, it can occur in public or shared spaces, making it important to be mindful of who might overhear you, either in person or through a phone tap or other compromised communication channels.

    It can also extend beyond spoken conversations. Wireless devices like Bluetooth keyboards may be vulnerable to interception, allowing attackers to capture keystrokes in transit — similar to how keyloggers record input — potentially exposing login credentials.

    Password spraying

    Password spraying is the inverse of a brute force attack. Instead of trying many passwords against one account, attackers try a single common password, such as “password” or “qwerty,” across many accounts. Because each account sees only one or two failed attempts, the attack stays below the thresholds that trigger account lockouts, making it far stealthier.

    Organizations with large user bases are common targets, as even a small success rate can yield multiple compromised accounts. This was demonstrated in a large-scale password spraying attack targeting Microsoft 365 accounts in 2025.
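Because a spray is wide and shallow, it has a recognisable shape in authentication logs even though no single account trips a lockout. The Python example below, added here and not part of the original article, looks for exactly that shape: one source address failing against many distinct accounts within a short window while trying each account only once or twice. The log lines and the simple key=value format are constructed for the example; in practice you would adapt the parser to your identity provider’s export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not from a real system):
#   203.0.113.7  tries one password against many users  -> password spraying
#   198.51.100.9 hammers a single account                -> classic brute force
#   192.0.2.5    is a user who mistyped once and then logged in
SAMPLE_LOG = """\
2025-03-03T09:14:02Z result=FAIL user=alice src=203.0.113.7
2025-03-03T09:14:03Z result=FAIL user=bob src=203.0.113.7
2025-03-03T09:14:03Z result=FAIL user=carol src=203.0.113.7
2025-03-03T09:14:04Z result=FAIL user=dave src=203.0.113.7
2025-03-03T09:14:04Z result=FAIL user=erin src=203.0.113.7
2025-03-03T09:14:05Z result=OK user=frank src=203.0.113.7
2025-03-03T09:14:05Z result=FAIL user=grace src=203.0.113.7
2025-03-03T09:14:06Z result=FAIL user=admin src=198.51.100.9
2025-03-03T09:14:06Z result=FAIL user=admin src=198.51.100.9
2025-03-03T09:14:07Z result=FAIL user=admin src=198.51.100.9
2025-03-03T09:14:07Z result=FAIL user=admin src=198.51.100.9
2025-03-03T09:14:08Z result=FAIL user=admin src=198.51.100.9
2025-03-03T09:14:08Z result=FAIL user=admin src=198.51.100.9
2025-03-03T09:14:10Z result=FAIL user=heidi src=192.0.2.5
2025-03-03T09:14:20Z result=OK user=heidi src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed key=value format above; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_password_spraying(events: List[dict],
                             window: timedelta = timedelta(minutes=10),
                             min_users: int = 5,
                             max_per_user: int = 2) -> Dict[str, dict]:
    """Flag a source that, within `window`, fails against at least `min_users`
    distinct accounts while hitting each account at most `max_per_user` times.

    That is the spray signature: many accounts, few attempts each. A single
    account with many failures (brute force) has the opposite shape and is
    deliberately not flagged here; a lockout rule already covers it.
    """
    fails_by_src: Dict[str, List[dict]] = defaultdict(list)
    successes_by_src: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev["result"] == "FAIL":
            fails_by_src[ev["src"]].append(ev)
        else:
            successes_by_src[ev["src"]].add(ev["user"])

    findings: Dict[str, dict] = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best = 0
        start = 0
        for end in range(len(fails)):
            # slide the window so it spans at most `window` of time
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user: Dict[str, int] = defaultdict(int)
            for ev in fails[start:end + 1]:
                per_user[ev["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                best = max(best, len(per_user))
        if best:
            # any account this source DID get into is probably compromised
            findings[src] = {"distinct_users": best,
                             "compromised": sorted(successes_by_src.get(src, set()))}
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {src}: {info['distinct_users']} accounts targeted, "
              f"successful logins: {info['compromised'] or 'none'}")
```

The thresholds are deliberately parameters: a spray against a large tenant may touch hundreds of accounts over hours, so in production you would widen the window and raise `min_users`, and you would also key on the source autonomous system or user agent, since attackers rotate addresses to stay under per-IP thresholds.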

    Offline cracking

    Offline cracking occurs when attackers gain access to hashed passwords — often through a data breach — and attempt to reverse them using their own systems. Instead of targeting a live login page, they work with stolen data locally, using techniques like brute-force or dictionary attacks to uncover the original passwords.

    Because this process happens outside the target environment, protections like rate limiting, CAPTCHAs, and account lockouts offer no defense. Attackers can run unlimited guesses at high speed, often on powerful hardware such as racks of GPUs. This makes strong, unique passwords essential, and on the site’s side it makes salted, deliberately slow password hashing (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) essential to reducing risk.
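The following Python example, added for this article and not drawn from the original text, ties together the points made about hashing, dictionary attacks, salting, and offline cracking. It stores a constructed four-user database three ways (unsalted SHA-256, salted SHA-256, and salted PBKDF2-HMAC-SHA256) and runs the same dictionary attack against each, counting the work the attacker has to do. The wordlist and user passwords are made up; the 600,000 iteration count is the 2023 OWASP recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed mini wordlist standing in for rockyou.txt (a real list has millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "Welcome1",
            "summer2024", "dragon", "iloveyou", "admin", "p@ssword"]

# Constructed "breached" user table; carol's password is not in the wordlist.
USER_PASSWORDS = {"alice": "password", "bob": "summer2024",
                  "carol": "Tr0ub4dor&3", "dave": "password"}

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# 1. Unsalted fast hash: one precomputed table cracks every user at once.
def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    return {u: sha256_hex(p.encode()) for u, p in users.items()}


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Returns (user -> recovered password, number of hashes computed).

    The table costs len(wordlist) hashes once and is reusable against any
    database that uses the same unsalted scheme. Identical passwords
    (alice and dave) are also visible as identical hashes before any cracking.
    """
    table = {sha256_hex(w.encode()): w for w in wordlist}
    cracked = {u: table[h] for u, h in stored.items() if h in table}
    return cracked, len(wordlist)


# 2. Salted fast hash: the table can't be shared, so the work grows with the
#    number of users, but each guess is still a single cheap SHA-256.
def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    stored = {}
    for u, p in users.items():
        salt = os.urandom(16)  # unique random salt per user
        stored[u] = (salt, sha256_hex(salt + p.encode()))
    return stored


def crack_salted(stored: Dict[str, Tuple[bytes, str]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    cracked, work = {}, 0
    for u, (salt, h) in stored.items():
        for w in wordlist:
            work += 1
            if sha256_hex(salt + w.encode()) == h:
                cracked[u] = w
                break
    return cracked, work


# 3. Salted, deliberately slow hash: every guess now costs `iterations` HMAC rounds,
#    so the attacker's guess rate drops by that factor while a legitimate login
#    pays the cost only once.
def store_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, int, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password: str, record: Tuple[bytes, int, bytes]) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def crack_pbkdf2(record: Tuple[bytes, int, bytes],
                 wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Returns (recovered password or None, HMAC rounds spent)."""
    salt, iterations, digest = record
    rounds = 0
    for w in wordlist:
        rounds += iterations
        if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations), digest):
            return w, rounds
    return None, rounds


if __name__ == "__main__":
    cracked, work = crack_unsalted(store_unsalted(USER_PASSWORDS), WORDLIST)
    print(f"unsalted SHA-256 : cracked {cracked} with {work} hashes")
    cracked, work = crack_salted(store_salted(USER_PASSWORDS), WORDLIST)
    print(f"salted SHA-256   : cracked {cracked} with {work} hashes")
    found, rounds = crack_pbkdf2(store_pbkdf2("summer2024"), WORDLIST)
    print(f"salted PBKDF2    : cracked {found!r} with {rounds:,} HMAC rounds")
```

Salting stops the shared lookup table and hides which users share a password, but on its own it does not slow the attacker down: the second run still costs only one SHA-256 per guess. The slow hash is what turns a ten-word dictionary into millions of HMAC rounds, and a real attacker with a GPU rig still gets through a short list, which is why the unique, long password remains the user’s side of the bargain.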

    Password hacking tools

    Password hacking tools include network analyzers and packet-capturing software that intercept data as it moves across a network. These tools allow attackers to monitor traffic and capture login credentials, especially if they’re transmitted over unencrypted connections. In such cases, usernames and passwords can sometimes be read directly from the intercepted data.

    Even when the traffic is encrypted, attackers may store captured packets and try to crack them later offline, for example a captured Wi-Fi handshake or a challenge-response authentication exchange, using the same dictionary and brute force techniques. While commonly associated with hacking, these tools are also used by security professionals to test defenses, monitor network activity, and uncover vulnerabilities before attackers can exploit them.

    Here’s a closer look at some specific password hacking tools:

    Password crackers

    Password crackers are tools that help hackers test stolen passwords or password hashes more quickly. Some are designed to guess passwords offline after a data breach, while others try common logins against online accounts or company systems. Their speed and ease of use have improved as graphics cards and other hardware have become more powerful.

    Some of the most common password crackers include:

    • Hashcat: Leverages GPU power to test large volumes of password guesses per second, depending on the hash type. It’s often used for advanced techniques like mask attacks.

    • John the Ripper: A long-standing, open-source tool first released in 1996. Known for its reliability and methodical approach, it’s widely used by security professionals and penetration testers.

    • Medusa: Designed for parallel brute-force attacks against remote authentication services, Medusa tests passwords against wordlists and requires some technical expertise to use effectively.

    It’s hard to protect yourself against password-cracking tools. But with the right protection, you can act quickly to change your passwords and secure your accounts in the event of a data breach. Download AVG BreachGuard to monitor the latest data breaches, including on the dark web, and get alerted immediately if one of your passwords has leaked.

    AI password cracking tools

    AI technology has not only helped boost the capabilities of existing password crackers, but it has also spawned new password cracking tools. This is because AI can rapidly generate smarter, more human-like password guesses, adapt them from real-world patterns, and scale password-guessing operations depending on what is needed.

    For example, researchers in 2024 developed a machine-learning password-guessing model called PassTSL, which outperformed several existing password-cracking methods in tests on leaked password datasets. Newer research in 2025 also showed that AI-assisted password-guessing models could significantly improve results by adapting to real-world password patterns, as seen in a model called KAPG.

    Malware

    Certain types of malware can be used to help crack passwords. In particular, keyloggers are a type of malware that secretly record all your keystrokes, including when typing passwords or PINs, and send them back to the hacker.

    Keyloggers can end up on your device through other types of malware, including Trojans, adware, and rootkits. Using strong antivirus software can help protect against keyloggers and other malicious software.

    How can I stop people guessing my passwords?

    The most effective way to prevent password guessing is to use long, unpredictable passwords. Avoid common choices like “password,” “123456,” or personal details such as names or birthdays. It’s also important to use a unique password for each account, enable two-factor authentication, and consider alternative login methods like biometrics to strengthen your security.

    Here’s how you can help stop people from guessing your passwords and compromising your accounts:

    Create a strong password

    Strong passwords are the first line of defense against hackers. You can create a complex password by using a random password generator and following these tips:

    • Include a variety of uppercase and lowercase letters as well as numbers and special characters.

    • Consider using a passphrase made of random and unrelated words.

    • Mix up the distribution of special characters — don’t use just one uppercase letter at the beginning of your password.

    • Make the password a minimum of 16 characters.

    • Make sure that whatever password you choose is unique to that account.
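The checklist above can be put to work in a few lines of Python. The example below is added for this article and is not code from the original text; it generates passwords and passphrases with the `secrets` module (a cryptographically secure source, unlike `random`), estimates their entropy, converts that into a time-to-exhaust figure at an assumed offline rate of ten billion guesses per second, and checks a password against the rules in the list. The 16-word list is a constructed stand-in for a real diceware list of 7,776 words.

```python
import math
import secrets
import string
from typing import List

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters

# Constructed stand-in for a diceware-style word list (a real one has 7,776 entries).
WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "gravel", "hazel",
         "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pepper"]
DICEWARE_SIZE = 7776


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniform random characters from a CSPRNG; random.choice is not suitable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 5, words: List[str] = WORDS, sep: str = "-") -> str:
    """Random, unrelated words joined with a separator; strength comes from the
    word count and list size, not from the words being unusual."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole space at the given rate (assumed figure for a GPU rig
    against a fast hash). On average an attacker succeeds at about the halfway point."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def meets_article_rules(pw: str) -> bool:
    """The checklist: at least 16 characters, upper and lower case, a digit, a symbol,
    and the uppercase letters not confined to a single capital at the start."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    only_leading_upper = pw[:1].isupper() and not any(c.isupper() for c in pw[1:])
    return (len(pw) >= 16 and has_lower and has_upper and has_digit
            and has_symbol and not only_leading_upper)


if __name__ == "__main__":
    pw = random_password(16)
    bits = entropy_bits(len(ALPHABET), 16)
    print(f"{pw}  ({bits:.1f} bits, ~{years_to_exhaust(bits):.2e} years to exhaust)")
    phrase = random_passphrase(5)
    bits = entropy_bits(DICEWARE_SIZE, 5)  # what a full diceware list would give
    print(f"{phrase}  (with a 7,776-word list: {bits:.1f} bits, "
          f"~{years_to_exhaust(bits):.2e} years)")
    print("checklist:", meets_article_rules(pw), meets_article_rules("Welcome1234="))
```

Note that the rule checker and the entropy estimate answer different questions. A five-word diceware passphrase fails the checker because it has no digits or symbols, yet its 64 bits of entropy already put it out of reach of a brute force at the assumed rate, and the checker cannot tell a random 16-character string from a 16-character song lyric. Entropy only applies when the password really was chosen at random, which is the strongest argument for letting a generator pick it.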

    [Image: a passphrase built from random words.] Hard-to-guess passphrases composed of random, unrelated words help keep your accounts secure.

    Even sophisticated password-cracking methods running on powerful machines can take a very long time to crack a password that checks all those boxes, especially if it’s long, random, and unique. A good password manager can even generate strong passwords for you, removing the need to come up with them in the first place.

    Keep an antivirus running

    Robust anti-malware software can help detect a keylogger before it gets the chance to record any sensitive data. AVG AntiVirus FREE will automatically detect and block any malware threats, while scanning and removing malware already present on your device.

    Turn on two-factor authentication

    Two-factor authentication (2FA) adds another layer of security to your logins by requiring an additional step after entering your password, most often a one-time code from a mobile app, SMS, or email. However, 2FA is not foolproof: any code you type in can be phished along with your password, and SMS codes can additionally be stolen through SIM swapping. An authenticator app is better than SMS, and a security key or passkey is better still.

    Use passwordless authentication

    Several passwordless authentication methods can be used to help outwit potential hackers. Chief among these is biometric authentication, such as fingerprint scans and facial recognition. These methods are often used to unlock a secure credential stored on your device.

    Other passwordless methods include security keys, physical cards in some workplace systems, one-time login links, and passkeys. Passkeys are cryptographic key pairs tied to your account. The private key stays on your device, in a password manager, or on a security key, and because it is never sent to the site and only works for the site it was created for, a passkey can’t be phished or reused elsewhere.

    Use a VPN

    A VPN (virtual private network) encrypts your internet traffic, so that anyone snooping on the network you’re using can’t read what you’re sending or receiving. Hackers can take advantage of unsecured public Wi-Fi to steal sensitive data such as login details while in transit. One of the benefits of using a VPN is helping protect your traffic on public networks by making intercepted data much harder to read.

    Is password cracking illegal?

    Cracking a password without authorization is generally illegal, though laws vary by jurisdiction. Accessing accounts or systems without clear permission — even without malicious intentions — can carry legal consequences. And, of course, any password cracking activities taken in aid of illegal hacking are considered a crime.

    However, authorized security testing, such as penetration testing with consent, is typically allowed. Likewise, attempting to recover your own password on a system you own is usually lawful, but bear in mind that local regulations and service or workplace agreements may still apply.

    Protect your passwords and data from hackers

    As password-cracking tools become more advanced, staying protected means taking a proactive approach. AVG BreachGuard helps you stay ahead by monitoring for data breaches, flagging compromised passwords, and assessing your overall password strength.

    It also works to remove your personal information from data broker sites, reducing your exposure online. Stay in control of your data and keep your accounts safer with AVG.

    Anthony Freda
    5-11-2021