5 Password Guessing Attacks – Credential Cracking Techniques Explained



What are the main types of password attacks? The main types of password attacks are password spraying, hash cracking, brute force, dictionary attacks, and rainbow table attacks.

What is brute force password attack? Brute force is when an attacker attempts all possible combinations of characters until the correct password is found, often requiring significant time and computational resources.

What is a password spraying attack? A password spraying attack occurs when an attacker attempts to use a single, commonly used password against a list of legitimate usernames. This allows them to bypass lockout mechanisms that trigger after too many incorrect password attempts on a single account.

What is a dictionary password attack? A dictionary attack uses a pre-compiled list of common words and phrases as passwords, it is more efficient than brute force.

What is hash cracking attack? Hash cracking involves obtaining hashed passwords, and then using various methods to compute the original plaintext passwords from the hashed password.

What is a rainbow table attack? Rainbow tables use a combination of chaining and reduction functions to store a large list hashed values that act as a lookup table for hackers.

Did you know that over 60% of individuals confess to the habit of recycling their passwords? It is not surprising that cybersecurity has become a more critical concern due to the increasing number of incidents in recent years. 2022 witnessed a 65% surge in compromised passwords compared to the year 2000.

Many people don’t realize just how critical it is to keep their passwords safe. Your password security can be the difference between keeping your information safe and having it compromised.

In this blog, we are shedding light on the primary password cracking techniques used by hackers to steal your sensitive information.

Brute Force Attacks

Brute force attacks involve continuously trying different combinations of usernames and passwords until the attacker gains access to the system. There are various types of brute force attacks, and we will discuss them and how to defend against them.


The traditional brute force attack typically starts with the shortest possible password length, which often begins with a single character like ‘a,’ and then systematically generates and tests all possible combinations.

Here’s an example of how it might go:

  1. ‘a’
  2. ‘b’
  3. ‘c’
  4. ‘aa’
  5. ‘ab’
  6. ‘ac’

The attack continues in this manner, incrementing the length and trying all possible combinations until it either succeeds in finding the correct password or exhausts all possibilities. This is not very efficient and is relatively ineffective against strong passwords.

The next method in brute force attacks is known as a dictionary attack. Unlike traditional brute force, dictionary attacks take a more targeted path.

dictionary attack

Instead of exhausting all possibilities, they use pre-made lists of commonly used passwords. You can find lists with millions of password variations online.

In a dictionary attack, attackers use automated tools to systematically test each password from the list against a specific username. While dictionary attacks are more efficient compared to traditional brute force methods, they still struggle when it comes to cracking strong, complex passwords.

pass spraying attack

Password spraying attacks have a distinct strategy to circumvent account lockout mechanisms. Unlike other brute force methods, they iterate through different usernames, applying a single password to each username one at a time.

This attack involves two steps: gathering a list of legitimate usernames, and then attempting a common password against each of these usernames. If the initial password attempt is unsuccessful, the attacker will cycle through a list of other commonly used passwords, testing each one individually against the usernames.

Brute Force Defense

So those are the three main types of brute force attacks used to crack user credentials, but how feasible are these techniques against modern security mechanisms. Well, the types of security measures hackers must bypass are:

  • Account Lockout Policies: Continuously monitor login attempts and lockout accounts temporarily or permanently after a certain number of incorrect login attempts.
  • Rate Limiting: Restrict the number of login attempts per unit of time, making brute force and dictionary attacks less effective.
  • Multi-Factor Authentication: Enforce the use of MFA to add an extra layer of security.
  • Password Complexity Requirements: Enforce strong password policies that require a combination of upper and lower-case letters, numbers, and special characters.
  • Monitoring and Anomaly Detection: Use tools and techniques to monitor and detect unusual login patterns.
  • Geolocation Blocking: Implement IP geolocation blocking to restrict login attempts from specific geographic regions.

Brute force attacks are typically not very successful against systems that implement strong security measures. However, attackers may use certain tactics to bypass these defenses, such as IP rotation, slow brute forcing, or CAPTCHA-solving bots.

front end

One key factor is that brute force attacks often don’t target the ‘front door,’ which is the application’s login form.

Instead, attackers find alternative paths to use their automated tools.

One common strategy is to exploit authentication APIs or endpoints, which are exposed and allow for programmatic logins. These APIs are frequently not adequately protected which could allow for brute forcing.

While brute forcing remains a possibility and is still used by attackers today, the security measures described above make it challenging in terms of both time and resources. In the next section, we will discuss into a more practical password attack method involving stolen password hashes from a database.

Password Hash Attacks

Mixing up of the terms hashing and encryption is a common misconception. These are fundamentally different concepts. Encryption is a process that transforms data in a way that it can be reversed using a specific key, while hashing is a one-way process with no reversal function.


When it comes to password hash attacks, it’s essential to clarify that the passwords are hashed, not encrypted.

Modern databases typically store sensitive information in a hashed state. Hackers can still attempt to recover the plaintext using password hash attacks, which come in two primary methods: hash cracking and rainbow tables.

Hash cracking involves obtaining a list of hashed passwords, which is a challenging task on its own. Once you obtain the hashed passwords, the process is not much different than the other brute force methods.

Hashcat is an opensource project designed specifically for hash cracking, it uses your GPU as a hardware accelerator to speed up this process. Hashcat works by utilizing two methods to crack passwords. The first is traditional brute force, which involves hashing every possible entry and comparing it to the target password hash.

The second is a hashed dictionary attack, which is similar to a standard dictionary attack, but instead of comparing plaintext passwords, it matches the hashes of passwords found in the dictionary.

The effectiveness of hash cracking methods comes from their ability to run locally on your device and utilize a GPU for better performance. Tools like Hashcat can break 6-character passwords in under 24 hours using brute force methods.

Hashcat also gives you the flexibility to customize the dictionary attacks by incorporating common password variations like replacing letters with numbers, such as changing “e” to “3.”

Rainbow Table Attack

The next technique is a bit more complex; it is called a rainbow table attack. Rainbow tables are commonly confused with lookup tables, a lookup table simply has a long list of passwords and their corresponding hashes. This though takes up hundreds of gigabytes of storage, to reduce the amount of storage needed a rainbow table is used.

Rainbow tables use a combination of chaining and reduction functions to save storage space. Initially, a plaintext password is hashed and then reduced using a reduction function to create a new candidate password. This process is repeated iteratively, creating chains of password candidates and corresponding hashes.

The endpoint of each chain, which represents the final hashed value, is stored in the rainbow table which saves significant space. Rainbow tables save storage space but will reduce performance speed.

When an attacker finds a matching hash in a rainbow table, they must follow the chain of hashing and reducing each entry iteratively to eventually arrive at the plaintext value. This process is necessary to recover the original password associated with the hash found in the rainbow table.

Rainbow tables are a bit complicated to explain in a couple short paragraphs, I might write an article just focusing on them.

Salting vs Hash Attacks


Salting refers to generating a random string of characters (the “salt”) and then combining it with the user’s password before hashing. This means that even if two users have the same password, the salts will be different, resulting in distinct hashes for each user.

Without knowing the salt for each user, attackers can’t effectively use precomputed tables or dictionaries to crack passwords. Salting also protects against hash collisions, where different passwords yield the same hash. With salt, every hash is different. Salting makes password hash cracking a much tougher and time-consuming endeavor.


Cracking passwords is a challenging task with limited approaches. It always involves some form of trial-and-error or matching technique. Whether attackers have the hashed passwords or not, cracking a strong password demands a considerable amount of effort and time.

Many argue that humans are the weakest link in cybersecurity, and I tend to agree. Creating a convincing phishing attack is easier than searching for vulnerabilities in database authorization or attempting to steal password hashes.

Stay safe out there!