How Password Cracking Works: Brute Force, Dictionary & Rainbow Tables

Learn how password cracking methods like brute force, dictionary attacks, and rainbow tables work — and how to make your passwords uncrackable.

Passwordly Team
10 min read

The Password Cracking Threat

Every year, billions of credentials are exposed in data breaches. When a company's database is compromised, attackers rarely get your password in plain text — modern systems store a hashed version of it. But that doesn't mean you're safe. Password cracking is the art and science of converting those hashes back into the original passwords, and attackers have become extraordinarily good at it.

Modern password cracking rigs can test billions of password candidates per second using consumer graphics cards. A standard desktop GPU can attempt over 20 billion MD5 hashes per second, while dedicated cracking clusters operate at scales that make even eight-character passwords vulnerable within minutes. Understanding how these attacks work is the first step toward building an effective defense.

This isn't theoretical. After the 2012 LinkedIn breach, security researcher Troy Hunt analyzed 117 million leaked passwords and found that the most common was simply "123456." More sophisticated analysis of the 2021 RockYou2021 compilation — which contained over 8 billion unique entries — revealed that the vast majority of real-world passwords can be cracked within hours using standard methodology.

Brute Force Attacks Explained

A brute force attack is the simplest conceptually: try every possible combination of characters until you find the one that produces the correct hash. There's no intelligence involved — just computational power applied systematically.

Given enough time and resources, brute force will always succeed. The question is whether "enough time" means seconds or centuries. The math is straightforward:

  • A 6-character lowercase password has 26⁶ = approximately 309 million combinations
  • An 8-character lowercase password has 26⁸ = approximately 209 billion combinations
  • An 8-character password using lowercase, uppercase, digits, and symbols has 95⁸ = approximately 6.6 quadrillion combinations

At 20 billion attempts per second (achievable with modest GPU hardware), that 6-character lowercase password falls in under a second. The 8-character mixed-character password survives for around 9 minutes. Neither is remotely acceptable for protecting anything of value.

Tools Used in Brute Force Attacks

Attackers use specialized tools like Hashcat and John the Ripper — both freely available and actively maintained. Hashcat supports over 300 hash algorithms and can leverage multiple GPUs in parallel. Cloud platforms like AWS and Google Cloud allow attackers to rent massive compute capacity for short bursts, making even previously impractical attacks economically viable.

Brute force is most effective against short passwords or limited character sets. Attackers typically use it as a fallback when smarter methods fail, or as a final sweep after exhausting other approaches.

Dictionary Attacks and Wordlists

A dictionary attack is dramatically more efficient than pure brute force. Instead of testing every possible combination, it tests a curated list of candidate passwords — words, phrases, and patterns that real people actually use.

The canonical example is the RockYou wordlist: originally leaked from the RockYou social network breach in 2009, it contained 14 million real user passwords. Security researchers use it as a baseline dictionary; it's included with Kali Linux by default. More modern compilations contain hundreds of millions to billions of entries.

Where Wordlists Come From

Modern wordlists are compiled from:

  • Previous breach data: Every major breach contributes millions of real passwords to attacker wordlists
  • Linguistic databases: Dictionaries in dozens of languages, including proper nouns, slang, and technical terms
  • Pattern databases: Common substitutions (a→@, e→3, o→0), keyboard walks (qwerty, 123456), and seasonal patterns (Summer2025!)
  • Target-specific research: For spear-phishing, attackers may build custom wordlists using their target's name, company, birthdate, and favorite sports teams

Dictionary attacks are terrifyingly effective against "clever" passwords that feel unique to the user. The password P@ssw0rd1 exists in every major wordlist. Manchester2026! will be cracked within the first few passes of a rules-based dictionary attack. Even correcthorsebatterystaple — the famous XKCD example — now appears in breach compilations and wordlists.

Rules-Based Dictionary Attacks

Hashcat and similar tools can apply transformation rules to every word in a wordlist automatically. A single rule might:

  • Capitalize the first letter
  • Add !, 1, or 123 to the end
  • Replace a with @ and e with 3
  • Prepend the current year

A dictionary of one million words combined with a moderate rule set can generate hundreds of billions of candidates — while remaining far more targeted than pure brute force, because they're all passwords that real humans might actually choose.
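As an added illustration (not code from the article or from any tool it names), here is a small interpreter for a subset of hashcat's rule syntax, turned around for defensive use: a password policy can reject any candidate that a common wordlist plus a modest rule set reaches, which is exactly how P@ssw0rd1 and Manchester2026! fall. The wordlist and rule set are constructed for the example.

```python
import itertools

# Constructed mini wordlist and rule set. The rule syntax follows hashcat's:
# ':' no-op, 'c' capitalize, '$X' append X, '^X' prepend X (one character
# at a time, so prepends are written right to left), 'sXY' replace X with Y.
WORDLIST = ["password", "manchester", "summer", "travel"]
RULES = [
    ":",                 # the word unchanged
    "c",                 # Password
    "c $!",              # Password!
    "c $1",              # Password1
    "$1 $2 $3",          # password123
    "sa@ se3 so0",       # p@ssw0rd
    "c sa@ so0 $1",      # P@ssw0rd1
    "c ^5 ^2 ^0 ^2",     # 2025Password
    "c $2 $0 $2 $6 $!",  # Password2026!
]

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule (space-separated functions) to a word, left to right."""
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            continue
        if op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "$":
            word += arg
        elif op == "^":
            word = arg + word
        elif op == "s":
            word = word.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function: {fn}")
    return word

def generate_candidates(words=WORDLIST, rules=RULES) -> set:
    """Every candidate the rule set derives from the wordlist; a set, because a
    substitution with nothing to replace collapses onto another rule's output."""
    return {apply_rule(w, r) for w, r in itertools.product(words, rules)}

def mangled_dictionary_match(password: str, words=WORDLIST, rules=RULES):
    """Defender-side policy check: the (word, rule) pair that reaches
    `password`, or None. Anything reachable here falls in the first passes
    of a rules-based attack and a password policy should reject it."""
    for w, r in itertools.product(words, rules):
        if apply_rule(w, r) == password:
            return (w, r)
    return None
```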

Rainbow Table Attacks

Rainbow tables take a different approach: rather than computing hashes on the fly, they precompute a massive lookup table mapping hash values back to their original inputs.

The concept was formalized by Philippe Oechslin in 2003 as an improvement on Martin Hellman's earlier time-memory trade-off attack. The innovation is using "reduction functions" to chain hash computations together, dramatically compressing a lookup table that would otherwise require petabytes of storage into something manageable.

In practice, rainbow tables excel when:

  • The hash algorithm is fast (MD5, SHA-1, NTLM)
  • The target password space is limited (e.g., all 8-character alphanumeric passwords)
  • Passwords are stored without salting

Why Salting Destroys Rainbow Tables

A salt is a random value appended to a password before hashing. Every user gets a unique salt, stored alongside their hash in the database. Even if two users share the password hunter2, their salted hashes will be completely different.

This completely defeats rainbow tables: you'd need to precompute a separate rainbow table for every possible salt value, which is computationally infeasible. Modern password storage systems — bcrypt, scrypt, Argon2 — all incorporate salting by design.

Rainbow table attacks are therefore most dangerous when targeting old, poorly designed systems that store unsalted MD5 or SHA-1 hashes. Unfortunately, such systems remain common in legacy software.
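A toy rainbow table, added here as an illustration and not taken from the article, makes the reduction-function idea concrete. The password space is shrunk to four-digit PINs and the fast hash is SHA-1 so the table builds in a fraction of a second; the same lookup fails the moment a per-user salt is mixed into the hash.

```python
import hashlib

# Toy setting, constructed for illustration: the "password" space is the
# 10,000 four-digit PINs "0000".."9999" and the fast unsalted hash is SHA-1.
SPACE = 10_000
CHAIN_LEN = 40

def fast_hash(pw: str, salt: str = "") -> str:
    return hashlib.sha1((salt + pw).encode()).hexdigest()

def reduce_fn(digest: str, col: int) -> str:
    # Reduction function: maps a digest back into the PIN space. Making it
    # depend on the column index is Oechslin's refinement over Hellman's
    # tables: chains that collide in different columns no longer merge.
    return "%04d" % ((int(digest[:12], 16) + col) % SPACE)

def build_table(n_chains: int) -> dict:
    """Precompute n_chains hash/reduce chains; only (end -> start) is stored."""
    table = {}
    for i in range(n_chains):
        start = pw = "%04d" % ((i * 7919) % SPACE)  # spread-out start points
        for col in range(CHAIN_LEN):
            pw = reduce_fn(fast_hash(pw), col)
        table.setdefault(pw, start)
    return table

def lookup(table: dict, target: str):
    """Recover the PIN behind an unsalted digest, or None if the table misses."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits in column `col` and walk the rest of the chain.
        pw = reduce_fn(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(fast_hash(pw), c)
        if pw in table:
            pw = table[pw]                        # regenerate from the start
            for c in range(CHAIN_LEN):
                if fast_hash(pw) == target:
                    return pw
                pw = reduce_fn(fast_hash(pw), c)  # false alarm: keep walking
    return None

TABLE = build_table(1_000)   # 40,000 SHA-1 calls; a fraction of a second
```

A real table stores millions of chains per hash algorithm and charset, which is why it only pays off when the same unsalted hash is reused across every user.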

Hybrid Attacks: Combining Methods

Sophisticated attackers don't choose one method — they combine them in what's known as a hybrid attack. A typical hybrid attack workflow might look like this:

  1. First pass: Run the most likely 1,000 passwords from common breach data (catches the low-hanging fruit)
  2. Second pass: Full dictionary attack with top 100 million entries
  3. Third pass: Dictionary with rules (capitalization, leetspeak, numeric suffixes)
  4. Fourth pass: Mask attack targeting specific patterns (?u?l?l?l?l?l?d?d for passwords like Travel25)
  5. Final pass: Brute force on remaining short passwords

Tools like Hashcat support all these modes and can be scripted to run them sequentially or in priority order. Professional penetration testers use similar pipelines to evaluate an organization's password security.

Credential stuffing is another hybrid technique: rather than cracking hashes, attackers take username/password pairs from one breach and automatically test them against hundreds of other services. Since password reuse is endemic, credential stuffing succeeds at rates of 0.1–2% — meaning a list of 100 million breached credentials will successfully log in to 100,000–2,000,000 accounts.

How Hashing and Password Managers Stop These Attacks

Modern defenses against password cracking operate at two levels: how passwords are stored and how they're created.

Strong Password Hashing Algorithms

The right hashing algorithms make cracking computationally expensive by design:

  • bcrypt: Intentionally slow, with a configurable "work factor." At work factor 12, bcrypt processes roughly 1,000 hashes per second per GPU — versus 20 billion for MD5
  • scrypt: Memory-hard in addition to CPU-intensive, resisting GPU-based attacks
  • Argon2: The winner of the 2015 Password Hashing Competition, and the current gold standard. Configurable memory, CPU, and parallelism requirements

When a service uses Argon2 with appropriate parameters, a modern GPU cluster that can test 20 billion MD5 hashes per second can test only a few hundred Argon2 hashes per second. That is the difference between cracking a password in an hour and cracking it in 100 million years.
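Added example (not the article's code): the legacy unsalted-MD5 pattern beside salted scrypt storage and verification, using only Python's standard library. The scrypt parameters are an assumption to tune for your hardware, and Argon2 would follow the same store/verify shape with a third-party package.

```python
import hashlib
import hmac
import os
import time

def store_unsalted_md5(password: str) -> str:
    # Legacy pattern: fast and unsalted. Equal passwords give equal hashes, so
    # a precomputed table or a 20-billion-per-second GPU rig applies directly.
    return hashlib.md5(password.encode()).hexdigest()

# scrypt cost parameters: an assumption for this example, to be tuned per host.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def store_scrypt(password: str, salt: bytes = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$key_hex' with a fresh 16-byte salt per user."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def verify_scrypt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)

def guesses_per_second(fn, password: str = "hunter2", seconds: float = 0.5) -> float:
    """Rough single-core throughput of a storage function, for a side-by-side."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn(password)
        n += 1
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    record = store_scrypt("hunter2")
    print(record, verify_scrypt("hunter2", record), verify_scrypt("hunter3", record))
    for f in (store_unsalted_md5, store_scrypt):
        print(f"{f.__name__:<20} {guesses_per_second(f):>12,.0f} guesses/s (one CPU core)")
```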

How Password Managers Help

Password managers defeat dictionary attacks by generating passwords that don't appear in any wordlist — because they're randomly generated. A 20-character random password from Bitwarden isn't a word, isn't a pattern, and has never appeared in any breach. Against a randomly generated password with sufficient length, even the most powerful cracking rig faces an astronomical task.

Practical Tips to Make Your Passwords Uncrackable

Armed with this knowledge, here's what actually protects you:

Use a password manager. Generate unique, random passwords for every account. Something like Xk9#mP2@vL7qN4wR is genuinely uncrackable with current technology, and you don't need to remember it.

Prioritize length over complexity. A 20-character random lowercase string has far more entropy than an 8-character password with symbols. See the password entropy guide for the math.
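The following calculator is an added example, not part of the article: it takes hashcat-style masks (?l lowercase, ?u uppercase, ?d digit, ?s symbol, ?a any of the 95 printable characters) and computes keyspace, entropy and worst-case guessing time at the guess rates quoted earlier for MD5, bcrypt at work factor 12 and Argon2 (300 per second is an assumption standing in for the article's "a few hundred"). It covers the brute-force section's 26⁶ and 95⁸ cases, the Travel25 mask from the hybrid section and the 20-character-lowercase comparison above.

```python
import math

# hashcat-style mask charsets: ?l lowercase, ?u uppercase, ?d digits,
# ?s the 33 printable ASCII symbols, ?a all 95 printable ASCII characters.
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Guesses per second quoted in the article: MD5 on a desktop GPU and bcrypt at
# work factor 12. The Argon2 figure (300, "a few hundred") is an assumption.
RATES = {"MD5": 20e9, "bcrypt(12)": 1e3, "Argon2": 300}

def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask covers, e.g. '?l' * 6 -> 26**6."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError(f"malformed mask: {mask}")
    size = 1
    for cls in mask[1::2]:          # one charset class per position
        size *= CHARSET_SIZE[cls]
    return size

def entropy_bits(mask: str) -> float:
    """log2 of the keyspace: the entropy of a password drawn uniformly from it."""
    return math.log2(mask_keyspace(mask))

def worst_case_seconds(mask: str, rate: float) -> float:
    """Time to exhaust the whole mask at `rate` guesses per second."""
    return mask_keyspace(mask) / rate

def human(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report(masks=("?l" * 6, "?l" * 8, "?a" * 8, "?u?l?l?l?l?l?d?d", "?l" * 20)):
    """Side-by-side table for the article's cases and the hash-rate comparison."""
    for m in masks:
        line = f"{m:<22} {mask_keyspace(m):>24,} {entropy_bits(m):5.1f} bits"
        for name, rate in RATES.items():
            line += f" | {name}: {human(worst_case_seconds(m, rate))}"
        print(line)

if __name__ == "__main__":
    report()
```

The report is the check a policy author wants: the 20-character lowercase mask carries about 94 bits against roughly 53 for eight characters drawn from all 95 printable symbols.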

Never reuse passwords. Credential stuffing means that one breached password exposes every account where you used it. Unique passwords per site make you immune to credential stuffing.

Check breach databases. Use HaveIBeenPwned's password check tool (which uses k-anonymity — your password is never sent to the server) to verify whether a specific password appears in known breach data.

Use 2FA as a failsafe. Even if an attacker cracks or steals your password, multi-factor authentication prevents them from accessing your account without the second factor.

Choose services that use modern hashing. When possible, patronize services that are transparent about their security practices. Sites that email you your password in plain text are storing it insecurely — leave immediately.

The threat of password cracking is real and growing as hardware gets cheaper. But with a password manager and good habits, you can make yourself effectively immune to every attack described here. The attackers move on to easier targets — and there are always easier targets than someone using a 20-character random password with 2FA enabled.
