The only things keeping hackers away from your personal information and bank accounts are your password and your email address, and of the two, the email address is probably already known, since a lot of people use the same address for business.
Attack surface
Most often, password hacking occurs on an individual level: the person is known ahead of time, and the hacker is targeting them for something that they want. Although there are many ways of getting someone's password, a few are the most popular.
Attacks
Brute force
Brute force is one method that is not very viable against online services, simply because such services are often slow to respond (300 milliseconds per request/response), while the method needs to try as many passwords as possible. There is also a possibility that the user has two-factor authentication enabled, in which case even a hacker who has obtained the account password still needs to verify with SMS.
This makes brute force not viable for online services. If the hacker is trying to break a password locally, for example on password-protected files, it is a viable solution if, and only if, the password is very short. Let's say we have a password of 2 letters from a-z: that takes 676 tries. With 3 letters, the number of tries needed grows to 17 576. The difficulty of the brute-force method, though, is latency, even on local programs, and the fact that neither the password length nor whether it contains only letters or only numbers is known. To the attacker, a 2-letter a-z password looks the same as a password of any length using any letters of any language.
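The growth in tries described above, as an added example (not code from the original article). The 300 ms figure and the a-z counts come from the text; the function names, the ASCII character classes and the 9-character case are assumptions made for illustration. It goes beyond the article's two cases by also summing over every shorter length, which is what an unknown password length forces.

```python
import string

# Per-guess latency quoted in the article for an online service, in seconds.
ONLINE_LATENCY_S = 0.300

# Character classes a password policy might allow (ASCII only: an assumption).
CLASSES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def keyspace_unknown_length(alphabet_size: int, max_length: int) -> int:
    """Candidates to cover when only an upper bound on the length is known."""
    return sum(keyspace(alphabet_size, n) for n in range(1, max_length + 1))

def worst_case_seconds(candidates: int, seconds_per_guess: float) -> float:
    """Time to try every candidate one after another at a fixed latency."""
    return candidates * seconds_per_guess

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def report(classes, max_length, seconds_per_guess=ONLINE_LATENCY_S) -> str:
    """One summary line for a policy: alphabet, candidate count, worst case."""
    size = sum(CLASSES[c] for c in classes)
    total = keyspace_unknown_length(size, max_length)
    worst = humanize(worst_case_seconds(total, seconds_per_guess))
    return (f"{'+'.join(classes)}, up to {max_length} chars: "
            f"{total:,} candidates, {worst} worst case")

if __name__ == "__main__":
    print(report(("lower",), 2))                     # the article's 2-letter case
    print(report(("lower",), 3))                     # the article's 3-letter case
    print(report(("lower", "upper", "digits"), 9))   # "more than 8" with capitals and numbers
```

The count for the last line is an upper bound, since a rule that requires at least one capital and one number excludes some of those candidates.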
Social-engineering
Social engineering refers to the hacker playing a game with the victim, by impersonating others or by appearing to develop a relationship with the victim. The hacker always strives to stay on the victim's good side, and will constantly ask questions whose answers reveal the password. Questions such as: what is your pet's name, when is your birthday.
Many services give the user the option to set a secret question and answer in case they forget their password. The problem with this approach is that the answers to those questions can be known by anybody, not to mention that a lot of people advise new computer users to choose passwords that they can remember, such as their date of birth combined with their name, or their pet's name with 123 on the end.
Encryption vs hashing
Lastly, as with the brute-force method, if the password is encrypted, that is, an encryption algorithm is used to encode the password, then that password can be decoded back. The hacker must try to guess the key that the program or person used by trying all sorts of combinations, but unlike brute force on the password, this is brute force on the key that encrypted the password.
However, if the password is hashed, the hacker gets diminishing returns from trying to recover the password. What he can try to do instead is produce another hash that matches the provided one.
Hashing is when we use a key to generate the encoded password, but unlike encryption, there is no decryption. So once the hash has been made, there is no certain way to get the original password back; what the hacker can get instead is a collision.
Prevention
The simplest way to protect yourself from hackers is to have secure passwords, which are more than 8 characters long and contain capital letters and numbers, and which you should rotate often, for example once a year. This will protect you against any leaks from the services that you have profiles on. Two-factor authentication also ensures that even if the hacker knows the password, he will also need to have the phone and get the SMS verification code in order to get in, which makes passwords combined with it pretty secure. On their own, though, not so much, which is why it's always suggested to use two-factor authentication.