Password Cracking: How Attackers Access and Abuse Credentials

Written by: Lizzie Danielson

Published: 6/9/2026


A strong password and MFA are great ways to prevent an attack, but some password cracking techniques punch through even well-secured sign-ins. You’ll need strong standards and an identity protection tool like Managed ITDR to keep both sides of the authentication process safe: securing credentials up front, and knowing immediately when one gets abused.

In this article, we’ll explore how password cracking works and common methods for safeguarding against these attacks.

Key Takeaways

  • A strong password and multi-factor authentication (MFA) aren’t enough. You need safeguards against password cracking, too.
  • Password cracking tools let threat actors force their way through a login screen with surprisingly advanced methods.
  • Huntress’s managed Identity Threat Detection and Response (ITDR) service checks logins and identity behavior to spot and shut down credential abuse before it gets out of hand.

What’s password cracking, & how does it work?

Password cracking refers to the different methods attackers use to obtain a user’s password: guessing it against a live login (online) or recovering it from a stolen hash (offline). Techniques like credential stuffing and brute force sometimes work on the first try, but when they don’t, there’s usually another weak point to exploit. A poorly trained help desk employee, for example, is a soft target for social engineering that hands an attacker a password reset or a fresh MFA enrollment without any cracking at all.

Threat actors can skip the login screen altogether by going after stored password hashes instead. Rather than keeping passwords in plain text, most systems store salted, hashed versions of them in backend databases. Attackers steal those hashes and run them through cracking tools offline, trying candidate passwords until one produces the same hash. How fast that goes depends on the hash: a general-purpose hash like MD5 or SHA-256 can be tested billions of times per second on GPUs, while a purpose-built password hash is tuned to be slow. Once they’ve recovered a working password (or, in some cases, a reusable hash), they can authenticate just like a legitimate user.
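The offline attack described above, as an added example that is not part of the original article: a constructed “stolen database” of per-user salts and fast SHA-256 hashes, and a small cracker that walks a wordlist through mangling rules (the kind of transformations John the Ripper and Hashcat apply at scale) against each record. The usernames, passwords, and wordlist are all made up for the example.

```python
"""Offline dictionary cracking of salted hashes (added example, constructed data).

The 'stolen database' is built inline: each record holds a per-user random
salt and sha256(salt + password), the kind of fast hash an attacker hopes to
find. The salt stops one precomputed table from covering every user, but it
does nothing to slow down per-user guessing of a fast hash.
"""
import hashlib
import os

# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "summer", "welcome", "huntress", "letmein"]


def hash_password(password: str, salt: bytes) -> str:
    """Fast salted hash, as a poorly designed application might store it."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mangle(word: str):
    """Yield rule-based variants: case changes, common suffixes, leetspeak."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2024", "2025", "1!"):
            yield base + suffix
    leet = word.translate(str.maketrans("aeo", "430"))
    yield leet
    yield leet.capitalize() + "!"


def build_stolen_db() -> list:
    """Constructed dump of three accounts; only 'carol' has a strong password."""
    users = {"alice": "Summer2025", "bob": "P4ssw0rd!", "carol": "xK9#mQ2vL8p$"}
    db = []
    for user, pw in users.items():
        salt = os.urandom(16)
        db.append({"user": user, "salt": salt, "hash": hash_password(pw, salt)})
    return db


def crack(records: list, wordlist=WORDLIST) -> dict:
    """Return {username: password} for every record some candidate reproduces.

    Because each record has its own salt, every candidate must be re-hashed
    per user; that is the only cost the salt adds for the attacker.
    """
    recovered = {}
    for rec in records:
        for word in wordlist:
            for cand in mangle(word):
                if hash_password(cand, rec["salt"]) == rec["hash"]:
                    recovered[rec["user"]] = cand
                    break
            if rec["user"] in recovered:
                break
    return recovered


if __name__ == "__main__":
    print(crack(build_stolen_db()))
```

Two of the three accounts fall to a five-word list with a handful of rules; the random password survives because no rule produces it. Real crackers differ from this toy only in scale: far larger wordlists, hundreds of rules, and GPU throughput.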

Five common password cracking methods attackers use

Password cracking mixes an attacker’s effort with automation. With the right tools, the attacker prepares the hash list, wordlist, and rules, then lets the software run unattended. Keep an eye out for these five password cracking methods and tools that make quick work of passwords that only look secure.

  1. John the Ripper

    John the Ripper is offline password cracking software with packages for Windows, Linux, macOS, and more. Attackers feed it password hashes pulled from a compromised system (local account databases, application tables, captured authentication exchanges), and it runs dictionary attacks that try common words and mangling rules first before falling back to incremental brute force.

  2. Hashcat (GPU-accelerated)

    Hashcat is an open-source cracker preferred by attackers for its speed. It offloads hashing to GPUs through OpenCL or CUDA, and its rule engine runs “in-kernel,” meaning the candidate-mangling rules execute on the GPU alongside the hash computation rather than on the CPU. An attacker’s cracking rig can test billions of fast hashes per second this way. Hashcat supports the same attack modes as John the Ripper (dictionary, rules, masks, combinator, brute force), but the GPU throughput means exhaustive attacks finish far sooner.

  3. THC Hydra (Online cracking)

    THC Hydra (usually just Hydra) is an online cracker from The Hacker’s Choice (THC), a long-running security research group, built for penetration testers but used by threat actors as well. Rather than working on stolen hashes, it fires dictionary or brute-force guesses at live network logins such as SSH, FTP, RDP, SMB, and HTTP forms, in parallel, and reports any that succeed. Because it talks to the real service, every guess shows up as a failed login attempt, which is what makes online attacks noisy and makes lockout policies and rate limiting effective against them.

  4. Large language model (LLM) password crackers

    As if brute force and dictionary attacks weren’t enough to keep up with, AI-assisted password guessing is becoming a thing, too. Most efforts are research prototypes or small custom builds that use a model trained on leaked passwords to generate likelier candidate lists for a conventional cracker. For now, they haven’t beaten well-tuned wordlists and rules, but that could change quickly, so keep an eye on this space.

  5. Credential stuffing

    When attackers breach stored passwords, they often sell the stolen credentials to the highest bidder. Buyers then replay those username and password pairs at scale against other sites and services, looking for anyone who reuses the same password in more than one place. For example, an attacker holding passwords from a LinkedIn data breach might try them against the same victims’ work email accounts to reach more sensitive information.

Why password cracking still works in MFA environments

While multi-factor authentication is absolutely a valuable safeguard against password cracking, it isn’t perfect. There are several ways around it: adversary-in-the-middle phishing pages that relay the victim’s password and MFA code to the real site in real time, social engineering that talks a user or help desk into approving or re-enrolling a factor, and simpler still, stealing a session token or cookie issued after a legitimate MFA login. A valid session token lets an attacker skip authentication entirely, because the service already treats that session as verified.

That’s why every leak has to be taken seriously; you never know if an attacker managed to grab something on their way out that they can use for a later attack. To keep them from breaking through in the first place, or to catch them in the act, sign up for a managed ITDR that can protect against session hijacking and detect credential theft.

What happens after passwords get cracked: The identity abuse kill chain

Attackers start doing damage right away once they crack a password and get in. With real credentials, they enumerate what the account can reach, escalate to higher privileges, move laterally through your environment, gather data, and leave backdoors along the way, such as extra MFA devices or rogue app grants, so they can come back later.

Endpoint safeguards often see nothing wrong, because the login and the behavior after it look valid. You need continuous identity threat detection and response like Huntress Managed ITDR to catch and shut down that abuse, even when attackers are logging in with real credentials.

To further reduce the chances of those attacks landing in the first place, you can pair Managed ITDR with Huntress Managed ISPM to harden Microsoft 365 identity configurations and close off common misconfigurations attackers abuse.

How to protect against password cracking & detect credential abuse

Password cracking tools make it easier for threat actors to execute everything from brute force attacks to credential stuffing. The cybersecurity community stays one step ahead of them, though, and you can too with these strategies:

  • Strong password policies: Enforce policies that prioritize length over complexity. Every extra character multiplies the search space a cracker has to cover, and a long passphrase is easier to remember than a short string of symbols.
  • Password managers: Use a password manager to ensure people aren’t reusing passwords or making only minor changes during regular resets.
  • Phishing-resistant credentials: Implement Fast IDentity Online 2 (FIDO2) authentication with hardware security keys or platform passkeys to eliminate passwords entirely. The authenticator signs a challenge bound to the site’s origin, so there is no secret to phish or crack; a PIN, fingerprint, or face unlock protects the key locally.
  • Database scanning: An estimated 24B credentials get exposed annually, so search known breach databases for any that might have been stolen from your organization, and check new passwords against those lists. If you find a match, you have two problems: a potential attack and a breach that already happened.
  • Secure password hashing: Store passwords with a slow, salted hash built for the purpose (Argon2, scrypt, bcrypt, or PBKDF2 with a high iteration count), not a general-purpose hash like MD5 or SHA-256, and not reversible encryption. A per-user salt defeats precomputed tables and forces attackers to crack each account separately; the work factor caps how many guesses per second they can make.
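The policy, breach-list, and hashing items above, worked through as an added example that is not Huntress’s code or any product’s implementation: a length-first policy check against a constructed stand-in for a breached-password feed, and password storage with scrypt (a salted, memory-hard password hash from the Python standard library) in a self-describing record so the work factor can be raised later and old records rehashed on next login. The minimum length, scrypt parameters, and breached list are assumed values for the example.

```python
"""Password policy and storage (added example, not Huntress code).

Length-first policy check plus a breached-password lookup, and storage with
scrypt so a stolen database cannot be brute-forced at SHA-256 speeds.
"""
import base64
import hashlib
import hmac
import os

MIN_LENGTH = 14  # assumed policy value: length over complexity

# Constructed stand-in for a compromised-credential feed; a real deployment
# queries a breach-monitoring service instead of a hard-coded set.
BREACHED = {"password", "summer2025", "welcome1", "p4ssw0rd!"}

# Current work factors (assumed). Raise them over time; needs_rehash() flags
# records made with older, weaker settings so they can be upgraded on login.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_BYTES = 16
KEY_BYTES = 32


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in a known credential leak")
    return problems


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # Memory use is 128 * r * n bytes (16 MiB at n=2**14, r=8); maxmem caps it.
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          dklen=KEY_BYTES, maxmem=64 * 1024 * 1024)


def hash_for_storage(password: str) -> str:
    """Produce a self-describing record: scrypt$n$r$p$salt$hash (base64 fields)."""
    salt = os.urandom(SALT_BYTES)
    n, r, p = SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"], SCRYPT_PARAMS["p"]
    digest = _scrypt(password, salt, n, r, p)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${n}${r}${p}${enc(salt)}${enc(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    algo, n, r, p, salt_b64, digest_b64 = record.split("$")
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = _scrypt(password, salt, int(n), int(r), int(p))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was made with weaker parameters than current policy."""
    _, n, r, p, _, _ = record.split("$")
    return (int(n) < SCRYPT_PARAMS["n"] or int(r) < SCRYPT_PARAMS["r"]
            or int(p) < SCRYPT_PARAMS["p"])


if __name__ == "__main__":
    candidate = "correct horse battery staple"
    print(check_policy("Summer2025"), check_policy(candidate))
    record = hash_for_storage(candidate)
    print(record, verify_password(candidate, record), needs_rehash(record))
```

Storing the parameters inside the record is what makes the work factor adjustable: when you raise `SCRYPT_PARAMS`, existing users keep logging in, `needs_rehash` fires on their next successful verification, and you replace the record with a fresh one computed at the new cost.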

How Huntress Managed ITDR detects credential abuse after passwords are compromised

Huntress Managed ITDR monitors sign-ins and identity activity across Microsoft 365 and Google Workspace to spot unusual activity that might point to credential abuse. Session hijacking, rogue apps, and shadow workflows are sneaky ways attackers bypass passwords or MFA entirely, and they’re exactly the kinds of identity attacks ITDR is built to uncover and stop.

Huntress scans for suspicious behaviors that other tools miss. Activity like unfamiliar login locations, lateral movement attempts, and MFA bypass techniques all trigger alerts. Our team of 24/7 SOC analysts validates each event, helping IT teams focus on the alerts that matter most. And with our three-minute mean-time-to-respond, breaches won’t be a problem for long.
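To make the detection side concrete, here is an added example of the kind of logic that flags credential abuse in sign-in telemetry. It is not Huntress’s detection code; the log lines are constructed for the example and mimic the fields a Microsoft 365 or Google Workspace sign-in export carries (time, user, source IP, country, result), and the thresholds and per-user country baseline are assumed values. It runs three detections over the sample: a password spray (one IP, many accounts, mostly failures), a brute-force burst that ends in a success on one account, and a successful sign-in from a country never seen for that user.

```python
"""Credential-abuse detections over constructed sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray from 203.0.113.9, a brute-force-then-success on
# bob from 198.51.100.7, and alice signing in from a never-seen country.
LOG = """\
2026-06-09T08:00:01Z alice 203.0.113.9 DE failure
2026-06-09T08:00:02Z bob 203.0.113.9 DE failure
2026-06-09T08:00:03Z carol 203.0.113.9 DE failure
2026-06-09T08:00:04Z dave 203.0.113.9 DE failure
2026-06-09T08:00:05Z erin 203.0.113.9 DE failure
2026-06-09T08:00:06Z frank 203.0.113.9 DE success
2026-06-09T09:10:00Z bob 198.51.100.7 US failure
2026-06-09T09:10:05Z bob 198.51.100.7 US failure
2026-06-09T09:10:09Z bob 198.51.100.7 US failure
2026-06-09T09:10:14Z bob 198.51.100.7 US failure
2026-06-09T09:10:20Z bob 198.51.100.7 US success
2026-06-09T09:30:00Z alice 192.0.2.44 US success
2026-06-09T09:45:00Z alice 192.0.2.44 US success
2026-06-09T10:00:00Z alice 203.0.113.77 NG success
"""

# Assumed baseline of countries each user normally signs in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

SPRAY_MIN_ACCOUNTS = 5          # assumed thresholds; tune to your tenant
SPRAY_WINDOW = timedelta(minutes=10)
BRUTE_MIN_FAILURES = 3
BRUTE_WINDOW = timedelta(minutes=5)


def parse(log: str) -> list:
    """Turn whitespace-separated lines into event dicts sorted by time."""
    events = []
    for line in log.splitlines():
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country,
                       "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events: list) -> list:
    """One source IP touching many distinct accounts inside the window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= SPRAY_WINDOW]
            accounts = {x["user"] for x in window}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                hit = sorted(x["user"] for x in window if x["result"] == "success")
                alerts.append({"type": "password_spray", "ip": ip,
                               "accounts": len(accounts), "succeeded": hit})
                break  # one alert per IP is enough
    return alerts


def detect_brute_then_success(events: list) -> list:
    """Burst of failures on one account followed by a success from the same IP."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["ip"])].append(e)
    alerts = []
    for (user, ip), evs in by_key.items():
        failures = []
        for e in evs:
            if e["result"] == "failure":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= BRUTE_WINDOW]
            if len(recent) >= BRUTE_MIN_FAILURES:
                alerts.append({"type": "brute_force_success", "user": user,
                               "ip": ip, "failures": len(recent)})
            failures = []
    return alerts


def detect_new_country(events: list, baseline=BASELINE) -> list:
    """Successful sign-in from a country never seen for a baselined user."""
    seen = {u: set(c) for u, c in baseline.items()}
    alerts = []
    for e in events:
        if e["result"] != "success" or e["user"] not in seen:
            continue
        if e["country"] not in seen[e["user"]]:
            alerts.append({"type": "new_country", "user": e["user"],
                           "country": e["country"], "ip": e["ip"]})
            seen[e["user"]].add(e["country"])
    return alerts


def run(log: str = LOG) -> list:
    events = parse(log)
    return (detect_spray(events) + detect_brute_then_success(events)
            + detect_new_country(events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Note what each detection keys on: the spray is visible only when you group by source IP across accounts, the brute-force success only when you keep per-account failure history, and the new-country hit only when the successful login is compared against a baseline. A single “failed login” rule catches none of them, which is why a service like this has to correlate across the whole tenant rather than alert on one event.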

Detect, resolve, and remediate password cracking with Huntress

Password cracking lets attackers break in with legitimate credentials, and they can deal a lot of damage when they get in. Tools like John the Ripper and Hashcat only make this worse by allowing attackers to automate the process.

Although there are many ways to safeguard passwords, managed protection is one of the best options. Huntress Managed ITDR monitors for several suspicious activities to detect, validate, and address compromised passwords. Start a free trial to see for yourself how Huntress provides peace of mind at an affordable price.

FAQs

AI password crackers use models trained on leaked passwords to spot the patterns people follow when choosing them, then generate candidate guesses that a conventional cracker tests against the stolen hashes. They can’t reverse a hash any more than any other tool can; they only make the guess list smarter, and few of the current efforts work consistently. So far, AI-enhanced password guessing hasn’t surpassed established tools like THC Hydra, Hashcat, or John the Ripper (yet).

There are several steps you can take to slow down password cracking techniques or stop them in their tracks:

  • Strong passwords: Every extra character multiplies the number of guesses a cracker has to make, so length matters most. Pair a long passphrase with a mix of symbols, numbers, and capital letters, and you have a solid first line of defense against password crackers.
  • MFA: Require MFA so every user has to verify their login with a second factor on a separately secured device.
  • Physical keys: A FIDO2 hardware security key handles logins without passwords, signing a challenge tied to the real site; a PIN, touch, fingerprint, or face unlock protects the key itself.
  • ITDR and ISPM: A managed ITDR service monitors sign-ins and user behavior to spot credential abuse and shut it down before the attacker can move through your environment or open backdoors, while ISPM hardens identity configurations so fewer of those attacks land in the first place.
