How Attackers Actually Crack Passwords
Most people imagine a hacker sitting at a keyboard, typing guesses one by one. The reality is very different. When a database is breached, attackers get a dump of hashed passwords: a one-way fingerprint of your password that the server stores instead of the real thing. Their job is then to reverse-engineer those fingerprints at scale, using automated tools running on powerful hardware.
They don't start by guessing randomly. They start with a dictionary attack: running through millions of known passwords, common words, and phrases from previous breaches. If your password is anything resembling a real word or a known pattern, it gets caught here first.
Next come rule-based mutations. Attackers know that when people are told to "make it complex," they do predictable things: capitalize the first letter, substitute o for 0, add a ! at the end. Tools like Hashcat have these rules built in. So password automatically becomes P@ssw0rd, Password1, p4ssword!, and thousands of variants, all tested in seconds.
Finally, for short passwords that survive the above, there's brute force: trying every possible combination of characters systematically. On modern consumer hardware, this can run at billions of guesses per second for common hashing algorithms. Short passwords, no matter how "complex" they look, simply don't have enough combinations to survive this.
Why Length Matters More Than Complexity
Every character you add to a password doesn't just add one more possibility; it multiplies the total number of combinations. This is what's called entropy: a measure of how unpredictable and hard to guess a password is. A short password with symbols has far less entropy than a long password with only lowercase letters.
To make this concrete, here are rough crack time estimates for a standard hashing algorithm under a determined attacker with capable hardware:
| Password | Length | Looks Strong? | Estimated Crack Time |
|---|---|---|---|
dog |
3 | No | Instantly |
Summer2026! |
11 | Yes | Hours to days |
P@ssw0rd1! |
10 | Yes | Minutes (it's in every attack list) |
correct-horse-battery-staple |
28 | No | Centuries |
xK9!mPqL2#nRvT |
14 | Yes | Millions of years |
The four random lowercase words beat the "complex" short passwords by an enormous margin, not because they follow the rules, but because they're long and unpredictable. This idea was popularized by the XKCD comic #936, and it holds up under real cryptographic analysis.
Passwords That Look Strong But Aren't
This is the most important section to internalize. The following types of passwords feel secure but are among the first things an attacker's tools will try:
- Leetspeak substitutions:
P@ssw0rd,S3cur1ty!: these substitutions are fully baked into every modern attack tool. They add almost nothing. - Predictable patterns:
Password1!,Qwerty@123,Welcome2026!: these technically pass complexity rules and are also on every attacker's list. - Personal information: Your name, birthday, pet's name, or city, even combined with numbers, are guessable through targeted attacks and social engineering.
- Symbol tacked on the end:
Dragon$,Football7!: adding a symbol to a dictionary word at the end is one of the most common patterns attackers exploit. - Reused passwords: Even a strong password becomes dangerous the moment you use it on more than one site. When one site is breached, attackers immediately try those credentials everywhere else. This is called a credential stuffing attack.
What a Good Password Actually Looks Like
There are two reliable approaches:
- A random passphrase: Four or more unrelated words strung together, ideally with a separator. Something like
marble-frog-ceiling-lamp. Long, memorable, and extremely high entropy. Add a number or symbol if a site requires it, but the length is already doing the heavy lifting. - A random string from a password manager: Something like
xK9!mPqL2#nRvT. You don't need to remember it; your password manager does. This is the gold standard for individual account security.
The common thread: randomness and length, not the appearance of complexity.
Obviously Bad Passwords (for reference)
These are the most commonly used passwords in the world, and the first ones any attacker tries. If yours resembles any of these, change it today:
123456passwordiloveyouadminletmeinqwerty
Why HexaVault Has Password Rules, and Why They're Not Enough on Their Own
HexaVault requires a minimum of 10 characters with at least one uppercase letter, one lowercase letter, one number, and one special character. These rules exist to eliminate the very worst passwords, the ones that would fall in seconds. They set a floor, not a ceiling.
The honest truth is that Password1! passes our rules. It checks every box. And it would still be cracked quickly in a breach scenario, because it matches patterns that attackers have already mapped. The rules are a safety net, not a substitute for a genuinely strong password. We enforce them because they meaningfully reduce the population of extremely weak passwords, but we want you to go further.
How HexaVault Protects You at the Infrastructure Level
Even with a weak password, HexaVault's architecture makes an attacker's job significantly harder. Here's how.
We never store your password. We store a hash - a one-way fingerprint computed from your password. What makes HexaVault's approach stronger than many systems is the combination of two things:
- Per-user salt: Before hashing, we add a unique random value - a salt - to each user's password. This means even if two users have the exact same password, their stored hashes look completely different. It also makes precomputed rainbow table attacks useless, because the attacker can't reuse any precomputed work across accounts.
- Argon2id hashing: We use Argon2id, the winner of the Password Hashing Competition and the current best-practice standard. Unlike fast hashing algorithms (which can be run at billions of guesses per second), Argon2id is deliberately slow and memory-intensive by design. This limits an attacker to a handful of guesses per second even on powerful hardware. We cover this in more depth in our Security Architecture article.
To put this in perspective: if an attacker somehow obtained both your salt and your Argon2id hash, cracking a strong password like a 4-word passphrase would take longer than the age of the universe on realistic hardware. But a weak password like Summer2026! could still fall within hours, even through Argon2id. Our defenses are strongest when paired with a strong password. Security here is a collaboration between the platform and you.
What You Should Do
- Use a password manager. Tools like HexaVault, Bitwarden, 1Password, or similar let you generate and store long, truly random passwords for every site without memorizing them.
You can use our password generator to create a strong password. It runs entirely in your browser, nothing is sent to our servers.
- Use a unique password for every account. Reuse is the single biggest real-world risk. One breach anywhere becomes a breach everywhere if you reuse passwords.
- Prefer length and randomness over complexity tricks. A 20-character random string or a 5-word passphrase beats
P@ssw0rd1!every time. - Enable two-factor authentication. Even a compromised password can't get an attacker in if 2FA is active.
- Check if your email has appeared in known breaches at HaveIBeenPwned.com. If it has, change the affected passwords immediately.
The Bottom Line
A password that looks strong and a password that is strong are often very different things. Attackers are sophisticated, automated, and fast - and they've seen every trick in the book. Length, randomness, and uniqueness are what actually matter.
HexaVault's infrastructure adds meaningful layers of protection on top of whatever password you choose. But those layers work best when your password is genuinely hard to guess in the first place. Choose well, use a password manager, and let us handle the rest.
