Every service you sign up for promises they take your security seriously. They say your password is “encrypted.” What they usually mean is it’s hashed — a one-way mathematical transformation that turns your password into a string of characters that can’t be reversed back to the original. That’s the theory. In practice, attackers don’t need to reverse the hash. They just need to guess fast enough. And with modern GPUs, “fast enough” means billions of guesses per second.

Here’s the chain: a database gets breached, password hashes get dumped, attackers run those hashes through cracking rigs, and within hours to days, a meaningful percentage of those passwords are recovered in plaintext. Then those plaintext credentials get fed into automated tools that try them against every other service you’ve ever used. This is the breach-to-compromise pipeline, and it works because folks reuse passwords.

The TLDR

Your password isn’t stored as text — it’s stored as a hash, a one-way mathematical fingerprint. But not all hashing algorithms are equal. MD5 and SHA-1 can be cracked at rates of billions per second on consumer GPUs. bcrypt and Argon2 are deliberately slow, making brute force impractical. The real danger isn’t someone cracking your specific password — it’s credential stuffing, where passwords cracked from one breach get automatically tried against thousands of other services. Password reuse is the multiplier that turns a single breach into a cascade of compromised accounts. A password manager generating unique, random, 20+ character passwords for every account is the only practical defense. Length beats complexity. Uniqueness beats everything.

The Reality

The LinkedIn Post-Mortem

In 2012, LinkedIn was breached. Initially, 6.5 million password hashes were posted online. The full scope wasn’t revealed until 2016 — it was actually 117 million accounts. The passwords were hashed with unsalted SHA-1, which in 2012 was already considered negligent by anyone paying attention.

Security researchers cracked a significant portion of those hashes within days. The damage didn’t stop at LinkedIn. Those cracked plaintext passwords got fed into credential stuffing tools and tested against Gmail, Facebook, banking sites, and everything else. People who reused their LinkedIn password — and most did — found their other accounts compromised weeks, months, and years later.

The lesson wasn’t “LinkedIn got hacked.” It was that a single breach, combined with password reuse, creates a years-long chain of downstream compromise. Have I Been Pwned now tracks over 14 billion compromised accounts across 800+ breaches. Your credentials are almost certainly in there somewhere.

The RockYou Breach

RockYou in 2009 was the breach that built the dictionary. The company stored 32 million passwords in plaintext — not hashed, not encrypted, just plaintext. When the database was stolen, it became the foundation for password cracking dictionaries that are still in use today. The RockYou wordlist ships with Kali Linux. Every password cracking tool uses it as a starting point. The top passwords: 123456, 12345, 123456789, password, iloveyou. Fifteen years later, these still appear in breach data with depressing regularity.

How It Works

Hashing — The Theory

A cryptographic hash function takes an input of any length and produces a fixed-length output. The output is deterministic (same input always produces the same hash), one-way (you can’t derive the input from the output), and collision-resistant (it’s extremely hard to find two different inputs that produce the same hash).

When you create an account and set a password, the server hashes your password and stores the hash. When you log in, the server hashes what you typed and compares it to the stored hash. If they match, you’re in. The server never needs to store or know your actual password.

That’s the theory. Here’s where it breaks down.

MD5 and SHA-1 — Fast Hashes for Passwords Are a Disaster

MD5 and SHA-1 were designed to be fast. They’re checksums — meant for verifying file integrity, not protecting passwords. Speed is a feature for checksums and a catastrophic flaw for password storage.

Modern GPU benchmarks using Hashcat tell the story:

At 150 billion guesses per second, an 8-character password using uppercase, lowercase, numbers, and symbols (95 possible characters, ~6.6 quadrillion combinations) falls in under 12 hours. That’s one GPU. Cracking rigs with multiple GPUs multiply this linearly.

Salting — Necessary but Not Sufficient

A salt is a random value (typically 16-32 bytes) generated uniquely per password and prepended or appended to the password before hashing. The salt is stored alongside the hash in the database.

Without salting, every account with the password password123 produces the same hash. An attacker can precompute hashes for millions of common passwords — called a rainbow table — and simply look up hashes in the table. With salting, each account has a unique salt, so even identical passwords produce different hashes. Rainbow tables become useless because you’d need a separate table for every possible salt value.

Salting defeats precomputation attacks. It does not slow down targeted cracking of individual hashes. If an attacker wants to crack your specific hash, they still just try guesses with your salt applied. The salt is stored right next to the hash in the database — it’s not secret. It just prevents mass precomputation.

bcrypt, scrypt, and Argon2 — Password-Specific Hashing

Password hashing algorithms are deliberately slow. This is the key insight: you want login to take a fraction of a second (imperceptible to you), but you want each attacker guess to take that same fraction of a second (devastating at scale).

bcrypt (1999) introduced a configurable work factor — a parameter that controls how many iterations of the hash function are performed. Each increment of the work factor doubles the computation time. At a work factor of 12 (a common default), bcrypt computes around 3,000-5,000 hashes per second on a GPU. Compare that to 150 billion for MD5. The attacker’s cracking speed drops by a factor of roughly 30 million.

scrypt (2009) added memory-hardness. GPUs have massive parallelism but limited memory per core. By requiring large amounts of RAM for each hash computation, scrypt makes GPU and ASIC attacks disproportionately expensive because the attacker needs to buy memory, not just compute cores.

Argon2id (2015) won the Password Hashing Competition and is the current recommendation from OWASP. It’s configurable for time cost (iterations), memory cost (RAM required), and parallelism. It resists GPU attacks, ASIC attacks, and side-channel attacks. If a service is doing password storage right in 2026, they’re using Argon2id.

Rainbow Tables and Lookup Attacks

Before salting became standard, rainbow tables were devastating. A rainbow table is a precomputed mapping of plaintext passwords to their hash values. Instead of cracking each hash individually, you just look it up in the table. Philippe Oechslin’s original rainbow table paper showed that time-memory tradeoffs could reduce cracking time from centuries to seconds.

Today, rainbow tables are largely irrelevant against properly salted hashes, but they remain effective against unsalted MD5 and SHA-1 — which, depressingly, still appear in breach data from legacy systems.

Credential Stuffing vs. Password Cracking

These are different attacks that feed into each other.

Password cracking is the process of recovering plaintext passwords from hashes. It requires a stolen database of hashed passwords. The attacker runs Hashcat or John the Ripper against the hashes, using dictionaries, rules, and brute force. The output is plaintext username-password pairs.

Credential stuffing is the process of taking known username-password pairs (from cracking or plaintext breaches) and automatically trying them against other services. Tools like OpenBullet, SentryMBA, and custom scripts test millions of credential pairs against login endpoints. MITRE ATT&CK T1110.004 documents credential stuffing as one of the most common initial access techniques.

The pipeline: breach happens, hashes get cracked, cracked credentials get added to “combo lists,” combo lists get sold on dark web forums, buyers feed combo lists into credential stuffing tools, accounts where the password was reused get compromised.

Akamai has reported billions of credential stuffing attempts per year across their network. The success rate is low — typically 0.1% to 2% — but at billions of attempts, even 0.1% yields millions of compromised accounts.

Dictionary Attacks — How Dictionaries Get Built

Password cracking dictionaries aren’t just word lists from a dictionary. They’re built from previous breaches. The RockYou list was the seed, but every subsequent breach adds to the corpus. When attackers crack hashes from a new breach, the recovered passwords get added to the master dictionary.

Modern dictionaries include:

Cracking tools apply rules to dictionary words — appending numbers, capitalizing, substituting characters, reversing, combining words. A dictionary of 10 million base words with 100 rules produces a billion candidates. This is why P@ssw0rd! is weak — it’s just password with predictable substitutions that every rule set covers in the first pass.

The Entropy Math

Password strength is measured in bits of entropy — the number of binary decisions needed to guess it. More entropy = harder to crack.

A truly random 8-character password from 95 printable ASCII characters has about 52.5 bits of entropy (log2(95^8)). Sounds decent. But at 5,000 bcrypt hashes/second (a single GPU), that’s about 28 years. At scale (a cracking rig with 8 GPUs), it’s under 4 years. And against MD5? Under a second.

A random 16-character password from the same character set has 105 bits of entropy. At any cracking speed currently achievable, that’s functionally infinite.

But here’s the real insight from NIST SP 800-63B: length matters more than complexity. NIST explicitly recommends against complexity requirements (uppercase, lowercase, number, symbol) because they lead to predictable patterns (Winter2026!). Instead, NIST recommends a minimum of 8 characters (with no maximum — let people use passphrases), checking against known breached passwords, and no forced rotation.

Passphrases — multiple random words strung together — offer high entropy with memorability. correct horse battery staple (the famous XKCD example) has roughly 44 bits of entropy if the words are chosen from a list of 2,048 common words. Five words from a 7,776-word Diceware list gives about 64 bits. Six words gives 77 bits. And you can actually remember them.

Zero-Knowledge Vault Architecture

Password managers like 1Password, Bitwarden, and KeePass use a zero-knowledge architecture — the service provider cannot read your vault because it’s encrypted with a key derived from your master password, which never leaves your device.

The flow:

  1. You set a master password.
  2. The client derives an encryption key from your master password using a KDF (key derivation function) like PBKDF2, scrypt, or Argon2.
  3. Your vault (containing all your stored passwords) is encrypted with this key.
  4. The encrypted vault is stored on the provider’s servers.
  5. When you unlock, the client derives the key locally, decrypts the vault locally, and you see your passwords.

The provider stores your encrypted vault but never has the decryption key. If their servers get breached, the attacker gets encrypted blobs. Without your master password, those blobs are effectively random data — if the encryption is implemented correctly.

This is exactly what happened in the LastPass breach of 2022. Attackers stole encrypted vault data. The vaults encrypted with strong master passwords remain secure. The vaults encrypted with weak or reused master passwords? Those are being cracked. The zero-knowledge model protected the diligent and punished the careless — which is about the best you can hope for in security.

How It Gets Exploited

The LinkedIn Chain

Here’s the full chain, from breach to consequence:

  1. 2012: LinkedIn’s database is exfiltrated. 117 million accounts with unsalted SHA-1 hashes.
  2. 2012-2016: The breach data circulates in private criminal forums. Hashes are cracked progressively — easy passwords first, then rule-based attacks, then brute force.
  3. 2016: The full dataset appears publicly. A significant portion of passwords are now plaintext.
  4. 2016-onward: Credential stuffing tools feed LinkedIn email/password pairs against Gmail, Facebook, banking sites, corporate VPNs, and hundreds of other services.
  5. Years later: People who reused their LinkedIn password lose access to other accounts. Financial fraud, identity theft, and corporate breaches follow.

The LinkedIn breach is still being exploited today. The cracked passwords live in every major dictionary. If your 2012 LinkedIn password was Summer2012! and you used variations of it elsewhere, you’re still at risk.

The Equifax Aftermath

The 2017 Equifax breach exposed personal data (SSNs, birth dates, addresses) for 147 million Americans. While Equifax didn’t lose password hashes in the traditional sense, the exposed personal data supercharged credential stuffing and social engineering attacks. Attackers could now answer security questions, pass identity verification, and reset passwords using real personal information. The FTC settlement reached $700 million, but the downstream fraud continues years later.

GPU Cracking Economics

The economics of password cracking have shifted dramatically. Cloud GPU instances on AWS, Google Cloud, or specialized providers let attackers rent massive cracking power without owning hardware. A rig of 8x RTX 4090s can be rented for a few hundred dollars per day. Against MD5 hashes, this rig can exhaust the entire keyspace of 8-character passwords in hours.

This is why the hashing algorithm matters so much. Against Argon2id with proper parameters, that same rig might crack a few thousand passwords per second. The economics flip — it’s no longer cost-effective to brute-force properly hashed passwords. Attackers shift to dictionary and rule-based attacks, which only work against weak passwords.

What You Can Do

Use a password manager. Full stop. Every password should be unique, randomly generated, and at least 20 characters long. You are not meant to remember these. NIST SP 800-63B explicitly endorses password managers.

Make your master password a strong passphrase. Five or six random Diceware words. Something like pelican drumstick orbital flannel magnet. High entropy, memorizable, not based on personal information.

Check Have I Been Pwned. Enter your email addresses. See which breaches you’re in. Change every password that was exposed — and every password that was the same as the exposed one.

Enable 2FA everywhere. A password manager + 2FA on every account makes credential stuffing useless even if your password hash gets cracked. The cracked password alone isn’t enough.

Never reuse passwords. This is the single highest-impact action. A unique password per account means a breach of one service cannot cascade to others. The password manager handles this for you.

Assume breach. Your credentials have been compromised somewhere. Act accordingly — unique passwords, 2FA, breach monitoring, and credit freezes if personal data was exposed.

Sources & Further Reading