How to crack a password

Expert Brien Posey describes some techniques used to crack Windows passwords and offers several defenses against attack.

Since security and compliance are high priorities for most organizations, it may seem irresponsible for me to write about the finer points of password cracking. However, there are circumstances in which password cracking serves a legitimate business need.

For example, someone once called me because a disgruntled administrator changed all of the passwords before quitting. In another situation, I received a CD with a product that I was reviewing but the sender forgot to give me the password to the .zip archive. These are just two of several instances that have required me to delve into the black art of password cracking.

Password cracking techniques

There is no standard formula for cracking a password: There are different methods depending on the types of passwords you want to crack. Regardless, all password cracks (at least all of the ones that I have used) fall into four categories:

  1. Brute force
  2. Dictionary
  3. Decryption
  4. Circumvention

Brute-force cracks

A brute-force password crack involves trying every possible password combination until you find the one that works. Although this concept seems simple enough, it can be quite difficult. You can't just start entering password combinations at the Windows sign-in screen, for example. Doing so will take a long time, and you will likely lock out the account after a few attempts.

Brute-force cracks are better suited to data files that contain embedded passwords: You might use a brute-force crack against a password-protected Microsoft Word document or a .zip file. The trick is to find a utility that is designed to crack the specific type of file you are working with (the Internet is full of them).

When performing a brute-force crack, the length of the password makes a difference in the time spent cracking. Since long passwords are the norm today, try to find a multi-threaded password-cracking utility that can attempt several password combinations at the same time.

Years ago, if I had to perform a brute-force crack, I would copy the file to several PCs and have each one work on the crack. For example, I would configure one PC to try password combinations that were five characters or less. Another PC might try six- and seven-character passwords, while another might try eight-character passwords.

More information on passwords:

How to crack passwords in Windows 7

Harden passwords with this checklist

Secure your systems with proper password practices

Get your network hacked in 10 easy steps

This technique always worked pretty well except for one occasion in which someone threw me a curveball by using a one-character password. My software cracked the password, but I assumed that the password could not possibly be one character long, so I kept trying.

Defenses against brute-force cracks include locking out users after a few invalid login attempts and requiring users to change passwords frequently. The primary way to prevent an attacker from getting a hash out of the Windows registry or Active Directory is to deny physical access to the server.

Dictionary cracks

Dictionary cracks are similar to brute-force cracks except that the cracking utility uses words out of a dictionary rather than trying every possible password combination. Dictionary cracks used to be the go, however, password complexity requirements have rendered dictionary cracks all but obsolete.


Some older applications still in use today rely on static encryption algorithms. When it comes to cracking a password for such an app, it is easier to decrypt the password than it is to use a brute-force attack (there are utilities that automate the process). Of course, even if you use a utility to perform a brute-force crack against a modern application, that utility is performing decryption behind the scenes by attempting to use each possible password as an encryption key.


Circumvention is usually the most difficult method for cracking a password. The basic idea is to bypass the mechanism that checks for the password. Circumvention can be used for many purposes. For example, some software piracy websites contain homemade patches that circumvent copy protection or license-enforcement mechanisms for various applications.

I have used circumvention to crack a password only once. A client had reset the administrator password for Windows and accidentally entered the new password incorrectly. As a result, the client had no way of logging into the system as an admin.

While I don't want to reveal exactly how I broke in, I will tell you that the process involved removing the server's hard drive and connecting it to another machine. That way, I was free to browse and edit the drive's contents without Windows' security features getting in my way -- I circumvented the Windows security features. I can also tell you that I didn't crack the password, but rather reset it.

The easiest way to crack a password is to find a utility that is specifically designed to crack passwords for the operating system or application you are having trouble with. However, be careful. There are many free password-cracking utilities on hacker sites, but these utilities often include malicious payloads. In my opinion, it is better to procure password-cracking utilities from commercial software vendors. A reputable vendor will typically provide a trial version of its wares that will be able to crack extremely short passwords. You can protect a file with a short password and try to crack your test file. This allows you to confirm that the utility works before you spend any money on it.

Brien Posey
is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator at some of the nation's largest insurance companies and for the U.S. Department of Defense at Fort Knox.

Dig Deeper on Windows OS and management

Virtual Desktop