Passcrack: cracking, hashing, and strength testing for a secure digital future
Jun 10, 2025
About this article
Published Online: Jun 10, 2025
Received: Jan 09, 2025
DOI: https://doi.org/10.2478/ijssis-2025-0024
© 2025 Pooja Bagane et al., published by Sciendo
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Figure 3: Hash Finder. Example of SHA256 hash generation for the word “/)]N;PGFy!23.”
Figure 8: Cracking hash of a strong password like “/)]N;PGFy!23”.
Scoring rubric for password strength
Length | <8 characters | 8–12 characters | >12 characters |
Character variety | Only letters or numbers | Mix of letters and numbers | Uppercase and lowercase letters, numbers, and symbols |
Pattern complexity | Common words, predictable | Partial randomness, slight patterns | No patterns, highly randomized |
Entropy score | Low (<40 bits) | Medium (40–70 bits) | High (>70 bits) |
Resistance to attacks | Vulnerable to brute-force, dictionary attacks | Moderate resistance | Highly resistant to attacks |
Comparison of attack success rates based on password strength
Weak (common words, <8 characters) | password123 | Easily cracked | Very fast | Likely pre-computed | Seconds to minutes |
Moderate (8–12 characters, mix of letters and numbers) | Pass1234 | May not be on the list | Feasible | Slower due to partial unpredictability | Minutes to hours |
Strong (>12 characters, mix of letters, numbers, and symbols) | G@7$#m!Xz29 | Highly unlikely | Requires extensive computation | Not found in pre-computed tables | Years to centuries |
Very strong (>16 characters, randomly generated) | B^&hZ0sTq1*!93 | Not in dictionaries | Practically infeasible | Hash cannot be reversed easily | Centuries or more |
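The following added example (not code from the article or the PassCrack tool) applies the length, character-variety and entropy rows of the scoring rubric to the example passwords in the comparison table. The entropy formula (length × log2 of the character-pool size), the four-word common-word list and taking the weakest criterion as the overall rating are assumptions, since the page does not define them.

```python
import math
import string

LEVELS = ["weak", "moderate", "strong"]
# Constructed sample list; a real checker would load a large breached-password wordlist.
COMMON_WORDS = {"password", "qwerty", "letmein", "admin"}

def entropy_bits(pw):
    """Assumed estimate: length * log2(size of the character pools in use).
    It is an upper bound that only holds for randomly generated passwords."""
    pool = 0
    pool += 26 if any(c in string.ascii_lowercase for c in pw) else 0
    pool += 26 if any(c in string.ascii_uppercase for c in pw) else 0
    pool += 10 if any(c in string.digits for c in pw) else 0
    pool += 32 if any(c in string.punctuation for c in pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0

def band(value, low, high):
    """Map a number onto the rubric's three columns: <low, low..high, >high."""
    return "weak" if value < low else "moderate" if value <= high else "strong"

def rate(pw):
    classes = [any(c in pool for c in pw) for pool in
               (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)]
    if all(classes):
        variety = "strong"       # upper, lower, numbers and symbols
    elif not pw or pw.isalpha() or pw.isdigit():
        variety = "weak"         # only letters or only numbers
    else:
        variety = "moderate"     # any other mix (assumption for unlisted cases)
    bits = entropy_bits(pw)
    ratings = {"length": band(len(pw), 8, 12),
               "variety": variety,
               "entropy": band(bits, 40, 70)}
    # Pattern row: only the "common words" case is detected here.
    if any(word in pw.lower() for word in COMMON_WORDS):
        ratings["pattern"] = "weak"
    overall = min(ratings.values(), key=LEVELS.index)   # weakest criterion (assumption)
    return {**ratings, "bits": round(bits, 1), "overall": overall}

if __name__ == "__main__":
    # Example passwords taken from the comparison table above.
    for pw in ["password123", "Pass1234", "G@7$#m!Xz29", "B^&hZ0sTq1*!93"]:
        print(f"{pw!r:20} {rate(pw)}")
```

The pool-size estimate puts password123 in the medium entropy band; only the common-word check rates it weak. G@7$#m!Xz29 is 11 characters long, so it falls in the rubric's 8–12 length band.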
Summary of key findings and research gaps in prior studies
Kwon et al. [ | Classified password-cracking methods into dictionary attacks, brute-force attacks, and hybrid approaches. Highlighted the effectiveness of optimized dictionaries. | Did not explore countermeasures in-depth or propose improved password security strategies. |
Florêncio and Herley [ | Found that complexity requirements in password policies often lead to predictable patterns. | Lacked experimental validation of alternative password creation strategies. |
Toubiana et al. [ | Demonstrated that user psychology plays a crucial role in password security and retention. | Did not propose concrete solutions to balance usability and security. |
Bonneau et al. [ | Reviewed alternative authentication methods like biometrics and hardware tokens. Found limitations in spoofability and hardware failure risks. | Did not address how these alternatives compare in real-world adoption. |
Wang and Zhang [ | Found that password managers improve security but also pose risks if compromised. | Did not analyze specific attack vectors against password managers. |
Liu et al. [ | Developed a machine learning model for predicting password strength, improving accuracy over traditional heuristics. | Did not implement real-world usability testing for their model. |
Wu et al. [ | Showed that cybersecurity training improves password security awareness and user behavior. | Did not measure long-term retention of learned security habits. |
Hadnagy [ | Analyzed social engineering attacks and their role in password security breaches. | Did not propose effective large-scale mitigation techniques. |
Miller et al. [ | Compared efficiency of password-cracking tools (e.g., Hashcat and John the Ripper). | Lacked evaluation of emerging AI-powered password-cracking methods. |
Das et al. [ | Investigated rainbow table attacks and emphasized salting as an effective countermeasure. | Did not explore advanced alternatives such as memory-hard hashing functions. |
McCarty and Leach [ | Explored MFA as a supplement to passwords. Found usability challenges limiting adoption. | Did not propose strategies for improving MFA usability. |
Zhang et al. [ | Developed a deep learning model to predict weak passwords with high accuracy. | Lacked analysis on defenses against AI-driven password attacks. |
Wu et al. [ | Demonstrated that longer passwords significantly reduce cracking success rates. | Did not evaluate the usability trade-offs of very long passphrases. |
Ruoti and Muir [ | Studied password reuse across multiple sites and found that reuse increases vulnerability. | Did not propose large-scale mitigation strategies for password reuse. |
User engagement and password security insights
Total users engaged | >500 | Indicates strong interest in password security. |
Average password length | 9.2 characters | Suggests most users create moderately strong passwords. |
Weak passwords detected | 42% | A significant portion of users still use insecure passwords. |
Moderate passwords detected | 35% | Users have some security awareness but room for improvement. |
Strong passwords detected | 23% | Only a minority of users follow best practices for password security. |
Most common attack success rate | 60% (dictionary attacks) | Highlights the widespread use of common or predictable passwords. |
Average time to crack weak passwords | <1 min | Demonstrates how easily weak passwords can be exploited. |
Average time to crack strong passwords | >10 years | Strong passwords remain highly resistant to attacks. |
Most common hashing algorithm used | SHA-256 | Indicates the preferred standard among users. |
User improvement after feedback | 30% improved passwords | Shows the educational impact of PassCrack recommendations. |