Cracking passwords is officially a “script kiddie” activity now.
Password cracking isn’t done by trying to log in to, say, a bank’s website millions of times; websites generally don’t allow many wrong guesses, and the process would be unbearably slow even if it were possible. The cracks always take place offline after people obtain long lists of “hashed” passwords, often through hacking (but sometimes through legal means such as a security audit or when a business user forgets the password he used to encrypt an important document).
Hashing involves taking each user’s password and running it through a one-way mathematical function, which generates a fixed-length string of numbers and letters called the hash. Hashing makes it difficult for an attacker to move from hash back to password, and it therefore allows websites to safely (or “safely,” in many cases) store passwords without simply keeping a plain list of them. When a user enters a password online in an attempt to log in to some service, the system hashes the password and compares the result to the hash stored for that user; if the two are an exact match, the user has entered the correct password.
For instance, hashing the password “arstechnica” with the MD5 algorithm produces the hash c915e95033e8c69ada58eb784a98b2ed. Even minor changes to the initial password produce completely different results; “ArsTechnica” (with two uppercase letters) becomes 1d9a3f8172b01328de5acba20563408e after hashing. Nothing about that second hash suggests that I am “close” to finding the right answer; password guesses are either exactly right or fail completely.
Prominent password crackers with names like John the Ripper and Hashcat work on the same principle, but they automate the process of generating attempted passwords and can hash billions of guesses a minute. General-purpose hashes such as MD5 were designed to be fast, which is exactly what an offline cracker wants: every guess is hashed once and compared against the entire list of stolen hashes at the same time.
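The whole story above in runnable form, as an added example (this is not code from the article, nor from John the Ripper or Hashcat): a site stores and checks bare MD5 hashes, the avalanche effect is measured between the two hashes quoted above, and a small offline cracker recovers passwords from a leaked hash list by combining wordlist entries with case and suffix rules. The wordlist, the rules and the "leaked" hashes are all constructed for the demo.

```python
"""Added example, not from the Ars article: MD5 password storage, the login
check, and an offline dictionary/rule attack against a leaked hash list."""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List, Set


def md5_hex(password: str) -> str:
    """Hash a password the way a site using bare, unsalted MD5 would."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """What the site writes to its user table: only the hash, never the password."""
    return md5_hex(password)


def verify_login(attempt: str, stored_hash: str) -> bool:
    """Login check: hash the attempt and compare with the stored hash.
    There is no notion of 'close': the two hex strings are equal or they are not."""
    return md5_hex(attempt) == stored_hash


def differing_hex_digits(hash_a: str, hash_b: str) -> int:
    """Count positions where two hex digests differ (avalanche effect).
    Two unrelated MD5 digests differ in roughly 30 of their 32 hex digits."""
    return sum(a != b for a, b in zip(hash_a, hash_b))


# Constructed wordlist and rules, standing in for a real cracker's dictionary
# and rule engine. Real wordlists hold millions of entries and many more rules.
WORDLIST: List[str] = ["ars", "technica", "password", "letmein", "dragon"]
SUFFIXES: List[str] = [""] + [str(n) for n in range(100)] + ["!", "123"]


def case_variants(word: str) -> List[str]:
    """Case rules: lowercase, Capitalized, UPPERCASE."""
    return [word.lower(), word.capitalize(), word.upper()]


def candidates(wordlist: Iterable[str] = WORDLIST) -> Iterator[str]:
    """Generate guesses: single words and ordered two-word combinations,
    each part under the case rules, each result with every suffix.
    This is how 'arstechnica' and 'ArsTechnica' are both reached from the
    dictionary entries 'ars' and 'technica'."""
    words = list(wordlist)
    variants = [case_variants(w) for w in words]
    for n_parts in (1, 2):
        for combo in itertools.permutations(range(len(words)), n_parts):
            for cased in itertools.product(*(variants[i] for i in combo)):
                base = "".join(cased)
                for suffix in SUFFIXES:
                    yield base + suffix


def crack_offline(leaked_hashes: Set[str]) -> Dict[str, str]:
    """Offline attack: hash every candidate once and check it against the
    whole leaked list at the same time. Nothing here touches a login form,
    so there is no rate limit or lockout to slow the attacker down.
    Returns {hash: recovered_password} for every hash that was cracked."""
    remaining = set(leaked_hashes)
    cracked: Dict[str, str] = {}
    for guess in candidates():
        if not remaining:
            break
        h = md5_hex(guess)
        if h in remaining:
            cracked[h] = guess
            remaining.discard(h)
    return cracked


if __name__ == "__main__":
    a, b = md5_hex("arstechnica"), md5_hex("ArsTechnica")
    print("md5('arstechnica') =", a)
    print("md5('ArsTechnica') =", b)
    print("hex digits that differ:", differing_hex_digits(a, b), "of 32")

    # Constructed 'leaked' user table; the last entry is a long passphrase
    # that this small wordlist cannot reach.
    leaked = {store_password(p) for p in
              ("arstechnica", "ArsTechnica", "letmein42", "correct horse battery staple")}
    for h, pw in crack_offline(leaked).items():
        print(f"cracked {h} -> {pw!r}")
```

Run it as a script to see the two hashes from the article computed directly, the number of hex digits in which they differ, and three of the four constructed hashes falling to the dictionary-plus-rules attack while the passphrase survives. The same structure, with far larger wordlists, many more rules and GPU hashing, is what John the Ripper and Hashcat automate.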