Understanding Password Cracking with Python

In this blog, I will explain how passwords are stored, cracked, and how Python can be used to test password security.

What is a Password?

A password is a string of characters used for authentication. It is a critical security measure for protecting user accounts, sensitive data, and systems.

Password Policies

To enhance security, organizations implement password policies, such as:

  • Minimum and maximum password length
  • Use of special characters, numbers, and uppercase letters
  • Password expiration and history
  • Two-factor authentication

Password Hashing

Passwords are not stored as plain text but as hashed values. Hashing converts a password into a fixed-length string using algorithms like:

  • MD5
  • SHA-1
  • SHA-256
  • SHA-512

Types of Password Cracking Methods

Cybersecurity professionals and attackers use various techniques to crack passwords:

  1. Dictionary Attack: Tries common passwords from a wordlist.
  2. Brute Force Attack: Tries all possible character combinations.
  3. Rainbow Table Attack: Uses precomputed hash values.
  4. Hybrid Attack: Combines dictionary and brute force approaches.

Python Password Cracker

The following Python script can be used for password cracking using both dictionary and brute-force methods.


    import hashlib
    import argparse
    import pyfiglet
    import time
    import itertools
    import string

    # Banner
    display_banner = pyfiglet.figlet_format("Password Cracker")
    print(display_banner)

    # Argument Parsing
    parser = argparse.ArgumentParser(description="Advanced Password Cracker")
    parser.add_argument("-hash", "--hash", required=True, help="Hashed password to crack")
    parser.add_argument("-algo", "--algorithm", default="md5", choices=["md5", "sha1", "sha256", "sha512"], help="Hashing algorithm")
    parser.add_argument("-file", "--file", help="Password dictionary file")
    parser.add_argument("-bruteforce", action="store_true", help="Enable brute-force attack mode")
    parser.add_argument("-min", type=int, default=4, help="Minimum length for brute-force")
    parser.add_argument("-max", type=int, default=8, help="Maximum length for brute-force")
    parser.add_argument("-charset", type=str, default=string.ascii_letters + string.digits, help="Character set for brute-force attack")
    parser.add_argument("-output", help="Save cracked passwords to a file")
    args = parser.parse_args()

    # Function to hash words
    def hash_word(word, algorithm):
        encoded_word = word.encode('utf-8')
        return getattr(hashlib, algorithm)(encoded_word).hexdigest()

    # Dictionary Attack
    if args.file:
        with open(args.file, 'r', encoding="utf-8", errors="ignore") as pass_file:
            for word in pass_file:
                if hash_word(word.strip(), args.algorithm) == args.hash:
                    print(f"✅ Password Found: {word.strip()}")
                    break

    # Brute Force Attack
    if args.bruteforce:
        for length in range(args.min, args.max + 1):
            for guess in itertools.product(args.charset, repeat=length):
                password = ''.join(guess)
                if hash_word(password, args.algorithm) == args.hash:
                    print(f"✅ Password Found: {password}")
                    break

Mitigation Techniques

To protect against password cracking, consider:

  • Enforcing strong password policies
  • Using multi-factor authentication (MFA)
  • Implementing rate-limiting on login attempts
  • Using bcrypt or Argon2 for secure password hashing

GitHub Repository

Find the full source code and documentation on GitHub:

Password Cracker GitHub Repository

Thanks for reading! If you found this useful, feel free to share it with your fellow hunters. Happy hacking!