GSA-03
Understand how passwords are cracked, why password managers are essential
General Security Awareness Training
Estimated Time: 15 minutes
By the end of this module, you will be able to:
Most people imagine password cracking as someone sitting at a keyboard, typing guesses one at a time. The reality is nothing like that. Modern password cracking is automated, GPU-accelerated, and fast enough to try billions of combinations per second against stolen password databases.
To understand why this matters, you need to know what happens behind the scenes when you create an account.
Reputable services don't store your password in plain text. They run it through a mathematical function called a hash, which produces a fixed-length string of characters. The SHA-256 hash of "password123" is ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f. The service stores that hash, not your actual password. When you log in, the system hashes what you type and compares it to the stored hash. If they match, you're in. Well-designed services go two steps further: they mix a random per-user salt into the hash so identical passwords produce different hashes, and they use a deliberately slow algorithm (bcrypt, scrypt, or Argon2) so that each guess costs the attacker real time.
The important thing: hashing is a one-way function. You can't work backwards from the hash to "password123". But you can generate hashes for millions of guesses and compare them to the stored hash until you find a match. That's what cracking is.
1. Credential stuffing. This is the most common attack, and it doesn't require any cracking at all. Attackers take username/password pairs leaked from one breach and try them on other services. If you used the same email and password for your LinkedIn account and your work Okta login, a LinkedIn breach just became a breach of your company's systems. Credential stuffing accounts for the majority of automated login attacks, and it works because people reuse passwords.
2. Dictionary attacks. The attacker runs through a list of common passwords, words, and phrases. These dictionaries aren't just English words. They include the most commonly used passwords from every major breach ever published: "password," "123456," "qwerty," "letmein," "iloveyou," and millions of variations. If your password is a recognizable word or common phrase, it falls in seconds.
3. Hybrid attacks. Attackers know that people try to be clever by appending numbers or swapping characters. A hybrid attack takes dictionary words and automatically tries predictable mutations: capitalizing the first letter, adding "123" or "!" at the end, swapping "a" for "@" and "o" for "0." This is why "P@ssw0rd123!" isn't clever. It's among the first things a hybrid attack tries.
4. Brute force. The attacker tries every possible combination of characters. This sounds slow, but modern hardware makes it terrifyingly fast. According to the 2025 Hive Systems Password Table (a widely referenced cracking benchmark), a system running 12 RTX 5090 GPUs can crack an eight-character lowercase password in three weeks. An eight-character numeric password falls almost instantly. Compared to 2024, cracking times dropped nearly 20% in a single year due to advances in consumer GPU hardware, and Hive estimates that AI-grade hardware (the clusters used to train large language models) is roughly 18 million times faster still (their figure is "over 1.8 billion percent"). Two caveats make the picture worse for defenders, not better: the table assumes the passwords were hashed with bcrypt, a deliberately slow algorithm, so a database of fast, unsalted hashes such as MD5 or SHA-1 falls orders of magnitude faster; and a brute-force benchmark is the attacker's worst case, since dictionary and hybrid attacks run first and catch most passwords long before exhaustive search is needed.
5. Phishing. Why crack a password when you can just ask for it? As we covered in Module 2, phishing remains one of the most effective ways to harvest credentials. No amount of password complexity protects you if you type that password into a fake login page.
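The mechanics of hashing (above) and of the dictionary and hybrid attacks in items 2 and 3 are easier to see in code. The following is an added example, not part of the original module: a constructed "leaked" table of three unsalted SHA-256 hashes, a six-word constructed dictionary, and a small hybrid mutation engine of the kind that hashcat rules automate. The wordlist, the leaked hashes, and the suffix and leetspeak rules are all assumptions chosen for illustration.

```python
import hashlib

# Constructed "stolen database": what a service that stores unsalted SHA-256
# hashes would leak. Reputable services use a salted, slow hash instead; see
# slow_hash() below for the difference that makes.
LEAKED_HASHES = {
    "alice": hashlib.sha256(b"password123").hexdigest(),
    "bob":   hashlib.sha256(b"P@ssw0rd123!").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Constructed six-entry dictionary; real wordlists hold hundreds of millions.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "summer"]

FULL_LEET = str.maketrans({"a": "@", "o": "0", "e": "3", "i": "1", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "123!", "2025", "2025!"]   # assumed rule set


def hybrid_candidates(word):
    """Yield the predictable mutations of one dictionary word: case changes,
    leetspeak substitutions and common suffixes (what hashcat rules automate)."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(FULL_LEET) for b in list(bases)}                # p@$$w0rd
    bases |= {b.replace("a", "@").replace("o", "0") for b in list(bases)}  # P@ssw0rd
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def fast_hash(password):
    """Unsalted SHA-256: billions of these per second on a GPU."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(leaked, wordlist, hash_fn=fast_hash):
    """Dictionary + hybrid attack. Each candidate is hashed once and looked up
    against every leaked hash at the same time; that batching works only
    because the hashes are unsalted. Returns (recovered, candidates_tried)."""
    by_hash = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)
    recovered, tried = {}, 0
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            tried += 1
            for user in by_hash.get(hash_fn(candidate), []):
                recovered[user] = candidate
    return recovered, tried


def slow_hash(password, salt, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256, the kind of storage that defeats the batch
    lookup above: a per-user salt forces one hash per candidate per user, and
    the iteration count makes each one ~iterations times slower than fast_hash()."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    recovered, tried = crack(LEAKED_HASHES, WORDLIST)
    for user, password in recovered.items():
        print(f"{user}: {password!r}")
    print(f"{tried} candidates tried; not recovered: {set(LEAKED_HASHES) - set(recovered)}")
```

Running it recovers alice's "password123" and bob's "P@ssw0rd123!" from a handful of hundred guesses; carol's four-word passphrase survives because no rule in this set produces multi-word strings. Swap fast_hash for slow_hash and every guess becomes hundreds of thousands of times more expensive, and it has to be repeated per user because of the salt.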
Two conclusions fall out of this:
Length beats complexity. An eight-character password with uppercase, lowercase, numbers, and symbols might take years to brute-force. But a 16-character passphrase using only lowercase letters could take millions of years. Every additional character multiplies the number of possible passwords by the size of the character set, so the search space grows exponentially with length. "correct horse battery staple" is dramatically harder to crack than the six-character "P@ss1!" even though one uses only lowercase letters and spaces. One caveat: that exact phrase is now in every wordlist, and a passphrase is only as strong as the randomness of the words in it, so pick your own unrelated words (ideally at random) and use more than four.
Uniqueness is non-negotiable. The strongest password in the world is worthless if you use it on two services and one of them gets breached. Credential stuffing doesn't care about complexity. It cares about reuse.
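To put numbers on "length beats complexity", the following added example (not from the original module) computes the entropy of several password policies and the expected brute-force time at an assumed rate of 10 billion guesses per second, a hypothetical figure for a fast unsalted hash on a GPU rig, far faster than the bcrypt rate behind the Hive Systems table. It goes one step beyond the text by also modelling a passphrase the way an attacker who knows you use dictionary words would: as a choice of N words from a 7,776-word diceware list rather than as N*6 random characters. The rate, the 33-symbol count and the list size are assumptions.

```python
import math

# Assumed attacker speed for the comparison (fast unsalted hash on a GPU rig);
# the page's Hive Systems figures are for bcrypt and are far slower per guess.
GUESSES_PER_SECOND = 1e10

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # printable ASCII classes
DICEWARE_WORDS = 7776                            # size of a standard diceware list


def entropy_bits(alphabet, length):
    """Bits of entropy of a uniformly random string: log2(alphabet ** length)."""
    return length * math.log2(alphabet)


def expected_seconds(bits, rate=GUESSES_PER_SECOND):
    """Average time to find the password: half the keyspace divided by the rate."""
    return (2 ** bits) / 2 / rate


def human(seconds):
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def compare(rate=GUESSES_PER_SECOND):
    """Entropy and expected crack time for several policies, as {label: (bits, seconds)}.
    The diceware rows model the attacker who knows the passphrase is made of
    list words, which is the right assumption once a scheme is popular."""
    cases = {
        "8 chars, all four classes":                  entropy_bits(LOWER + UPPER + DIGITS + SYMBOLS, 8),
        "12 chars, lowercase only":                   entropy_bits(LOWER, 12),
        "16 chars, lowercase only":                   entropy_bits(LOWER, 16),
        "4 diceware words (attacker knows the list)": entropy_bits(DICEWARE_WORDS, 4),
        "6 diceware words (attacker knows the list)": entropy_bits(DICEWARE_WORDS, 6),
        "28 random lowercase chars + spaces":          entropy_bits(LOWER + 1, 28),
    }
    return {label: (bits, expected_seconds(bits, rate)) for label, bits in cases.items()}


if __name__ == "__main__":
    for label, (bits, secs) in compare().items():
        print(f"{label:<46} {bits:6.1f} bits  {human(secs)}")
```

The instructive line is the diceware one: four random words from a known list carry about 51.7 bits, roughly the same as an eight-character password drawn from all four classes, which is why six or more words are recommended. The same 28 characters treated as random letters would score 130+ bits, but that is only true if the attacker has no idea how the phrase was built.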
This is the single most important concept in this module, so let's be direct: if you reuse passwords, nothing else in this section matters.
Here's why. Breaches happen constantly. Over 12 billion credential pairs have been exposed in data breaches cataloged by HaveIBeenPwned as of early 2025. That's not 12 billion attempts. That's 12 billion actual username-and-password combinations floating around the internet, available to anyone willing to look.
When a service you use gets breached, the attackers don't just target that service. They take your email and password and test them against hundreds of other services automatically: your bank, your email provider, your company's VPN, your cloud storage, your HR portal. If you've reused that password anywhere, every one of those accounts is now compromised.
This is not theoretical. Stolen credentials were the initial access vector in 53% of data breaches in 2025. More than half of all breaches started with a password that was already known to the attacker because it had been exposed somewhere else.
The only defense is using a unique password for every single account. And since no human can memorize hundreds of unique, strong passwords, that brings us to password managers.
A password manager is software that generates, stores, and fills in strong, unique passwords for every account you use. You remember one strong master password (or use biometrics to unlock the vault), and the manager handles everything else.
When you create a new account, the password manager generates a random password (something like k7#Rm!9xVp2$wLnQ). It stores that password in an encrypted vault on your device or in the cloud. When you visit the login page, the manager auto-fills the credentials. You never need to see, type, or remember the password.
Password managers solve the reuse problem at its root. When every account has a unique, randomly generated password, a breach at one service can't cascade to another. They also blunt phishing in an unexpected way: a password manager auto-fills credentials based on the actual domain of the site you're visiting, not on the logo or the page design. If you land on a phishing page at micr0soft-login.com instead of microsoft.com, the manager won't offer to fill in your credentials because the domain doesn't match the saved entry. That mismatch is a built-in phishing detector, but only if you heed it: never copy a password out of the vault and paste it into a page the manager refused to fill.
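The domain check described above is the part of a password manager most worth understanding, because the obvious implementation (does the address contain the site name?) is wrong in ways attackers exploit. The following added example, not code from any real password manager, shows a registrable-domain ("eTLD+1") comparison against a deliberately tiny stand-in for the Public Suffix List, beside the naive substring check, on a set of constructed URLs including a lookalike, a real name nested under an attacker's domain, a userinfo trick and an HTTP downgrade. The suffix list, the stored URL and the test cases are assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org). A real
# manager ships the full list; it is what lets it treat user-a.github.io and
# user-b.github.io as unrelated sites even though they share a hostname suffix.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "github.io"}


def registrable_domain(host):
    """eTLD+1 of a hostname: 'login.microsoft.com' -> 'microsoft.com',
    'microsoft.com.evil.net' -> 'evil.net'. None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                       # longest suffix matches first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return host.lower()


def naive_match(stored_url, current_url):
    """The check a careless implementation, or a human glancing at the address
    bar, makes: does the address contain the saved site's name somewhere?"""
    return urlsplit(stored_url).hostname in current_url


def should_autofill(stored_url, current_url):
    """Fill only over HTTPS and only when the current page's registrable domain
    equals the one the credential was saved for."""
    stored, current = urlsplit(stored_url), urlsplit(current_url)
    if current.scheme != "https" or not current.hostname or not stored.hostname:
        return False
    saved, here = registrable_domain(stored.hostname), registrable_domain(current.hostname)
    return saved is not None and saved == here


# Constructed vault entry and pages to evaluate it against.
STORED = "https://login.microsoft.com/"
CASES = [
    "https://login.microsoft.com/oauth2",        # same host: fill
    "https://account.microsoft.com/",            # sibling host, same domain: fill
    "https://micr0soft-login.com/",              # lookalike: refuse
    "https://login.microsoft.com.evil.net/",     # real name under attacker's domain: refuse
    "https://login.microsoft.com@evil.net/",     # userinfo trick, real host is evil.net: refuse
    "http://login.microsoft.com/",               # plaintext downgrade: refuse
]

if __name__ == "__main__":
    for url in CASES:
        print(f"{url:<42} naive={naive_match(STORED, url)!s:<5} manager={should_autofill(STORED, url)}")
```

Two design notes. Matching on the registrable domain means a credential saved for login.microsoft.com also fills on account.microsoft.com; some managers default to exact-host matching instead, which is stricter but prompts more often. And the userinfo case is why the check must parse the URL rather than search the string: the characters before "@" are a username, not the host.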
"What if the password manager itself gets hacked?" This is a valid question, and it happened to LastPass in 2022. The stolen vault data was encrypted with keys derived from each user's master password, so users with long, random master passwords and current key-derivation settings remained protected. Users with short master passwords or old, low iteration counts were at real risk of offline cracking, and some vault fields, such as website URLs, were stored unencrypted. Even so, the alternative, reusing weak passwords across dozens of services, is demonstrably worse. A password manager concentrates risk in one well-defended place, which is exactly why the master password must be long and unique and the vault itself protected with MFA.
"What if I lose access to my vault?" Every reputable password manager provides recovery options: recovery keys, emergency contacts, or backup codes. Set these up when you create your account, not after you've been locked out.
"Isn't it putting all my eggs in one basket?" Yes, but it's a heavily armored basket. The alternative is scattering your eggs across dozens of unguarded baskets (your memory, sticky notes, spreadsheets, browser autofill without a master password). One basket with strong encryption and a strong master password is safer than many baskets with no protection at all.
Your organization may require or provide a specific password manager. If so, use it. If not, reputable options include 1Password, Bitwarden, and Dashlane. The specific product matters less than the habit: every account, every time, a unique password.
Even with a strong, unique password, a single factor of authentication isn't enough. If that password is exposed in a breach, phished, or stolen from your device, the attacker has everything they need. Multi-factor authentication adds a second verification step that makes stolen passwords far less useful.
MFA works on the principle of requiring two or more of the following:
An attacker who steals your password still can't get in without the second factor. Microsoft's data confirms that MFA blocks 99.9% of automated credential attacks. That single statistic makes MFA one of the highest-impact security controls available.
Not all MFA is created equal. Here's how the most common methods compare, from weakest to strongest.
SMS codes (weakest). A text message with a one-time code sent to your phone. This is better than no MFA at all, but it has known vulnerabilities. Attackers can intercept SMS codes through SIM swapping (convincing your mobile carrier to transfer your number to their device) or through social engineering of carrier support staff. NIST SP 800-63B treats one-time codes delivered over the phone network as a restricted authenticator, and many providers are phasing SMS out as a primary MFA method. Use it if it's your only option, but move to something stronger if you can.
Authenticator apps (good). Apps like Google Authenticator, Microsoft Authenticator, or Authy generate time-based one-time passwords (TOTP) that rotate every 30 seconds. The shared secret never leaves your device and nothing travels over the cellular network, which eliminates the SIM-swapping vulnerability; only the short-lived six-digit code is sent to the site you're logging in to. Authenticator apps are a solid upgrade from SMS and work well for most people. However, they can still be phished in real time: an attacker's proxy site relays your code to the real login page while it is still valid.
Push notifications (good, with caveats). Services like Duo and Microsoft Authenticator can send a push notification to your phone asking you to approve or deny a login attempt. This is convenient, but it's vulnerable to MFA fatigue attacks (more on that in a moment). If your service supports number matching (where you must type a code displayed on the login screen into the push notification), enable it. Number matching turns a reflexive tap into an intentional decision.
Hardware security keys (strongest traditional MFA). Physical devices like YubiKeys or Google Titan keys plug into your computer's USB port or tap via NFC. They use cryptographic protocols that are bound to the specific website's domain, which means they cannot be phished. A hardware key will not authenticate to a fake login page, period. They're immune to SIM swapping, prompt bombing, and real-time phishing proxies. The tradeoff is that you need to carry the physical device.
Passkeys (strongest, and the future). Passkeys are the next evolution of authentication, built on the FIDO2/WebAuthn standard. They replace passwords entirely with cryptographic key pairs stored on your device. When you log in, your device proves your identity using a private key that never leaves the device, unlocked by your fingerprint, face scan, or device PIN. Passkeys are phishing-resistant by design: the authentication is cryptographically bound to the legitimate website's domain. They can't be typed into a fake site, can't be intercepted, and can't be reused. Apple, Google, and Microsoft have all built passkey support into their platforms, and adoption is accelerating. If a service offers passkey support, use it.
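The authenticator-app entry above says the secret never leaves the device and the code is only good for a short window; both facts follow from the TOTP algorithm (RFC 6238 over HOTP, RFC 4226). The following added example, not code from any of the apps named above, implements both ends: the code generation an app performs and the server-side verification, including the drift window that a real-time phishing proxy exploits and the replay check that stops the same code from being accepted twice. The key is the RFC 6238 test key so the output can be checked against the RFC's published vectors; the ±1 step window, and the replay-tracking set, are assumptions about how a given server is configured.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP over the number of 30-second steps since the Unix epoch.
    This is what the authenticator app computes; the secret stays on the device."""
    now = int(time.time() if at is None else at)
    return hotp(secret, now // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1, digits=6, used=None):
    """Server-side check. Accepts the current step and +-window neighbours to
    tolerate clock drift (so a code stays valid for up to ~90 s with window=1,
    which is the gap a relay proxy lives in), compares in constant time, and
    refuses a counter that already authenticated when a `used` set is supplied.
    Returns the accepted counter, or None."""
    now = int(time.time() if at is None else at)
    for k in range(-window, window + 1):
        counter = now // step + k
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used is not None:
                if counter in used:
                    return None          # replay of an already-used code
                used.add(counter)
            return counter
    return None


def secret_from_base32(text):
    """Decode the Base32 secret from an otpauth:// enrollment URI or QR code
    (padding and spaces optional, as apps accept them)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


# RFC 6238 Appendix B test key (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59, digits=8))           # RFC vector: 94287082
    print(totp(RFC_SECRET, at=1234567890, digits=8))   # RFC vector: 89005924
    used = set()
    code = totp(RFC_SECRET, at=59)
    print(verify_totp(RFC_SECRET, code, at=59, used=used))    # 1 (accepted)
    print(verify_totp(RFC_SECRET, code, at=59, used=used))    # None (replay)
    print(verify_totp(RFC_SECRET, code, at=85))               # 1 (still inside the window)
    print(verify_totp(RFC_SECRET, code, at=130))              # None (expired)
```

The verification window is the important design point. A code minted at t=59 is still accepted at t=85 because the server tolerates one step of drift; that is long enough for a proxy to forward it, which is why TOTP is not phishing-resistant even though the secret is never exposed. The replay set closes a different hole: a code captured and used by the attacker first cannot then be used by the victim, so a login that suddenly "doesn't work" right after you entered a code is itself a signal.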
MFA fatigue (also called prompt bombing or push bombing) is a social engineering technique that targets human patience rather than technical vulnerabilities.
The attacker already has your username and password (from a breach, phishing, or purchase on the dark web). They attempt to log in to your account, which triggers an MFA push notification to your phone. You deny it. They try again. Another notification. You deny it. They try again. And again. And again, sometimes at 1 a.m. when you're trying to sleep.
The goal is to send so many notifications that you eventually approve one just to make them stop. Or you tap "Approve" by accident because you're so used to dismissing notifications that your muscle memory takes over.
This technique was used in high-profile 2022 breaches at Uber, Cisco, and other major companies. In the Uber case, the attacker bombarded a contractor with push notifications and then sent a WhatsApp message posing as IT support, telling them they needed to approve the notification to fix a system issue. The contractor approved. The attacker was in.
Never approve an MFA prompt you didn't initiate. This is the single most important rule. If you receive a push notification or authentication request that you did not trigger by actively trying to log in, deny it immediately. Then report it to your IT/security team, because it means someone has your password.
If the prompts keep coming, don't just ignore them. Report the situation to IT immediately. Repeated MFA prompts mean an attacker is actively trying to break into your account right now. Your security team needs to know so they can lock the account, force a password reset, and investigate.
Enable number matching if available. Number matching requires you to enter a specific code from the login screen into the push notification. This prevents accidental approvals because you can't match a number you never saw.
Consider switching to a hardware key or passkey. These methods eliminate the fatigue vector entirely because there's no notification to approve. Authentication requires physical possession of the key or biometric verification on your device.
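The advice above is written for the person receiving the prompts; the security team on the other end should not need to wait for a report to notice a burst of push notifications. The following added example, not taken from any vendor's product, runs a simple prompt-bombing detector over a constructed push-MFA audit log: it flags any user who received a threshold number of prompts inside a sliding window and escalates when an approval follows the burst. The log format, field names, thresholds and the three users are all assumptions; real identity providers log equivalent events under their own schemas.

```python
import json
from datetime import datetime, timedelta

# Constructed push-MFA audit events (field names are an assumption, not any
# vendor's schema). "jdoe" is being prompt-bombed at 1 a.m. and eventually
# approves; "asmith" is a normal login; "bbrown" simply retried once.
SAMPLE_LOG = """\
{"ts": "2025-03-04T01:02:10Z", "user": "jdoe", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T01:02:25Z", "user": "jdoe", "event": "push_denied", "ip": "203.0.113.7"}
{"ts": "2025-03-04T01:03:05Z", "user": "jdoe", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T01:03:19Z", "user": "jdoe", "event": "push_denied", "ip": "203.0.113.7"}
{"ts": "2025-03-04T01:03:50Z", "user": "jdoe", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T01:04:40Z", "user": "jdoe", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T01:05:30Z", "user": "jdoe", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T01:06:20Z", "user": "jdoe", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2025-03-04T01:06:31Z", "user": "jdoe", "event": "push_approved", "ip": "203.0.113.7"}
{"ts": "2025-03-04T09:15:00Z", "user": "asmith", "event": "push_sent", "ip": "198.51.100.23"}
{"ts": "2025-03-04T09:15:08Z", "user": "asmith", "event": "push_approved", "ip": "198.51.100.23"}
{"ts": "2025-03-04T10:00:00Z", "user": "bbrown", "event": "push_sent", "ip": "198.51.100.40"}
{"ts": "2025-03-04T10:00:45Z", "user": "bbrown", "event": "push_sent", "ip": "198.51.100.40"}
{"ts": "2025-03-04T10:00:52Z", "user": "bbrown", "event": "push_approved", "ip": "198.51.100.40"}
"""


def parse_events(text):
    """One JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each user who received >= threshold push prompts inside any `window`.
    The alert records whether an approval followed the burst: that case needs an
    immediate session revocation and password reset, not a routine ticket."""
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == "push_sent"]
        best, start = (0, None, None), 0
        for end, event in enumerate(sent):             # sliding window over prompts
            while event["ts"] - sent[start]["ts"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, sent[start]["ts"], event["ts"])
        count, first, last = best
        if count < threshold:
            continue
        approved = any(e["event"] == "push_approved" and e["ts"] >= first for e in evs)
        alerts.append({
            "user": user,
            "prompts": count,
            "window_start": first.isoformat(),
            "window_end": last.isoformat(),
            "source_ips": sorted({e["ip"] for e in sent}),
            "approved_after_burst": approved,
            "severity": "critical" if approved else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

With the defaults only jdoe is flagged: six prompts in just over four minutes, all from one source address, followed by an approval, so the alert is critical. The ordinary logins are untouched, and lowering the threshold to 2 would also catch bbrown's retry, which is the usual tuning tradeoff. A "high" alert (burst, no approval yet) is the moment to lock the account and reset the password, since the attacker already holds it.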
Forget the old advice about changing your password every 90 days. NIST updated its password guidelines (SP 800-63B) and now explicitly recommends against mandatory periodic rotation because it leads to predictable patterns (Winter2025, Spring2025, Summer2025). Instead, focus on the rules that actually reduce risk:
Use a unique password for every account. This is rule number one, two, and three. A password manager makes this practical.
Make passwords long. Aim for 16 characters or more. Passphrases (multiple unrelated words strung together) are both strong and memorable. Length matters more than complexity.
Don't use personal information. Your dog's name, your birthday, your street address, your kid's name followed by their birth year: all of these are discoverable through social media and are among the first things an attacker tries.
Enable MFA everywhere it's available. Especially on email, cloud storage, financial accounts, and any work systems. Use the strongest method available to you.
Never share your password with anyone. Your IT team will never ask for it. Your manager doesn't need it. No legitimate service will ever request it by email or phone. Anyone asking for your password is either an attacker or someone who doesn't understand security.
Report compromised credentials immediately. If you discover that a service you use has been breached, change your password on that service immediately. If you reused that password anywhere else (please stop doing that), change it everywhere. Then tell IT so they can check for unauthorized access.
Next up: Module 4, Data Classification & Handling, where we'll cover the different categories of data your company handles, the rules for each, and how accidental exposure happens more often than you'd think.
Module Version: 1.0
Last Updated: March 2026
Framework References: NIST Cybersecurity Framework 2.0 (Protect), NIST SP 800-63B (Digital Identity Guidelines), SOC 2 Trust Services Criteria (CC 6.1)
Data Sources: Hive Systems 2025 Password Table, Verizon Data Breach Investigations Report 2025, IBM/Ponemon Cost of a Data Breach Report 2025, Microsoft Security Research