How Hackers Actually Guess Your Passwords
By Leo Martin · 8 min read
Short answer: they almost never "guess" the way films suggest. Real attacks are automated and impersonal. Software replays passwords leaked from old breaches, runs through dictionaries of common choices, and only falls back on raw brute force for short passwords. Understanding these three methods makes it obvious how to defend yourself — and the defences are refreshingly simple.
Method 1: Credential stuffing — replaying old leaks
This is the big one, and it's the reason reuse is so dangerous. When a website suffers a data breach, lists of usernames and passwords often end up circulating online. Attackers gather these lists and use automated tools to try the same combinations on completely different sites — your email, your shopping accounts, your bank.
The logic is brutally simple: a huge number of people use the same password in several places. So if your login leaked from a forum you forgot about in 2019, and you used that same password for your email, the attacker doesn't need to "crack" anything. They just walk in with the key you already handed over elsewhere.
The fix is equally simple in principle: never reuse a password. If every account has its own unique password, a leak from one site is contained to that one site. This single habit defeats the most common attack on the internet. Generating a fresh password per account with our password generator makes it painless.
Method 2: Dictionary attacks — trying the likely first
When attackers do try to crack a password rather than replay it, they don't start from aaaa and count upward. They start with the passwords people actually choose. Cracking tools come loaded with enormous "dictionaries": lists of common passwords, real words, names, sports teams, keyboard patterns like qwerty, and the most popular leaked passwords from past breaches.
On top of those words, the tools apply "rules" — automatic transformations that mimic how humans tweak passwords. Capitalise the first letter. Add a number on the end. Swap a for @ or o for 0. Stick the current year after a word. Because these are the same predictable tricks most of us reach for, a password like Liverpool2026! is far weaker than it looks — it's a dictionary word plus a couple of obvious rules.
The defence is unpredictability. A password built from random characters or several unrelated random words isn't in any dictionary and doesn't match any rule pattern. That's exactly why lists of the most common ("worst") passwords are full of predictable choices and never random ones.
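The following is an added example, not code from the original article: a small checker that undoes the mangling rules described above (trailing symbol, trailing digits or year, leet swaps, initial capital) and tests what is left against a constructed mini-dictionary. The word list and the rule set are assumptions standing in for the far larger ones real cracking tools carry.

```python
import re

# Constructed mini-dictionary standing in for the huge wordlists that
# cracking tools ship with; a real checker would load a large list.
COMMON_WORDS = {"liverpool", "password", "qwerty", "dragon", "letmein", "summer"}

# Reverse the character swaps a rule engine applies (a -> @, o -> 0, ...).
UNLEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                        "$": "s", "5": "s", "3": "e", "7": "t"})

def analyse(password: str) -> dict:
    """Peel off common mangling rules and test the stem against the dictionary.

    Returns the recovered stem, the rules that were undone, and whether the
    stem is a dictionary word (i.e. the password is a word-plus-rules pattern).
    """
    rules = []
    stem = password

    # Rule: append a symbol (e.g. "!" or "!!") at the end.
    m = re.search(r"[^A-Za-z0-9]+$", stem)
    if m:
        rules.append("append symbol")
        stem = stem[:m.start()]

    # Rule: append digits, with a four-digit year called out specifically.
    m = re.search(r"\d{1,4}$", stem)
    if m:
        rules.append("append year" if re.fullmatch(r"(19|20)\d\d", m.group())
                     else "append digits")
        stem = stem[:m.start()]

    # Rule: leet substitutions such as P@ssw0rd.
    unleeted = stem.translate(UNLEET)
    if unleeted != stem:
        rules.append("leet substitution")
        stem = unleeted

    # Rule: capitalise the first letter.
    if stem[:1].isupper():
        rules.append("capitalise first")
    stem = stem.lower()

    return {"stem": stem, "rules": rules, "in_dictionary": stem in COMMON_WORDS}

def is_predictable(password: str) -> bool:
    """Policy hook: reject anything that reduces to a dictionary word."""
    return analyse(password)["in_dictionary"]

if __name__ == "__main__":
    for pw in ("Liverpool2026!", "P@ssw0rd1", "Summer19", "xk7Qm#pL2v"):
        print(pw, analyse(pw))
```

Run it and Liverpool2026! collapses to the stem "liverpool" with three rules undone, while the random string survives as nonsense that matches nothing.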
Method 3: Brute force — the slow, last resort
Pure brute force means trying every possible combination of characters, one after another. It's the method people picture, but in reality it's only practical against short passwords. Here's the key idea: each character you add multiplies the number of possible combinations by the size of the character set. Adding length doesn't make a password a bit harder to brute-force — it makes it exponentially harder.
A short password with only a few characters has so few combinations that fast hardware can chew through them quickly. But stretch that password out, and the number of combinations explodes into figures so vast that trying them all would take an impractical amount of time and computing power. This is why length is the single most powerful lever you have. You can watch this effect directly in our password analyser: as you add characters, the estimated strength climbs far faster than when you simply add a symbol or two.
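To put numbers on the "explosion" described above, here is an added example (not from the original article or its analyser) that computes the keyspace and worst-case exhaustion time for different lengths and alphabets. The guess rate of ten billion per second is an assumed, illustrative figure, not a measurement.

```python
import math

# Character-set sizes (constructed for illustration; real policies vary).
LOWER = 26
LOWER_UPPER_DIGITS = 62
ALL_PRINTABLE = 94

# Assumed offline guess rate against a fast, unsalted hash. This is an
# illustrative figure, not a measurement; change it to suit your threat model.
GUESSES_PER_SECOND = 10 ** 10

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length and alphabet."""
    return charset_size ** length

def growth_factor(charset_size: int, length: int) -> int:
    """Work multiplier from one extra character: always the alphabet size."""
    return keyspace(charset_size, length + 1) // keyspace(charset_size, length)

def bits_of_entropy(charset_size: int, length: int) -> float:
    """Equivalent security bits for a uniformly random password."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; expected time is about half."""
    return keyspace(charset_size, length) / rate

def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def compare(a: tuple, b: tuple) -> bool:
    """True if password shape a (charset, length) has a larger keyspace than b."""
    return keyspace(*a) > keyspace(*b)

if __name__ == "__main__":
    print("length  lowercase-only          mixed case+digits")
    for n in (6, 8, 10, 12, 16):
        print(f"{n:>6}  {human(seconds_to_exhaust(LOWER, n)):<22}  "
              f"{human(seconds_to_exhaust(LOWER_UPPER_DIGITS, n))}")
    # Length beats fiddly complexity: 16 lowercase letters outnumber
    # 10 characters drawn from every printable ASCII symbol.
    print(compare((LOWER, 16), (ALL_PRINTABLE, 10)))  # True
```

The table makes the point of the paragraph concrete: a lowercase-only password of 8 characters is exhausted in seconds at the assumed rate, while 16 lowercase characters take longer than 10 characters drawn from the full printable alphabet.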
What about phishing and "real" guessing?
Two honourable mentions. First, phishing: instead of cracking your password, an attacker tricks you into typing it on a convincing fake login page. No amount of password strength helps here, which is why being sceptical of unexpected login links matters. Second, genuine personal guessing does happen occasionally — a nosy acquaintance trying your pet's name or birthday. It's real, but it's a tiny slice of the threat compared with the automated attacks above. Don't build your whole strategy around it, but don't make it easy either: avoid obvious personal facts.
Putting it together: your three-step defence
Every method above is beaten by the same short list of habits:
- Unique passwords everywhere stop credential stuffing dead. A password manager makes this effortless.
- Random, unpredictable passwords defeat dictionary attacks — generate them rather than inventing them.
- Long passwords make brute force impractical. Aim for length over fiddly complexity.
- Two-factor authentication is the safety net: even a correct password isn't enough on its own.
Notice that none of this requires you to outsmart a hacker in real time. It just requires removing the shortcuts they rely on. Do that, and you stop being the easy target the automated tools are looking for.
Frequently asked questions
Do hackers really sit and guess my password by hand?
Almost never. The vast majority of attacks are automated. Software tries millions of combinations or replays passwords leaked from other breaches across many sites at once. It's a numbers game, not a personal one.
What is credential stuffing?
It's when attackers take username and password pairs leaked from one breached site and try them automatically on other sites, betting that people reuse the same login. Using a unique password per account defeats it.
How long does it take to brute-force a password?
It depends entirely on length and randomness. Short or common passwords can fall almost instantly, while a long, random password has so many combinations that brute force becomes impractical.
Does two-factor authentication help against these attacks?
Yes, hugely. Even if an attacker has your correct password, a second factor such as an app code or security key means a stolen password alone is not enough to log in.
This article is general security education, not professional advice.