Eli5 If someone chooses a weak password


If someone (call him Dave) chooses a weak password for a website, say one of many thousands of easily hacked passwords like “123454321AbC”, how is a hacker able to access Dave’s account on the site?

Because there are a LOT of weak passwords. Why wouldn’t relative obscurity save this user if the website adopted a simple, well-known process in which, say, 4 wrong entries of a password disables the account until a user manually calls in and verifies, and in this way a hacker would never have the opportunity to go through the very large set of weak passwords for Dave?


7 Answers

Anonymous 0 Comments

So the classic way a hacker would crack your profile is by a brute force attack. It’s essentially guessing and checking the password. You go to the login, plug in the email or username and just guess passwords. If you want to check all the variations and know the types of characters that the site allows for passwords, like letters and numbers and special characters, you’ve got like 60 characters and you have to try all variations. Depending on how long the password is, it can take millions or trillions of tries before the hacker has any statistical chance of cracking the password.

If you’ve got n possible different characters and the password is k long and one character can appear multiple times, to get the number of possibilities you just do n^k. So for 26 English letters and a password that’s 8 characters long: 26^8 = ~208 billion possibilities. If you can check 1000 passwords per second it would take around 6.5 years to check all of them. So if you check randomly, in 3 years you’ve got around a 50% chance of finding the password.

As you can see, the possibilities grow exponentially with the length of the password, so even adding one extra character can turn a couple of months of guessing and checking into years.

Of course sites don’t allow login attempts fast enough for this method to work and even implement safety features like captcha or informing the user about login attempts. So a hacker can’t guess and check passwords on the site. But the password is stored in the code of the site somehow, since when a password is inputted it needs to validate it. The password data is often stored as the output of a cryptographic hash function. This gibberish-looking string can sometimes be found in the html code of the site. What happens is that you input a password, the input runs through the algorithm, and if the output matches the stored output the password is correct.

So you would think that if you can somehow manage to get the output and know the algorithm you can run it in reverse and get the input. Let’s say that the function is H(x) and x is the password, like x=1234. So H(1234)=y, which is some stupidly long gibberish, but knowing H(x) and y you can make the inverse H^-1(y)=x. As it turns out, you can’t. It’s not random; think about it like some chaotic system where changing the input parameters slightly massively changes the output. But the same input will always give you the same output; however, just by analysing what turns into what you can’t deduce the inverse.

So these hash functions are great for encryption. But brute force technically still works. Just check all the possible inputs and see if it matches the output you acquired from the site. Of course it’s still a lot of guessing and checking, but the only limiting factor is your computing power. So how many passwords can you run through the function and check the output each second? Let’s work with 60 different characters and a password length of 8. We don’t know the length but we know that the site allows only 4+ character length passwords, so we add up from 4.

The number of possibilities is 170,808,406,560,000. Let’s say we can run 1 million hash functions per second. To check all of them is around 5.4 years, so for a 50% chance to find a match we should run the program for 2.5-3 years.

As you can see, with a brute force attack, despite the method, you either have to be patient or have an absurd level of computing power. If however your password is only 4 characters, it takes 12 seconds with the 1 million hash functions per second speed to crack it. So length is what really matters.

256 bit encryption for instance turns your input into a 256 bit number and runs that through the hash function. Well, more or less. But in general if you want to find a 256 bit number with brute force you’ve got 2 characters, 0 and 1, so 2^256 is the number of possibilities. With 1 million/s speed it would take 2.6×10^53 times the age of the universe to crack it.

So the strength of a password mostly depends on the length of the password. And of course how much information we give a hacker to figure out possible passwords. Like important dates, name of dog etc. So the best password is a password that doesn’t relate to you in any way, shape or form and is sufficiently long. Also using special characters can make a huge difference. But because of how efficient cryptographic hash functions are, hackers don’t really brute force passwords but try to get them through scams. Like a regular email scam or a fake site.
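An added example, not part of the answer above: it recomputes the answer's n^k figures and shows, from the site's side, how a stored hash is checked and how a deliberately slow hash stretches the exhaustion time. The function names are hypothetical, salted PBKDF2-HMAC-SHA256 is an assumed stand-in for H(x), and counting one PBKDF2 iteration as one hash computation is a simplification.

```python
import hashlib
import hmac
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size, min_len, max_len):
    """Count passwords of length min_len..max_len: the sum of n^k."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))

def years_to_exhaust(candidates, hashes_per_second, hashes_per_guess=1):
    """Worst-case time to try every candidate at a given hashing speed."""
    return candidates * hashes_per_guess / hashes_per_second / SECONDS_PER_YEAR

def differing_bits(a, b):
    """Number of bits that differ between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def hash_password(password, salt, iterations=100_000):
    # Assumption: salted PBKDF2-HMAC-SHA256 plays the role of H(x).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify(password, salt, stored, iterations=100_000):
    # Login check: recompute H(x) and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)

if __name__ == "__main__":
    print(keyspace(26, 8, 8))                           # 26 letters, length 8
    print(years_to_exhaust(keyspace(26, 8, 8), 1_000))  # at 1000 checks/s
    total = keyspace(60, 4, 8)                          # 60 characters, lengths 4-8
    print(total, years_to_exhaust(total, 1_000_000))
    print(keyspace(60, 4, 4) / 1_000_000, "seconds")    # length 4 only
    # Same hardware, but each guess now costs 100,000 hash computations.
    print(years_to_exhaust(total, 1_000_000, hashes_per_guess=100_000))
    # Nearby inputs give unrelated-looking outputs (constructed sample inputs).
    d1 = hashlib.sha256(b"1234").digest()
    d2 = hashlib.sha256(b"1235").digest()
    print(differing_bits(d1, d2), "of 256 bits differ")
    salt = os.urandom(16)                               # random per-user salt
    stored = hash_password("1234", salt)
    print(verify("1234", salt, stored), verify("1235", salt, stored))
```
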
