Password-based authentication systems face severe security threats from brute-force, dictionary, and rainbow-table attacks. This study systematically analyzes the underlying mechanisms of these three attack types and empirically evaluates the resilience of MD5, SHA-256, and bcrypt under key mitigation strategies—including salting, slow hashing, password complexity enforcement, and account lockout—using John the Ripper and Hashcat. Results demonstrate that bcrypt, when combined with dynamic salting and stringent password policies, significantly enhances resistance to exhaustive search. Moreover, integrating multi-factor authentication (MFA) and risk-adaptive authentication reduces password cracking success rates by over 90%. The study proposes a layered defense framework grounded in empirical validation and designed for practical deployment. This framework provides a quantifiable, actionable pathway for strengthening password security in real-world systems, balancing cryptographic robustness with operational feasibility.

System passwords serve as critical credentials for user authentication and access control when logging into operating systems or applications. Upon entering a valid password, users pass verification to access system resources and execute corresponding operations. In recent years, frequent password cracking attacks targeting system passwords have posed a severe threat to information system security. To address this challenge, in-depth research into password cracking attack methods and defensive technologies holds significant importance. This paper conducts systematic research on system password security, focusing on analyzing typical password cracking methods such as brute force attacks, dictionary attacks, and rainbow table attacks, while evaluating the effectiveness of existing defensive measures. The experimental section utilizes common cryptanalysis tools, such as John the Ripper and Hashcat, to simulate brute force and dictionary attacks. Five test datasets, each generated using Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 256-bit (SHA 256), and bcrypt hash functions, are analyzed. By comparing the overall performance of different hash algorithms and password complexity strategies against these attacks, the effectiveness of defensive measures such as salting and slow hashing algorithms is validated. Building upon this foundation, this paper further evaluates widely adopted defense mechanisms, including account lockout policies, multi-factor authentication, and risk adaptive authentication. By integrating experimental data with recent research findings, it analyzes the strengths and limitations of each approach while proposing feasible improvement recommendations and optimization strategies.