System passwords serve as critical credentials for user authentication and access control when logging into operating systems or applications. Upon entering a valid password, users pass verification to access system resources and execute corresponding operations. In recent years, frequent password cracking attacks targeting system passwords have posed a severe threat to information system security. To address this challenge, in-depth research into password cracking attack methods and defensive technologies holds significant importance. This paper conducts systematic research on system password security, focusing on analyzing typical password cracking methods such as brute force attacks, dictionary attacks, and rainbow table attacks, while evaluating the effectiveness of existing defensive measures. The experimental section utilizes common cryptanalysis tools, such as John the Ripper and Hashcat, to simulate brute force and dictionary attacks. Five test datasets, each generated using Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 256-bit (SHA 256), and bcrypt hash functions, are analyzed. By comparing the overall performance of different hash algorithms and password complexity strategies against these attacks, the effectiveness of defensive measures such as salting and slow hashing algorithms is validated. Building upon this foundation, this paper further evaluates widely adopted defense mechanisms, including account lockout policies, multi-factor authentication, and risk adaptive authentication. By integrating experimental data with recent research findings, it analyzes the strengths and limitations of each approach while proposing feasible improvement recommendations and optimization strategies.

翻译：系统密码是用户登录操作系统或应用程序时进行身份验证与访问控制的关键凭证。输入有效密码后，用户通过验证即可访问系统资源并执行相应操作。近年来，针对系统密码的破解攻击频发，对信息系统安全构成严重威胁。为应对这一挑战，深入探究密码破解攻击方法与防御技术具有重要意义。本文对系统密码安全展开系统性研究，重点分析暴力破解、字典攻击、彩虹表攻击等典型密码破解方法，并评估现有防御措施的有效性。实验部分采用常见密码分析工具（如 John the Ripper 与 Hashcat）模拟暴力破解与字典攻击，对五个分别使用消息摘要算法5（MD5）、安全散列算法256位（SHA 256）及bcrypt哈希函数生成的测试数据集进行分析。通过对比不同哈希算法与密码复杂度策略在这些攻击下的整体表现，验证了加盐处理与慢哈希算法等防御措施的有效性。在此基础上，本文进一步评估了广泛采用的防御机制，包括账户锁定策略、多因素认证及风险自适应认证。通过整合实验数据与近期研究成果，分析了各类方法的优势与局限，并提出可行的改进建议与优化策略。