A quick guide to password attacks + how to stay secure against them

In a digital world, it is not uncommon to have many online accounts. As much as we like the idea of keeping our most sensitive information safe, many of us prefer the convenience of reusing the same, and in many cases easily guessable, passwords across multiple online accounts.  

This leaves those accounts vulnerable to password attacks. Attackers know this very well and use password attack methods and automated cracking tools, exploiting gaps in cybersecurity awareness to target vulnerable accounts in an organization.  

Trello, one of the world's biggest companies, was breached in 2024, with over 15 million user accounts compromised; personal information such as usernames, full names, email addresses and other personal details was stolen and sold on the dark web.   

Let us look at some of the common methods cybercriminals use to hack passwords, and some of the effective ways to ensure password security.   

What are password attacks? 

A password attack is when a cybercriminal bypasses password security by trying out multiple candidate passwords or keys using advanced techniques and automated tools. After gaining access to one account, the attacker can use it as a foothold for a wider, organization-wide cyber-attack.  

81% of data breaches are due to the compromise of credentials of workers with weak password security. 

Some interesting password facts

  • The first password attack was orchestrated in 1962 by a Ph.D. researcher who, wanting to use the system outside his allotted time, printed off all the passwords stored in the Compatible Time-Sharing System (CTSS)  
  • An average person has 100 passwords across the internet. (NordPass) 
  • 55% of people rely purely on their memory to keep track of passwords. (Bitwarden) 
  • 50% of people use the same password for all their logins. (LastPass) 
  • 86% of all web application attacks use stolen credentials. (Verizon) 

How do attackers hack your passwords?

Have you ever seen in movies how a thief picks a lock, trying combination after combination, and then, when he finally reaches the safe, presses his ear to it and turns the dial until he hears the lock open? That is roughly how password attacks work. 

Passwords are critical security keys that unlock the door to user accounts, and those accounts store a lot of sensitive information that attackers can exploit.  

To get at them, cybercriminals use a range of sophisticated password-cracking techniques. Here are the most common types of password attacks in cyber security: 

The most common types of password attacks 

1. Brute-force Attack

What is a Brute-force attack?

It is the most common attack since it is quite easy to orchestrate and quite effective. The attacker uses a password-cracking program that tries many possible combinations of digits, letters, and symbols until one matches the password.  

The brute-force program takes the account's password requirements into consideration, systematically tries the most common passwords first, and then falls back to trial and error to work through the remaining combinations.  

Therefore, the longer and more complex the password, the more time the program needs to find it. As per research conducted by Cloudflare, at a rate of 15 million attempts per second a password-cracking program can crack a seven-character password in around 9 minutes. 

How do you protect against a brute-force attack?

  • Enable MFA (multi-factor authentication) 
  • Use complex passwords (follow the tips for setting a strong password) 
  • Take the assistance of experts to set up remote access management  

2. Dictionary attack 

What is a Dictionary attack?

These attacks are like brute-force attacks, but the password-cracking program works through a list of the most commonly used passwords. It relies on the fact that many victims use real words and phrases found in a dictionary as passwords.  

They are more focused than brute-force attacks: instead of every possible combination, the attacker tries only the entries in a dictionary of collated passwords.  

Sophisticated dictionary attacks use more personal dictionaries, such as the most common pet names, children's names, birthplaces, etc. Modern-day dictionary attacks are highly adaptable and can be customized based on location.

How can we protect against dictionary attacks?

  • Set passwords that aren’t real words in dictionaries (add characters) 
  • Use password managers to generate secure passwords 
  • Enable biometric security  

3. Password spraying attack 

What is Password Spraying?

A password spraying attack is a dictionary attack run against many victims at once, trying one password (or a handful of the most used passwords/phrases) against each account. It is usually much faster than the brute-force method. It counts on the fact that most people keep weak passwords, much like one master key unlocking many safes.  

The attacker does this to avoid getting caught and to avoid the account lockouts that brute-force attempts trigger when they try many passwords against a single account. Favorite targets are organizations whose cloud-based applications sit behind Single Sign-On (SSO).    

Password-spraying attacks are usually conducted by highly sophisticated threat actors. They are among the most common types of password attacks, are highly challenging to detect, and often lead to massive data breaches.  

How can you protect against password spraying?

  • Use expert assistance  
  • Enable Active Directory password protection 
  • Conduct simulated attacks/ red teaming and pen testing 
  • Implement password-less user access 
  • Enable MFA 
  • Enable Biometric security 
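The distinction drawn above (brute force hammers one account with many passwords and trips lockouts; spraying touches many accounts with one or two passwords and slips under per-account lockouts) is exactly what an authentication-log detector should key on. The following is an added example, not code from the original article: it parses a constructed log format (timestamp, source IP, username, result), buckets events into fixed time windows, and flags a source as brute force when one account fails many times, or as a password spray when many distinct accounts each fail a few times. The thresholds, the window size and the log format are assumptions; adapt the parser to your own system's log format.

```python
"""Classify failed-login patterns into brute force vs. password spraying.

Added example (not from the original article). Log format, thresholds and
the 10-minute window are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. 203.0.113.7 hammers one account (brute force),
# 192.0.2.10 is a user who mistyped once, and 198.51.100.23 tries a single
# password against many accounts (spraying) and gets into "frank".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:02Z 203.0.113.7 alice FAIL
2024-05-01T09:00:03Z 203.0.113.7 alice FAIL
2024-05-01T09:00:04Z 203.0.113.7 alice FAIL
2024-05-01T09:00:05Z 203.0.113.7 alice FAIL
2024-05-01T09:00:06Z 203.0.113.7 alice FAIL
2024-05-01T09:02:10Z 192.0.2.10 bob FAIL
2024-05-01T09:02:25Z 192.0.2.10 bob OK
2024-05-01T09:05:00Z 198.51.100.23 alice FAIL
2024-05-01T09:05:01Z 198.51.100.23 bob FAIL
2024-05-01T09:05:02Z 198.51.100.23 carol FAIL
2024-05-01T09:05:03Z 198.51.100.23 dave FAIL
2024-05-01T09:05:04Z 198.51.100.23 erin FAIL
2024-05-01T09:05:05Z 198.51.100.23 frank OK
"""


def parse_line(line):
    """Parse one '<ISO timestamp> <ip> <user> <OK|FAIL>' record (assumed format)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "ip": ip, "user": user, "ok": result == "OK"}


def detect(log_text, window=timedelta(minutes=10), brute_threshold=5, spray_threshold=5):
    """Return a list of findings, one per (time window, source IP) that looks hostile."""
    per_bucket = defaultdict(list)  # (window index, ip) -> events in that window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        bucket = int(ev["when"].timestamp() // window.total_seconds())
        per_bucket[(bucket, ev["ip"])].append(ev)

    findings = []
    for (_, ip), events in per_bucket.items():
        failures = defaultdict(int)  # user -> failed attempts from this ip
        successes = []               # users that logged in OK from this ip
        for ev in events:
            if ev["ok"]:
                successes.append(ev["user"])
            else:
                failures[ev["user"]] += 1
        if not failures:
            continue
        worst_user, worst_count = max(failures.items(), key=lambda kv: kv[1])
        if worst_count >= brute_threshold:
            # Many failures concentrated on one account: classic brute force.
            findings.append({"kind": "brute_force", "ip": ip, "user": worst_user,
                             "failures": worst_count, "successes": successes})
        elif len(failures) >= spray_threshold and worst_count <= 2:
            # Few failures per account but spread over many accounts: spraying.
            # Any success in the same window is the highest-priority alert.
            findings.append({"kind": "password_spray", "ip": ip,
                             "accounts": sorted(failures), "successes": successes})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A per-account lockout rule alone would catch only the first source; the second never fails the same account twice, which is why the spray rule counts distinct accounts per source rather than failures per account. In practice the source key should also cover rotating IPs (for example by user-agent or ASN), since spraying tools often distribute attempts across many addresses.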

4. Rainbow table attack

What is a Rainbow Table Attack?

To provide added security for passwords and make them highly difficult to hack, organizations have started storing passwords as hashes rather than in plain text. Now you must be wondering what hashes are. In simple terms, hashing is a secure way to store passwords by converting them into data that cannot be converted back to the original form.  

Therefore, once hashed, data cannot be un-hashed. Attackers have found a way around this through rainbow table attacks, which use precomputed tables of hash values that let them work back from a stolen hash to the password that produced it. 

Hackers buy these rainbow tables on the dark web, where tables for common hashing algorithms are offered for sale. They also use easily available tools like RainbowCrack and Ophcrack to generate rainbow tables. Related to these attacks are pass-the-hash attacks, where attackers steal stored hashed credentials and gain unauthorized access to a network by presenting the hash itself as if they were legitimate users.  

How are rainbow table attacks prevented?

  • Be aware of suspicious attachments and links  
  • Keep changing passwords more frequently 
  • Keep your system and application software updated
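The reason a rainbow table works at all is that an unsalted hash of "123456" is the same everywhere, so it can be computed once and looked up forever. The following is an added example, not code from the original article, showing the weak and the hardened form side by side: a small precomputed lookup table (a stand-in for a real rainbow table, which uses chains to trade memory for time, but the attacker's view is the same) recovers a common password from its bare SHA-256, while the same password stored with a random per-user salt and PBKDF2 produces a different value every time and finds no match. The iteration count and the storage format are assumptions.

```python
"""Unsalted hash vs. salted, iterated hash (added example, not from the article)."""
import hashlib
import hmac
import os

# Constructed "table": a handful of entries from the common-password list,
# hashed without a salt. A real rainbow table is much larger and chain-based,
# but it answers the same question: "which password has this hash?"
COMMON = ["123456", "password", "qwerty", "iloveyou", "letmein"]


def unsalted_hash(password):
    """The weak form: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password for every word, once, for reuse against any victim."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Return the password behind an unsalted digest, or None if not in the table."""
    return table.get(digest)


def hash_password(password, iterations=600_000):
    """The hardened form: random 16-byte salt plus PBKDF2-HMAC-SHA256.

    The iteration count is an assumption for this example; pick it for your
    own hardware so that one verification takes a noticeable fraction of a
    second. The '$'-separated storage format is also just this example's choice.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON)
    print("unsalted 123456 recovered as:", lookup(table, unsalted_hash("123456")))
    stored_a = hash_password("123456")
    stored_b = hash_password("123456")
    print("same password, two users, same stored value?", stored_a == stored_b)
    print("salted digest in table?", lookup(table, stored_a.split("$")[-1]))
    print("verify correct password:", verify_password("123456", stored_a))
```

Salting defeats precomputation because the attacker would need one table per salt; the iteration count then makes even a per-user guessing run expensive. Note that salting does nothing against the pass-the-hash variant mentioned above, where the stolen hash is replayed rather than cracked; that needs the authentication protocol itself not to accept a bare hash.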

5. Phishing attack

One of the most common password attacks is phishing, where attackers use social engineering techniques to trick their victims into giving out their credentials. They pose as a legitimate business or a fellow employee and lure their targets by asking them to change their password, telling them their account needs attention, or asking them to update their account information.  

Attackers may also go after specific targets such as senior-level executives (whaling). They may engage in quid pro quo attacks, where they make their victims believe they are going to get a reward in exchange for their data and access, and they may inject scareware into their systems. Scareware is any malware that makes the victim panicked, anxious, or shocked, manipulating them into installing unwanted software. 

What are some ways to prevent phishing?

  • Follow best practices like SLAM to detect phishing 
  • Raise awareness regarding the different types of phishing  
  • Take expert assistance to implement best practices for email security 

6. Man-in-the-middle (MITM) attack

What is a MITM (Man in the Middle) Attack?

Another variant of a phishing attack is a man-in-the-middle attack, where the attacker sits between two entities – the victim and the party the victim is trying to communicate with. There are two kinds of MITM attacks.   

In the first, the attacker lures the victim with a sense of urgency, e.g. asking them to update their banking information by logging in with their credentials; when they enter the credentials they are shown an error message, while the attacker now has all of them.   

In the second, the attacker sends the victim a phishing mail that gets them to install spyware or malware that records their credentials in the background. Other types of MITM attacks include: 

  • Wi-Fi eavesdropping over public networks  
  • Spoofing of IP, DNS, HTTP  
  • SSL hijacking 
  • Email Hijacking 
  • Stealing browser cookies 

How can man in the middle attacks be prevented?

  • Use endpoint security (take expert assistance to get it set up for your business) 
  • Get network security assessed by experts  
  • Patch and update network firmware regularly 

7. Credential stuffing 

What is Credential Stuffing?

Another kind of attack is credential stuffing, where hackers take credentials stolen in a previous data breach and use them to gain access to accounts. They feed a list of stolen credentials to an automated program that replays them against other sites. These attacks are more precise than brute force and take far less time, since they start from credentials that are already known to be valid somewhere. Hackers buy these credentials on the dark web, where dumps containing millions and sometimes billions of credentials are for sale. The attack relies on the fact that many people use the same password in many places. 

How do you protect against credential stuffing?

  • Periodically change passwords 
  • Monitor online identities  
  • Use a password manager to create a strong password 

8. Keylogger attack 

What is a Keylogger?

A keylogger, as the name suggests, records every keystroke the victim makes and relays it back to the attacker, capturing everything the victim types, including passwords. There are two ways an attacker might plant a keylogger.  

One is by sending the victim a phishing email with an attachment that installs the malicious keylogger software on their system; the other is by physically attaching a hardware-based keylogger to the victim's workstation.  

How can keyloggers be prevented?

  • MFA 
  • Biometrics 
  • Security Scanner 
  • Password manager

WTD?? What’s The Difference?

Difference between brute force attack vs dictionary attack vs Credential Stuffing vs Password spraying

Brute force = Tries every single combination possible

Dictionary attacks = Only tries words and phrases from a prepared list  

Credential Stuffing = Only tries stolen credentials

Password spraying = A type of dictionary attack that tries the same few passwords on multiple accounts at a time

What are some important password attack prevention measures?

Here are some basic measures you can implement to secure your accounts against password attacks:

  • Avoid using personal information 
  • Update passwords regularly  
  • Use a password manager  
  • Never use the same password for multiple accounts 
  • Use strong passwords – alphanumeric with special characters  
  • When creating a password, always keep it as lengthy and complex as possible 
  • Always check your password strength  
  • Randomize patterns and sequences, making them very difficult to guess 
  • Always avoid sharing your password with anyone; if you have shared it, change it afterwards 
  • Avoid using public Wi-Fi, as hackers can set up a local honeypot to steal your credentials and launch further attacks 
  • Enable 2FA (two-factor authentication) 
  • Enforce a strong password policy 
  • Block the most commonly used passwords 

What is a password manager? 

A password manager is a secure service that uses strong encryption to protect a user's login details. Given that an average user has more than 100 passwords, managing all of them across multiple locations online becomes quite challenging.

How do password managers work? 

With a password manager, one only has to remember a single master password; everything else is stored securely and can be accessed from one place, any time. This helps avoid reusing the same password in multiple places, which is quite risky. Password managers also come with a password generator that can produce a strong, unique password for every site.  

Most common passwords 2024

What are the most common passwords in the world? Here is a list of the 30 most used passwords from around the world. Is yours in there? Check it out, and if it is, change it immediately! 

  1. 123456 
  2. password 
  3. 123456789 
  4. 12345 
  5. 12345678 
  6. qwerty 
  7. 1234567 
  8. 111111 
  9. 1234567890
  10. 123123 
  11. abc123 
  12. 1234 
  13. password1 
  14. iloveyou 
  15. 1q2w3e4r 
  16. 000000 
  17. qwerty123 
  18. zaq12wsx 
  19. dragon 
  20. sunshine 
  21. princess 
  22. letmein 
  23. 654321 
  24. monkey 
  25. 27653 
  26. 1qaz2wsx 
  27. 123321 
  28. qwertyuiop 
  29. superman 
  30. asdfghjkl 
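The "enforce a strong password policy" and "block the most commonly used passwords" measures above, and the dictionary-attack defence of not using real words, come down to a check that runs when a password is set. The following is an added example, not code from the original article: it rejects any password on the 30-entry list above (case-insensitively), enforces a minimum length and character-class mix, screens for supplied personal information, and estimates how long a pure brute-force search would take at the 15 million guesses per second quoted in the brute-force section. The minimum length of 12 and the three-class rule are assumptions; the time estimate assumes the attacker tries every combination of the character classes the password actually uses.

```python
"""Password policy check against the article's common-password list (added example)."""
import string

# The 30 entries listed in the article, lower-cased for comparison.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345", "12345678", "qwerty", "1234567",
    "111111", "1234567890", "123123", "abc123", "1234", "password1", "iloveyou",
    "1q2w3e4r", "000000", "qwerty123", "zaq12wsx", "dragon", "sunshine", "princess",
    "letmein", "654321", "monkey", "27653", "1qaz2wsx", "123321", "qwertyuiop",
    "superman", "asdfghjkl",
}

MIN_LENGTH = 12        # assumption for this example
MIN_CLASSES = 3        # assumption: at least three of lower/upper/digit/symbol
GUESSES_PER_SECOND = 15_000_000  # rate quoted in the brute-force section


def character_classes(password):
    """Return the set of character classes the password draws from."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def charset_size(password):
    """Size of the alphabet an attacker must search if they know which classes are used."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    return sum(sizes[c] for c in character_classes(password))


def seconds_to_exhaust(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case brute-force time: every string over the used alphabet, at the given rate."""
    return charset_size(password) ** len(password) / guesses_per_second


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    for item in personal_info:
        # Names, pet names, birthplaces etc. that a targeted dictionary would contain.
        if item and item.lower() in password.lower():
            problems.append("contains personal information")
            break
    return problems


if __name__ == "__main__":
    for candidate in ["qwerty123", "abcdefg", "RexTheDog2024!", "Tq7!vb9#Lm2$Xz"]:
        print(candidate, check_password(candidate, personal_info=["Rex"]),
              f"brute-force worst case: {seconds_to_exhaust(candidate) / 60:.1f} min")
```

The time estimate reproduces the article's figure: a seven-character lowercase password spans 26^7 combinations, which at 15 million guesses per second is about 9 minutes, whereas the 14-character mixed example above runs to many millions of years. The list check matters independently of length, because a dictionary or spraying attack never searches the whole space; it tries the entries on this list first.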
