Stealing the password file from a computer is safer than attempting to log in remotely.

1. Random Guesses

Usernames are the portion of credentials that do not change, and are also highly predictable, regularly taking the form of first initial plus surname. Usernames are commonly an email address, something widely communicated. An attacker now has half the details needed to log into many of your systems. All that’s missing is the password.

A random password guess rarely succeeds unless it’s a common password, or based on a dictionary word. Knowing information about the target identity enhances the likelihood of a successful guess by a threat actor. This information is gathered from social media, direct interaction, deceptive conversation, or even data aggregated from prior breaches.

The most common variants for passwords susceptible to guessing include these common schemas:

  • The word “password” or basic derivations like “passw0rd”
  • Derivations of the account owner’s username, including initials. This may include subtle variations, such as numbers and special characters.
  • Reformatted or explicit birthdays for the user or their relatives, most commonly, offspring
  • Memorable places or events
  • Relatives’ names and derivations with numbers or special characters, when presented together
  • Pets, colors, foods, or other important items to the individual

While automated password cracking tools are not necessary for password guessing attacks, they will improve the success rate.

Password guessing attacks tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts. When account holders reuse passwords across multiple resources with poor password hygiene practices, then the risks of password guessing and lateral movement dramatically increase.

2. Dictionary Attacks

Dictionary attacks are an automated technique utilizing a list of passwords against a valid account to reveal the password. The list itself is a dictionary of words. Basic password crackers use lists of common single words like “baseball” to crack a password, hack an account, and reveal the complete credential.

If the threat actor knows the password length and complexity requirements of the target account, the dictionary is customized to the target. Advanced password crackers often use a dictionary and mix in numbers and symbols to mimic a real-world password with complexity requirements.

An effective dictionary attack tool lets a threat actor:

  • Set complexity requirements for length, character requirements, and character set
  • Manually add words and combinations of words/names
  • Target common misspellings of frequently used words
  • Operate in multiple languages

A weakness of dictionary attacks is that they rely on real words and derivations supplied by the user of the default dictionary. If the real password is fictitious, uses multiple languages, or uses more than one word or phrase, it should thwart a dictionary attack.

The most common method to mitigate the threat of a dictionary attack is account lockout attempts. After “n” times of wrong attempts, a user’s account is automatically locked for a period of time. It must be manually unlocked by an authority, like the help desk or via an automated password reset solution. However, the lockout setting is sometimes disabled. Thus, if logon failures aren't monitored in event logs, a dictionary attack is an effective attack vector for a threat actor.

3. Brute Force

Brute force password attacks utilize a programmatic method to try all possible combinations for a password. This method is efficient for passwords that are short in string (character) length and complexity. This can become infeasible, even for the fastest modern systems, with a password of eight characters or more.

If a password only has alphabetical characters, including capital letters or lowercase, odds are it would take 8,031,810,176 guesses to crack. This assumes the threat attacker knows the password length and complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language.

With the proper parameters dialed in, a brute force attack will always find the password, eventually. The computing power required and length of time it takes often renders brute force tests a moot by the time it has completed. The time it takes to perform attacks is determined by the time it takes to generate all possible password permutations. Then, the response time of the target system is factored in.

Brute force password attacks tend to be the least efficient method for hacking a password. Thus, threat actors use them as a last resort.

4. Credential Stuffing

Credential stuffing is an automated hacking technique that utilizes stolen credentials. These credentials are comprised of lists of usernames, email addresses, and passwords. The technique generally leverages automation to submit login requests directed against an application and to capture successful login attempts for future exploitation.

Credential stuffing attacks do not attempt to brute force or guess any passwords. The threat actor automates authentication based on previously discovered credentials using customized tools. This approach can entail launching millions of attempts to determine where a user potentially reused their credentials on another website or application.

Credential stuffing attacks prey on password reuse and are only effective because so many users reuse the same credential combinations across multiple sites.

5. Password Spraying

Password spraying is a credential-based attack that attempts to access many accounts by using a few common passwords. Conceptually, this is the opposite of a brute force password attack. Brute force attempts to gain authorized access to a single account by repeatedly pumping large quantities of password combinations.

During a password spray attack, the threat actor attempts a single, commonly used password (such as “12345678” or “Passw0rd”) against many accounts before proceeding to attempt a second password.

The threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique minimizes the risk of the threat actor's detection and lockouts on a single account due to the time between attempts.

With poor password hygiene by any one user or on any single account, the threat actor will likely succeed in infiltrating the resource.

Password attacks are one of the most common forms of corporate and personal data breach. A password attack is simply when a hacker trys to steal your password. In 2020, 81% of data breaches were due to compromised credentials. Because passwords can only contain so many letters and numbers, passwords are becoming less safe. Hackers know that many passwords are poorly designed, so password attacks will remain a method of attack as long as passwords are being used.

Protect yourself from password attacks with the information below.

Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily. Sometimes they lead you to fake "reset your password" screens; other times, the links install malicious code on your device. We highlight several examples on the OneLogin blog.

Here are a few examples of phishing:

  • Regular phishing. You get an email from what looks like goodwebsite.com asking you to reset your password, but you didn't read closely and it's actually goodwobsite.com. You "reset your password" and the hacker steals your credentials.
  • Spear phishing. A hacker targets you specifically with an email that appears to be from a friend, colleague, or associate. It has a brief, generic blurb ("Check out the invoice I attached and let me know if it makes sense.") and hopes you click on the malicious attachment.
  • Smishing and vishing. You receive a text message (SMS phishing, or smishing) or phone call (voice phishing, or vishing) from a hacker who informs you that your account has been frozen or that fraud has been detected. You enter your account information and the hacker steals it.
  • Whaling. You or your organization receive an email purportedly from a senior figure in your company. You don't do your homework on the email's veracity and send sensitive information to a hacker.

To avoid phishing attacks, follow these steps:

  • Check who sent the email: look at the From: line in every email to ensure that the person they claim to be matches the email address you're expecting.
  • Double check with the source: when in doubt, contact the person who the email is from and ensure that they were the sender.
  • Check in with your IT team: your organization's IT department can often tell you if the email you received is legitimate.

avoid phishing attacks

Man-in-the middle (MitM) attacks are when a hacker or compromised system sits in between two uncompromised people or systems and deciphers the information they're passing to each other, including passwords. If Alice and Bob are passing notes in class, but Jeremy has to relay those notes, Jeremy has the opportunity to be the man in the middle. Similarly, in 2017, Equifax removed its apps from the App Store and Google Play store because they were passing sensitive data over insecure channels where hackers could have stolen customer information.

To help prevent man-in-the-middle attacks:

  • Enable encryption on your router. If your modem and router can be accessed by anyone off the street, they can use "sniffer" technology to see the information that is passed through it.
  • Use strong credentials and two-factor authentication. Many router credentials are never changed from the default username and password. If a hacker gets access to your router administration, they can redirect all your traffic to their hacked servers.
  • Use a VPN. A secure virtual private network (VPN) will help prevent man-in-the-middle attacks by ensuring that all the servers you send data to are trusted.

key logger attack

If a password is equivalent to using a key to open a door, a brute force attack is using a battering ram. A hacker can try 2.18 trillion password/username combinations in 22 seconds, and if your password is simple, your account could be in the crosshairs.

To help prevent brute force attacks:

  • Use a complex password. The difference between an all-lowercase, all-alphabetic, six-digit password and a mixed case, mixed-character, ten-digit password is enormous. As your password's complexity increases, the chance of a successful brute force attack decreases.
  • Enable and configure remote access. Ask your IT department if your company uses remote access management. An access management tool like OneLogin will mitigate the risk of a brute-force attack.
  • Require multi-factor authentication. If multi-factor authentication (MFA) is enabled on your account, a potential hacker can only send a request to your second factor for access to your account. Hackers likely won't have access to your mobile device or thumbprint, which means they'll be locked out of your account.

traffic interception

A type of brute force attack, dictionary attacks rely on our habit of picking "basic" words as our password, the most common of which hackers have collated into "cracking dictionaries." More sophisticated dictionary attacks incorporate words that are personally important to you, like a birthplace, child's name, or pet's name.

To help prevent a dictionary attack:

  • Never use a dictionary word as a password. If you've read it in a book, it should never be part of your password. If you must use a password instead of an access management tool, consider using a password management system.
  • Lock accounts after too many password failures. It can be frustrating to be locked out of your account when you briefly forget a password, but the alternative is often account insecurity. Give yourself five or fewer tries before your application tells you to cool down.
  • Consider investing in a password manager. Password managers automatically generate complex passwords that help prevent dictionary attacks.

brute force

If you've suffered a hack in the past, you know that your old passwords were likely leaked onto a disreputable website. Credential stuffing takes advantage of accounts that never had their passwords changed after an account break-in. Hackers will try various combinations of former usernames and passwords, hoping the victim never changed them.

To help prevent credential stuffing:

  • Monitor your accounts. There are paid services that will monitor your online identities, but you can also use free services like haveIbeenpwned.com to check whether your email address is connected to any recent leaks.
  • Regularly change your passwords. The longer one password goes unchanged, the more likely it is that a hacker will find a way to crack it.
  • Use a password manager. Like a dictionary attack, many credential stuffing attacks can be avoided by having a strong and secure password. A password manager helps maintain those.

prevent credential stuffing

Keyloggers are a type of malicious software designed to track every keystroke and report it back to a hacker. Typically, a user will download the software believing it to be legitimate, only for it to install a keylogger without notice.

To protect yourself from keyloggers:

  • Check your physical hardware. If someone has access to your workstation, they can install a hardware keylogger to collect information about your keystrokes. Regularly inspect your computer and the surrounding area to make sure you know each piece of hardware.
  • Run a virus scan. Use a reputable antivirus software to scan your computer on a regular basis. Antivirus companies keep their records of the most common malware keyloggers and will flag them as dangerous.

social engineering attacks

The best way to fix a password attack is to avoid one in the first place. Ask your IT professional about proactively investing in a common security policy that includes:

  • Multi-factor authentication. Using a physical token (like a Yubikey) or a personal device (like a mobile phone) to authenticate users ensures that passwords are not the sole gate to access.
  • Remote access. Using a smart remote access platform like OneLogin means that individual websites are no longer the source of user trust. Instead, OneLogin ensures that the user's identity is confirmed, then logs them in.
  • Biometrics. A malicious actor will find it very difficult to replicate your fingerprint or facial shape. Enabling biometric authentication turns your password into only one of several points of trust that a hacker needs to overcome.