Learn about five common types of password attacks, from brute force to credential stuffing. Protect your accounts with strong, unique passwords, and enable 2FA!
- Brute Force Attack: Hackers use automated software to try every combination of characters until they find the right one. This is very effective if the password is short or weak, but very time-consuming if it’s long and complex.
- Dictionary Attack: Using a list of common words or previously leaked passwords, attackers try each word one by one. This is faster than brute force because it focuses only on the most common possibilities.
- Rainbow Table Attack: Attackers use a pre-computed table of hashes to look up a stolen hash. With a rainbow table, hackers can find the original password more quickly if the database doesn’t use salting.
- Keylogger: Malware or hardware that records every user keystroke. When the victim types a password, it is immediately recorded and becomes available to the attacker.
- Social Engineering (including Phishing): Hackers trick victims into entering their passwords using fake websites or emails that appear legitimate, and then store all the information for misuse.
- Credential Stuffing: Criminals use leaked credentials from one platform (username + password) and attempt automated logins to other services. This is effective because many people use the same passwords across multiple sites.
Protection Tips:
- Use long, unique, and random passwords (or passphrases).
- Enable two-factor authentication (2FA/MFA) on important accounts.
- Avoid reusing passwords across different platforms.
- Ensure your system implements modern hashing with salt, such as bcrypt or Argon2.
- Limit the number of failed login attempts (account lockout) to prevent brute-force attacks or credential stuffing.
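Why salting matters for the rainbow table item and the hashing tip above, as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt or Argon2 so it runs without extra packages; the function names, the iteration count and the sample users are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    """Weak storage: fast, unsalted digest. Same password gives the same hash everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow storage: a fresh random salt for every stored password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def precomputed_table(candidates):
    """Stand-in for a rainbow table: digest -> password, built once, reused on any dump."""
    return {unsalted_hash(p): p for p in candidates}


def audit(records, table):
    """Return the users whose stored value can be found in the precomputed table."""
    return sorted(user for user, stored in records.items() if stored in table)


# Constructed sample data: two users who picked the same common password.
COMMON = ["123456", "password", "qwerty"]
TABLE = precomputed_table(COMMON)
WEAK_DB = {"alice": unsalted_hash("qwerty"), "bob": unsalted_hash("qwerty")}
SALTED_DB = {"alice": hash_password("qwerty"), "bob": hash_password("qwerty")}

if __name__ == "__main__":
    print("unsalted, found in table:", audit(WEAK_DB, TABLE))
    print("salted, found in table:  ", audit(SALTED_DB, TABLE))
    print("salted hashes differ:    ", SALTED_DB["alice"] != SALTED_DB["bob"])
```

The salt only removes the benefit of pre-computation; a weak password can still be guessed one attempt at a time, which is why the work factor and the failed-login limit still matter.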


