8 Worst Password Attack Types & How to Stop Them

Robert MacDonald

Password attacks are becoming easier to achieve with most people having too many passwords to remember, leading them to use the same password over and over.

What is a password attack? Password attacks are malicious ways hackers attempt to gain access to your account. Examples of password attacks include brute-force attacks, credential stuffing, and password spraying.

What Is Password Security?

A study commissioned by NordPass showed that most individuals are working with around 100 different passwords. It’s no wonder, then, that passwords are often the most attractive target for hackers looking to break into enterprise systems. According to IBM, data breaches cost businesses an average of $1.07 million.

As multi-user systems and the internet became the norm, system designers and admins used username and password combinations as a logical and simple approach to security.

This approach made sense at the time, when physical limitations meant that systems had limited users, and users, in turn, had little use for multiple system accounts. The explosion of online services like email, social media, e-commerce, cloud storage, and banking led to individuals having several accounts across dozens of platforms, each with their own unique account information. 

Relying on passwords, essentially, led us to critical security issues:

  • Simple Passwords: Passwords should be hard to guess, but users faced with memorizing 100 complex passwords will often instead opt to create simple ones —simple passwords that are, unfortunately, easy to guess or break. 
  • Reused Passwords: Even a handful of passwords are difficult to remember, and users aren’t prone to writing every single password down. Instead, as Infosecurity Magazine notes, up to 65% of users reuse the same or similar username/password combinations across multiple accounts. This includes reuse of credentials across consumer and work-related accounts. 
  • Password Theft: Password systems aren’t interested in the actual user sitting at a computer, only that they have the right credentials. That means that passwords are much easier to steal and use without repercussion. 

These practices prevent a unique problem for security experts and administrators. First, simple passwords are easy to hack, even with the simplest methods. Second, hackers who steal credentials from one platform can attempt them across several major platforms with a relatively high success rate. 

The relative strength of the password is also subject to the cyberhealth of the user, including how well they protect knowledge of their passwords. 

What Are the 8 Most Prominent Password Attacks?

Based on these three potential problems, a whole host of attacks have emerged to try and steal login credentials from users. 

It’s important to understand the impact that password attacks have on cybersecurity. We often have an image of hacking in our heads that comes from movies, one that isn’t quite based on reality. Instead of shadowy figures directly connecting to external systems, most breaches start when a hacker gets access to that system from password theft.

With that in mind, here are some of the most common password attacks:

Brute-Force 

The simplest and slowest form of password attack is the brute-force method. Automated systems manually attempt several million, billion, or trillion combinations of letters and numbers in the hope of accidentally stumbling on an account password. 

This form of attack isn’t practical for online accounts for the most part, where page loading times and server security features (like limiting page requests) limit effectiveness. However, a brute-force method can potentially pose a threat to stolen hardware or databases where the hackers can mount attacks in real time without an internet connection. 

The following methods can help prevent brute-force attacks:

  • Utilizing complex passwords with combinations of upper- and lowercase letters, numbers, and symbols can make guessing difficult.
  • Using longer passwords is also preferable, as longer passwords add exponential layers of complexity to brute-force guessing. 
  • Enact account lock if a user provides an incorrect password too many times. A locked account with limited cooldown time can thwart brute-force attacks. 
  • Implementing multi-factor authentication and passwordless solutions can eliminate the effectiveness of brute-force attacks, as they require credentials that these methods cannot replicate. 

Dictionary

Dictionary attacks try words from a predetermined list in attempt to brute-force an account’s password. These dictionaries, while including fewer overall words, will often focus on “common” passwords compiled by hackers over the years. The lists  can also include terms from actual dictionaries, common names, or combinations of dates and locations. 

The following methods can help prevent dictionary attacks:

  • Avoiding common passwords made of readable words, even if you are using combinations of common words. 
  • Creating passwords out of random or seemingly random combinations of letters, numbers, and characters.
  • Enacting account lock if a user provides an incorrect password too many times. A locked account with limited cooldown time can thwart brute-force attacks. 
  • Implementing multi-factor authentication and passwordless solutions can eliminate the effectiveness of brute-force attacks, as they require credentials that these methods cannot replicate. 

Keyloggers

Keyloggers are types of software that monitor keystrokes on the host system and copy that information into a text file. These types of software can come from some other kind of hack, like an infected email attachment or something installed locally on the machine. A keylogger will expose any passwords typed by the user. 

The following methods can help prevent keylogger attacks:

  • Scanning systems for malware or other malicious software using antivirus tools, and checking for unexpectedly installed software in the system. 
  • Maintaining complete physical protection over physical computers, including strong authentication for workstations and physical security (locks, keypads, and cameras) in any area where computers are located. 

Credential Stuffing

It’s common for a hacker, upon hacking one account, to attempt using those credentials on several other accounts. Similarly, hackers who steal passwords (through, for example, a database breach) will wait and, over time, attempt to use those credentials again, both in other systems and within the same system again. 

This approach assumes that at least some users will fail to update passwords after a breach and that more users will not change an identical username and password on a different system. 

The following methods can help prevent credential stuffing attacks:

  • Forcing users to change passwords after a breach. A mandatory change can mitigate the threat of old passwords causing a problem.
  • Requiring users to change their passwords at regular intervals and making it so they cannot reuse previous username and password combinations. 
  • Making password managers mandatory if sticking with passwords as a primary security approach. 

Phishing

Phishing has been one of the most prominent forms of cyberattack. It counts on users’ ignorance of modern security threats and their trust in official-seeming emails by spoofing these emails to request user passwords. 

No one is invulnerable to these attacks, and phishing has been the source of some of the most significant cybersecurity events in modern history—massive spear phishing attempts have cost enterprises billions of dollars in stolen funds. 

Phishing itself is a widespread form of attack, with several different forms:

  • Email
  • SMS Texts
  • Video Conferencing Software
  • Voice Calls
  • Spoofed Websites

All of these approaches can use marketing messaging, spoofed email templates, spoofed email addresses, and additional measures to fool users into giving up their passwords. 

The following methods can help prevent phishing attacks:

  • Training team members, from salaried employees to senior executives, on how to recognize phishing attacks when they see them. 
  • Implementing email-based warnings to provide alerts when employees receive emails from outside of the organization. 

Password Spraying

Password spraying tries to attack multiple accounts at once in search of weak passwords. 

A spraying attack will take a handful of common passwords (like a dictionary attack) but rely on regular patterns, like well-known defaults, birthdates, or simple phrases like combinations of numbers and the word “password,” and attempt to brute-force multiple accounts at the same time. 

This “spray approach” will not have the same success rate as a dedicated dictionary attack. Instead, it counts on a numbers game: across hundreds of accounts, at least one of them is using weak password security. 

The strength of this attack is that it only takes one set of stolen credentials to compromise an entire enterprise system. 

The following methods can help prevent password spraying attacks

  • Avoiding common passwords made of readable words, even if you are using combinations of common words. 
  • Creating passwords out of random or seemingly random combinations of letters, numbers, and characters.
  • Requiring users to change their passwords at regular intervals and making it so that they cannot reuse previous username and password combinations. 
  • Making password managers mandatory if sticking with passwords as a primary security approach. 
  • Implementing multi-factor authentication and passwordless solutions can eliminate the effectiveness of brute-force attacks, as they require credentials that these methods cannot replicate. 

Man-in-the-Middle

Man-in-the-middle attacks occur when a hacker gains control of an intermediary system between two parties, such as a user and an authentication platform, and steals information as it moves back and forth between them (including passwords). Unsecure channels of communication can make this information easily readable, and any attacker in the middle can read the information without alerting either party to the threat. 

The following methods can help prevent man-in-the-middle attacks:

  • Encrypting data entering and leaving the organization, and avoiding sending any information, including login credentials, over cleartext.
  • Leveraging virtual private networks for remote users accessing critical systems. 

Prevent Password Attacks with 1Kosmos Passwordless Authentication

Users practice weak password security because it can be difficult to manage hundreds of passwords across all their accounts. Organizations like yours, interested in securing this critical attack vector, would do well by limiting or eliminating how vulnerable your users are to attack. 

Enter 1Kosmos BlockID. Our approach is to provide easy-to-use authentication through mobile apps, including passwordless authentication, decentralized identity management, and strong MFA capabilities. 

1Kosmos brings the following features to your organization:

  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Streamlined User Experience: 1Kosmos provides simple user onboarding and convenient access anywhere, anytime and on any device. The experience can be delivered via the BlockID app or integrated via our SDK into your custom app.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out of the box integrations or via API/SDK.

Discover how to maintain password security in your organization: read our whitepaper on how to Secure Your Distributed Workforce and Go Passwordless. Also, sign up for our newsletter to learn the latest on 1Kosmos products and innovations.  

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.