What type of password attack uses a list of known passwords to guess your password?

1. Random Guesses

Usernames are the portion of credentials that do not change, and are also highly predictable, regularly taking the form of first initial plus surname. Usernames are commonly an email address, something widely communicated. An attacker now has half the details needed to log into many of your systems. All that’s missing is the password.

A random password guess rarely succeeds unless it’s a common password, or based on a dictionary word. Knowing information about the target identity enhances the likelihood of a successful guess by a threat actor. This information is gathered from social media, direct interaction, deceptive conversation, or even data aggregated from prior breaches.

The most common variants for passwords susceptible to guessing include these common schemas:

  • The word “password” or basic derivations like “passw0rd”
  • Derivations of the account owner’s username, including initials. This may include subtle variations, such as numbers and special characters.
  • Reformatted or explicit birthdays for the user or their relatives, most commonly, offspring
  • Memorable places or events
  • Relatives’ names and derivations with numbers or special characters, when presented together
  • Pets, colors, foods, or other important items to the individual

While automated password cracking tools are not necessary for password guessing attacks, they will improve the success rate.

Password guessing attacks tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts. When account holders reuse passwords across multiple resources with poor password hygiene practices, then the risks of password guessing and lateral movement dramatically increase.

2. Dictionary Attacks

Dictionary attacks are an automated technique utilizing a list of passwords against a valid account to reveal the password. The list itself is a dictionary of words. Basic password crackers use lists of common single words like “baseball” to crack a password, hack an account, and reveal the complete credential.

If the threat actor knows the password length and complexity requirements of the target account, the dictionary is customized to the target. Advanced password crackers often use a dictionary and mix in numbers and symbols to mimic a real-world password with complexity requirements.

An effective dictionary attack tool lets a threat actor:

  • Set complexity requirements for length, character requirements, and character set
  • Manually add words and combinations of words/names
  • Target common misspellings of frequently used words
  • Operate in multiple languages

A weakness of dictionary attacks is that they rely on real words, plus whatever derivations the tool's user or its default dictionary supplies. If the real password is fictitious, mixes multiple languages, or consists of more than one word or phrase, it should thwart a dictionary attack.
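The guessing schemas listed under Random Guesses and the word-plus-mangling approach described for dictionary attacks can be turned into a defensive check at password-set time. The example below is added here for illustration and is not code from the original article or from any product it mentions: it undoes the common leetspeak substitutions, strips trailing digits and symbols, and rejects candidates that collapse to a common word, to a string derived from the account owner's username or name, or that contain the owner's birth year. The wordlist, the substitution map, and the 12-character minimum are assumptions chosen for the example; a real deployment would load a breached-password list or a full dictionary file.

```python
import re

# Constructed sample wordlist for illustration; a real check would load a
# breached-password list or a full dictionary file instead.
COMMON_WORDS = {"password", "baseball", "welcome", "letmein", "qwerty", "summer"}

# Reverse of the character substitutions that cracker mangling rules apply,
# so that "passw0rd" and "p@ssword" normalize back to "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo leetspeak.

    'Passw0rd!23' -> 'password', 'Smith2024!' -> 'smith'.
    """
    core = candidate.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET_MAP)


def derived_terms(username: str, full_name: str) -> set[str]:
    """Identity-derived strings an attacker would try first: the username's
    local part, each name component, first initial + surname, and initials."""
    terms = set()
    local = username.split("@")[0].lower()
    terms.add(local)
    terms.update(p for p in re.split(r"[^a-z]+", local) if p)
    names = [p for p in re.split(r"\s+", full_name.lower()) if p]
    terms.update(names)
    if names:
        terms.add(names[0][0] + names[-1])        # e.g. jsmith
        terms.add("".join(n[0] for n in names))   # e.g. js
    return {t for t in terms if len(t) >= 2}


def weak_reasons(candidate, username, full_name, birth_year=None, min_length=12):
    """Return the list of reasons a candidate password is guessable; empty if none."""
    reasons = []
    core = normalize(candidate)
    if core in COMMON_WORDS:
        reasons.append("dictionary word or leetspeak variant of one")
    # Longest terms first so "jsmith" is reported before "smith" when both match.
    for term in sorted(derived_terms(username, full_name), key=len, reverse=True):
        if core == term or (len(term) >= 4 and term in core):
            reasons.append(f"derived from the account owner's identity ({term})")
            break
    if birth_year is not None and str(birth_year) in candidate:
        reasons.append("contains the owner's birth year")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Smith2024!", "J0hn1985", "correct horse battery staple"):
        print(f"{pw!r}: {weak_reasons(pw, 'jsmith@example.com', 'John Smith', 1985) or 'ok'}")
```

The normalization runs before the comparison, which is the same order a mangling-rule cracker works in reverse: the check only needs to undo the substitutions the page lists ("passw0rd", trailing numbers and symbols) to see the underlying word the attacker would start from.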

The most common method to mitigate the threat of a dictionary attack is account lockout. After “n” wrong attempts, a user’s account is automatically locked for a period of time. It must then be unlocked by an authority, like the help desk, or via an automated password reset solution. However, the lockout setting is sometimes disabled. Thus, if logon failures aren't monitored in event logs, a dictionary attack is an effective attack vector for a threat actor.
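The lockout mechanism just described is simple to implement correctly, and implementing it makes one of its limits visible. The example below is added here for illustration and is not code from the original article or from any product it mentions: a sliding-window policy that locks an account after `max_failures` failures within `window_s` seconds, refuses even the correct password while the lock is active, and clears its state when the lock expires. The thresholds, the `verify` callback, and the account names are assumptions for the example. The last function runs a single spraying pass (one password against every account) through the same policy to show that a purely per-account threshold never fires for that pattern.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Sliding-window lockout: `max_failures` failed logins for one account
    within `window_s` seconds lock that account for `lockout_s` seconds."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock expired: clear the account's state
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Record a failed attempt; return True if this attempt triggered a lock."""
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                 # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            recent.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(policy, verify, account, password, now):
    """Return 'locked', 'ok' or 'failed'. A locked account is refused before the
    password is checked, so a correct guess during the lockout gains nothing."""
    if policy.is_locked(account, now):
        return "locked"
    if verify(account, password):
        policy.record_success(account)
        return "ok"
    return "locked" if policy.record_failure(account, now) else "failed"


def spray_lockouts(policy, accounts, password, verify, start=0.0, gap_s=1.0):
    """Try one password against every account once (a spraying pass) and count
    how many accounts the policy locked. With per-account thresholds only, the
    answer is 0, which is why failures must also be watched per source."""
    locked = 0
    for i, account in enumerate(accounts):
        if attempt_login(policy, verify, account, password, start + i * gap_s) == "locked":
            locked += 1
    return locked


if __name__ == "__main__":
    # Assumed verifier for the demo: every account's real password is the same fixed string.
    verify = lambda account, pw: pw == "correct-horse"
    policy = LockoutPolicy(max_failures=3, window_s=60, lockout_s=600)
    for t in range(4):
        print(t, attempt_login(policy, verify, "alice", "guess", t))
    print("locked by spray:", spray_lockouts(LockoutPolicy(max_failures=3), [f"user{i}" for i in range(20)], "Passw0rd", verify))
```

Keeping the lock check ahead of the password check matters: if the order were reversed, an attacker could keep guessing during the lockout and learn from the response whether a guess was right.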

3. Brute Force

Brute force password attacks use a programmatic method to try every possible combination for a password. This method is efficient for passwords that are short and have low complexity. It can become infeasible, even for the fastest modern systems, with a password of eight characters or more.

If a password only has alphabetical characters, whether uppercase or lowercase, the odds are that it would take 8,031,810,176 guesses to crack. This assumes the threat actor knows the password length and complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language.

With the proper parameters dialed in, a brute force attack will always find the password, eventually. The computing power required and the length of time it takes often render a brute force attempt moot by the time it completes. The time it takes to perform an attack is determined by the time needed to generate all possible password permutations, plus the response time of the target system for each attempt.

Brute force password attacks tend to be the least efficient method for hacking a password. Thus, threat actors use them as a last resort.
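The 8,031,810,176 figure quoted above equals 26^7, the keyspace of a seven-character password drawn from a single-case 26-letter alphabet. The calculator below is added here as an example and is not part of the original article: it computes the keyspace for the alphabets and lengths a policy might require, the larger total an attacker faces when the exact length is unknown, and the worst-case time at a given guess rate. The alphabet sizes are standard (26, 52, 62, and 95 printable ASCII characters); the online and offline guess rates in the table are assumptions for the example, not figures from the page.

```python
# Alphabet sizes used in this example: 26 single-case letters, 52 mixed-case
# letters, 62 alphanumerics, 95 printable ASCII characters.
ALPHABETS = {"lower": 26, "mixed": 52, "alnum": 62, "printable": 95}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Number of passwords of length 1..max_length, for an attacker who does
    not know the exact length and must also try every shorter candidate."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return space / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit (Julian year = 365.25 days)."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def estimate_table(lengths=(7, 8, 12), rates=None):
    """Rows of (alphabet name, length, keyspace, {rate label: worst-case time})."""
    # Assumed rates: a throttled online login form versus offline hash cracking.
    rates = rates or {"online 10/s": 10.0, "offline 1e9/s": 1e9}
    rows = []
    for name, size in ALPHABETS.items():
        for n in lengths:
            space = keyspace(size, n)
            times = {label: human(seconds_to_exhaust(space, rate)) for label, rate in rates.items()}
            rows.append((name, n, space, times))
    return rows


if __name__ == "__main__":
    for name, n, space, times in estimate_table():
        detail = "  ".join(f"{label}: {t}" for label, t in times.items())
        print(f"{name:>9} len {n:>2}: {space:>26,}  {detail}")
```

The online-versus-offline contrast is the practical takeaway: against a rate-limited login form even the seven-letter keyspace quoted above takes decades, whereas the same keyspace falls in seconds once an attacker holds the password hashes and can guess offline.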

4. Credential Stuffing

Credential stuffing is an automated hacking technique that utilizes stolen credentials. These credentials consist of lists of usernames, email addresses, and passwords. The technique generally leverages automation to submit login requests directed against an application and to capture successful login attempts for future exploitation.

Credential stuffing attacks do not attempt to brute force or guess any passwords. The threat actor automates authentication based on previously discovered credentials using customized tools. This approach can entail launching millions of attempts to determine where a user potentially reused their credentials on another website or application.

Credential stuffing attacks prey on password reuse and are only effective because so many users reuse the same credential combinations across multiple sites.

5. Password Spraying

Password spraying is a credential-based attack that attempts to access many accounts by using a few common passwords. Conceptually, this is the opposite of a brute force password attack. Brute force attempts to gain access to a single account by repeatedly submitting large quantities of password combinations.

During a password spray attack, the threat actor attempts a single, commonly used password (such as “12345678” or “Passw0rd”) against many accounts before proceeding to attempt a second password.

The threat actor tries every user account in their list with the same password before starting over with the next password. Because each account sees only one attempt per pass, with time between attempts, this technique minimizes the risk of detection and of lockouts on any single account.

With poor password hygiene by any one user or on any single account, the threat actor will likely succeed in infiltrating the resource.
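Earlier sections note that guessing and dictionary attacks leave evidence in event logs and that per-account lockout is the usual mitigation; this section explains why spraying slips past that lockout. Grouping failed logons by source rather than only by account catches both shapes. The example below is added here for illustration and is not code from the original article or from any product it mentions: it parses a constructed log format, counts failures per source and per account, and flags a source that fails against many accounts a few times each (spray) separately from a source that fails against one account many times (brute force or dictionary). The log format, the sample lines, the account names, the IP addresses (drawn from documentation ranges) and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not a real product's format):
#   <timestamp> auth: <OK|FAIL> user=<account> src=<ip>
LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def build_sample_log():
    """Constructed sample: one source sprays six accounts once each and then
    logs in as one of them; a second source hammers a single account; a third
    is a user who mistypes once. IPs are from documentation ranges."""
    lines = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"2024-05-01T10:00:{i:02d}Z auth: FAIL user={user} src=203.0.113.5")
    lines.append("2024-05-01T10:00:09Z auth: OK user=frank src=203.0.113.5")
    for i in range(12):
        lines.append(f"2024-05-01T10:05:{i:02d}Z auth: FAIL user=alice src=198.51.100.7")
    lines.append("2024-05-01T10:10:00Z auth: FAIL user=bob src=192.0.2.10")
    lines.append("2024-05-01T10:10:07Z auth: OK user=bob src=192.0.2.10")
    return lines


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(events, spray_min_accounts=5, spray_max_per_account=2, brute_min_failures=10):
    """Group failures by source and account and flag the two shapes:
    spray = one source, many accounts, few failures each;
    brute = one source, one account, many failures."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(set)                   # src -> users that logged in
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])

    findings = []
    for src, per_user in fails.items():
        if len(per_user) >= spray_min_accounts and max(per_user.values()) <= spray_max_per_account:
            findings.append({"type": "password_spray", "src": src,
                             "accounts": len(per_user),
                             # any successful logon from a spraying source is a likely compromise
                             "compromised": sorted(successes[src])})
        for user, n in per_user.items():
            if n >= brute_min_failures:
                findings.append({"type": "brute_force", "src": src, "user": user, "failures": n})
    return findings


def detect(lines, **thresholds):
    return classify(parse(lines), **thresholds)


if __name__ == "__main__":
    for finding in detect(build_sample_log()):
        print(finding)
```

The per-account lockout in the text would never trigger on the first source here, since every account saw exactly one failure; keying the count by source IP is what exposes the pattern, and a success from the same source after the spray is the event worth escalating first.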

An unfortunate truth is that signing up for online accounts is a tad easier when you can use a username and password you know you’ll be able to remember — we’re creatures of habit, after all. However, in the digital age, reusing the same login credentials can make you vulnerable to a password attack. These kinds of cyberattacks compromise and exploit your personal information by decoding the passwords used to keep people out.

Thankfully, there are several measures you can take to build your defenses against password crackers, beginning with diving into this comprehensive guide to the types of password attacks. You can explore the different ways people avoid them, in addition to some password theft prevention tips you can use to boost your Cyber Safety.  

10 types of password attacks + how to avoid them 

By taking the time to understand the different types of password attacks and learning how to avoid them, you can show password hackers you’re playing chess while they fool around with checkers.

1. Brute force attack 

A brute force password attack is essentially a guessing game where the hacker tries different password combinations using hacking software until they’re able to crack the code. These hackers hope that their victims either reused a password that’s already compromised or used a generic phrase, such as “12345.” 

How to avoid: Create unique passwords for every online account.

2. Credential stuffing  

Credential stuffing is a brute force attack that uses stolen credentials to break into your online accounts and profiles. Aside from using spyware and other kinds of malware to get the credentials they want, the dark web often has lists of compromised passwords for cybercriminals to use for their devious plans. Hackers may use these lists to carry out their credential stuffing schemes and exploit your data.

How to avoid: Enable two-factor authentication on your online accounts when possible.

3. Social engineering 

Cyberthieves have a variety of skills — one of which is creating believable websites. Password hackers create what people know as social engineering websites that they design to seem like legitimate login pages. These cybercriminals send you to a fake login field that won’t give you access to your account. It only records the information you type in, giving the cybercriminal exactly what they want.

How to avoid: Never click on suspicious links or attachments.

4. Dictionary attack 

Another sibling of the brute force attack family is the dictionary attack. These cyberattacks play on our habit of using single-word phrases as our passwords. The hacker may use automated password-guessing software to try every word in the dictionary as your password to see if they have any luck.

More advanced dictionary attack hackers develop a list of keywords specific to your life, such as birthdates, sibling/pet names, and/or previous street names. 

How to avoid: Create complex passwords that include a variation of numbers, letters, and symbols.

5. Keylogger attack 

A keylogger is spyware used to track and record what you type on your keyboard. Although keyloggers can be legal to use in some circumstances, hackers take advantage of this software by infecting vulnerable devices and recording private information without the owner's knowledge.

How to avoid: Install reliable antivirus software onto your device.

6. Password spray attack 

Password spraying is when a hacker uses a large number of stolen passwords — sometimes in the millions — on a small number of online accounts to see if they can gain access. Hackers use advanced automated password-guessing software that can limit the number of attempts that it tries on an account. This lets them avoid triggering security alerts and continue trying under the radar. 

How to avoid: Make a routine of changing your passwords every couple of months.

7. Phishing 

Password phishing attacks often come in the form of an email or text message bringing your attention to some kind of urgent matter. The hacker may pair these messages with a link to a strategically designed social engineering website created to trick you into logging into your profile. These websites will record the credentials you type in, giving the attacker direct access to your actual account.

How to avoid: Double check the URLs before logging into accounts.

8. Man-in-the-middle attack 

A man-in-the-middle attack uses phishing messages to pose as a legitimate business in order to accomplish the following goals:

  • Use malicious attachments to install spyware and record the passwords
  • Embed links to social engineering websites to get people to compromise their own credentials  

How to avoid: Double-check the sender’s email address on suspicious email messages.

9. Traffic interception 

Traffic interception is a man-in-the-middle attack. This is when password crackers eavesdrop on network activity to capture passwords and other types of sensitive information. There are a number of ways cybercriminals do this, one of which is by monitoring unsecure Wi-Fi connections. But they could also use a tactic called SSL hijacking — when the cybercriminal intercepts a connection between a target and the legitimate site they’re on and records any information shared between the two.

How to avoid: Avoid public Wi-Fi and install a VPN.

10. Shoulder surfing 

Being aware of your physical surroundings is just as important as watching for suspicious activity online. One way that hackers get their hands on passwords is by looking over people’s shoulders in public as they type. People are often too focused on putting in their password to check for nosy neighbors looking their way.

How to avoid: Enable biometric features like facial recognition to sign into accounts on mobile devices.

How to prevent password attacks

When it comes to hackers and their password attacks, you have a lot more power than you think. Take a look at all the things you can do to keep password attacks and the potential dangers they present at bay.

Create complex passwords 

This may seem obvious, but creating strong, reliable passwords is essential to protect your data. Reusing passwords or creating basic phrases could make you susceptible to cyberattacks, such as password spraying, credential stuffing, and more. 

Change passwords routinely 

Making a routine of changing your passwords can help keep password crackers guessing. For accounts holding medical and/or financial details, try switching things up every two or three months. Other than that, six months to a year is a good timetable. Even if a cybercriminal is able to get close to cracking your password, they’ll have to start over once you change it.

Use multi-factor authentication

Multi-factor authentication, aka two-factor authentication, presents the opportunity to add another layer of protection to help keep your data safe. It can range from a unique code sent via email or text to predetermined security questions that only you know the answer to.

Enable biometric authentication 

Biometric security features are an excellent tool for those looking to protect themselves from cybercriminals. As another form of multi-factor authentication, facial recognition and fingerprint technology help ensure that only you will see the account information in need of protection.

Consider a password manager 

Password managers are great for people looking to add a little organization to their Cyber Safety. Aside from saving all the passwords you create, they can also suggest strong passwords when you create a new account.

Download antivirus software 

Antivirus software can help if a password hacker ever tries to install malicious spyware or keyloggers onto your device. If the security software detects a threat, it can diagnose and attempt to remove the virus.

Now that you know the types of password attacks and how to avoid them, the next step in your cybersecurity journey may be learning how to create a hack-proof password on your own. Regardless, with these skills at your disposal, your passwords could potentially help protect against any password attack that comes your way.