The Different Types of Password Attacks: An Overview

Credential attacks have become the main focus of cybersecurity teams and attackers alike. Microsoft has found that the volume of password attacks doubled in the 12 months leading up to May 2022, while Verizon’s authoritative Data Breach Investigations Report found compromised credentials to be responsible for half of all data breaches and for more than 80% of web application attacks. They also are one of the top data types stolen — their widespread use and potential to do further harm makes them a primary target for attackers. 

The types of password attacks that hackers use to compromise users’ passwords vary greatly and broadly fall under two categories: guessing and stealing. In this  article, we go through the most common types of password attacks in each category to help you identify and protect your organization against them. 

Types of Password Attacks: Guessing

The standard modus operandi for these types of password attacks is usually based on the attacker already having personal information, such as an email address or other login, which they then leverage for multiple login attempts. These include:

Dictionary Attacks: Here, a hacker runs through all the possible passwords from a predefined dictionary of terms. This list usually includes passwords taken from security breaches leaked online, common passwords and terms, as well as typical variations, such as capitalized first letters, numbers and symbols.

Credential Stuffing: Billions of username and password pairs from previous data breaches are available for purchase on the dark web. Attackers can write rudimentary scripts that will cycle through all of these known pairings for various websites. The attack is a numbers game, with any account access found then used to elevate attacks. These types of password attacks succeed because of how often people reuse the same password across multiple accounts.

Brute Force: This is really a general term for any type of attack that tries multiple combinations of a password for an account, often using automated tools and additional data points that the attacker has, such as minimum password length or the requirement that it includes certain characters. More sophisticated brute-forcing applies a type of cryptanalytic attack, such as leveraging a SQL injection to get hashed passwords. A powerful computer will then try all possible combinations of letters, numbers and characters to discover what the hashed password was. The longer and more complicated the password, the longer this kind of brute force attack will take.

Password Spraying: This is a brute force attack that does the opposite of a dictionary attack in that it keeps the password as a constant and tries multiple different usernames to see if there’s a match. This is primarily targeted at circumventing security measures where login is locked after several unsuccessful attempts. The passwords used in these types of attacks come from common lists of the most popular ones used across the world.

Types of Password Attacks: Theft

With this category of attacks, bad actors attempt to use various means to either intercept, record or otherwise steal a user’s password. These types of password attacks include:

Phishing: This is among the most popular and effective of all types of password attacks, with several different varieties on the theme. The basic premise is that users receive a trustworthy-seeming email or SMS with a login link. However, this link redirects to either a fake login page or a real login page directed through an attacker’s proxy server. When the user enters their details, they are stolen by the attacker. Using a simultaneous login, this method can also be used to steal one-time passwords (OTPs) sent to SMS as part of a multi-factor authentication process.

Man-in-the-Middle (MitM): With these types of password attacks, which also include Man-in-The-Browser attacks, an attacker attempts to intercept information as it is in transit between two parties. This action can sometimes eavesdrop on unencrypted usernames, passwords or other personal details. However, even intercepted encrypted data can still be used to narrow the focus and thus reduce the time required for brute-forcing a password.

Keylogger: Keystroke logging, or keylogging, is where an attacker manages to upload malware onto a user’s device that records their keystrokes. This data is then exfiltrated to the attacker where, especially when combined with a screen recorder, they can easily discover the credential pairing for an account.

SIM-Swapping: With this type of password attack, the attacker leverages personal information gathered about the victim from elsewhere. They use this information to convince their cell company to switch the phone number to a SIM card they control, usually by claiming the phone was lost or stolen. This means that attackers can use OTPs or account recovery information sent to that phone number to take over the victim’s accounts. This is a surprisingly effective attack, and the FBI has reported over $60 million being stolen in recent targeted attacks, especially on cryptocurrency holders.

Eliminate the Risk by Eliminating Passwords

Passwords and other user credentials are increasingly the focus of attacks and the leading cause of data breaches. There are several different types of password attacks that bad actors use to take over user accounts and commit fraud or escalate their attack. While organizations may deploy counter-measures, the only absolute way to be sure of preventing password attacks is by eliminating passwords and other shared secrets from the authentication process.

HYPR’s True Passwordless multi-factor authentication (PMFA) system delivers the highest level of security assurance around authentication protocols while also providing a seamless user experience. Only the complete removal of passwords from the login and authentication processes can ensure your organization is immune to password attacks, which comprise the vast majority of all security threats.

To learn more about passwordless authentication, download our Passwordless Security 101 Guide.

Interested in seeing how HYPR’s Passwordless MFA solution works? Talk to our team about arranging a free demo.

New call-to-action