Some of the most common types of password attacks include password cracking, password spraying, dictionary attacks, credential stuffing, brute force and rainbow table attacks. The better your password habits are, the less susceptible you are to password attacks. Keeper’s Password Management Report found that only 25% of respondents use strong, unique passwords for every account – meaning that 75% of respondents place their accounts at risk of being compromised due to weak passwords.
Continue reading to learn about the six most common types of password attacks, why they’re dangerous and what you can do to protect yourself against password-related attacks.
Password cracking
Password cracking is when cybercriminals use programs and tools to gain unauthorized access to online accounts. While there are several types of password-cracking techniques, they all have the common goal of compromising user accounts for malicious purposes. As Artificial Intelligence (AI) has become more advanced, cybercriminals are using AI to their advantage because AI tools make it easier to crack passwords. With AI, the speed at which cybercriminals can crack passwords has increased significantly.
Brute force attack
A brute force attack is when cybercriminals use software in an attempt to guess login credentials through trial and error. Brute force software works by inputting several different combinations of credentials until it’s able to find a match. While it may sound inefficient to attempt to guess passwords through trial and error, the software that cybercriminals use can process trillions of password combinations in a short amount of time.
Password spraying
Password spraying, also called a password spray attack, is when cybercriminals use a list of commonly used passwords to attempt to gain access to several accounts on one domain. These lists contain weak passwords that many people use such as 123456 or password. With a password-spraying tool, cybercriminals can input these lists and use the tool to crack several passwords at once.
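From a defender's side, brute force and password spraying leave opposite patterns in failed-login logs: many guesses against one account versus a few guesses against many accounts. The following is an added example, not part of the original article; the log records, thresholds and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of failed-login events as (source_ip, username) pairs.
FAILED_LOGINS = (
    [("203.0.113.5", "alice")] * 40                               # one account, 40 guesses
    + [("198.51.100.7", f"user{i:02d}") for i in range(25)] * 2   # 25 accounts, 2 guesses each
    + [("192.0.2.10", "bob")] * 3                                 # a user mistyping a password
)


def classify_sources(events, many_users=10, many_tries=20, few_tries=3):
    """Label each source IP by the shape of its failed logins.

    The thresholds are hypothetical defaults; tune them to your own traffic.
    """
    # failures[ip][username] -> number of failed attempts
    failures = defaultdict(lambda: defaultdict(int))
    for ip, user in events:
        failures[ip][user] += 1

    verdicts = {}
    for ip, users in failures.items():
        max_tries = max(users.values())
        if len(users) >= many_users and max_tries <= few_tries:
            # Wide and shallow: a short password list tried across many accounts.
            verdicts[ip] = "password spraying"
        elif max_tries >= many_tries:
            # Narrow and deep: many guesses against the same account.
            verdicts[ip] = "brute force"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(FAILED_LOGINS).items():
        print(f"{ip}: {verdict}")
```

Per-account lockout only catches the narrow-and-deep pattern, which is why spraying needs a check that counts distinct accounts per source.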
Dictionary attack
A dictionary attack is a password attack that uses common dictionary words and phrases to compromise accounts. In a dictionary attack, cybercriminals use a wordlist that contains commonly used words and phrases for passwords. They then use a password-cracking program to input the word combinations into different user accounts in an attempt to crack passwords.
Credential stuffing
Credential stuffing is a password attack that exploits the fact that many people reuse passwords across multiple accounts. In a credential-stuffing attack, cybercriminals use a set of credentials to attempt to compromise multiple accounts at once. Oftentimes, cybercriminals use credentials leaked in public data breaches.
Rainbow table attack
A rainbow table attack is when cybercriminals use a special table in an attempt to crack password hashes. A password hash is what results when a password is run through a one-way function that changes it into a string of unreadable characters. If a company you have an account with hashes user passwords, that means they only store the password hashes. This is so cybercriminals aren’t able to know what your account password is if that company were to suffer a data breach.
However, hashed passwords are still vulnerable to rainbow table attacks. In a rainbow table attack, cybercriminals gather a list of potential passwords that usually consist of commonly used password combinations. They then use a hash function to turn each of those passwords into password hashes – both the plaintext password and password hashes are then stored in the rainbow table. The password hashes are then reduced further to create a chain of hashes that are then used to try to find a match. When a corresponding hash value is found, the cybercriminal knows which password to use to compromise a user’s online account.
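On the storage side, precomputed tables only work when the same password always produces the same hash. The following added example (not from the original article) compares an unsalted fast hash with a per-user salted, deliberately slow hash; the password list, iteration count and function names are assumptions, and the table is a plain hash-to-password lookup standing in for a real rainbow table's chains.

```python
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "qwerty"]  # constructed sample list
ITERATIONS = 600_000  # PBKDF2 work factor chosen for this example


def unsalted_hash(password):
    """Weak storage: a fast hash with no salt, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


# Simplified stand-in for a precomputed table: hash -> plaintext.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def recoverable_from_table(stored_hex):
    """Return the plaintext if the stored hash appears in the table, else None."""
    return PRECOMPUTED.get(stored_hex)


def store_salted(password):
    """Stronger storage: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("unsalted lookup:", recoverable_from_table(unsalted_hash("password")))
    salt, digest = store_salted("password")
    print("salted lookup:  ", recoverable_from_table(digest.hex()))
    print("login still works:", verify_salted("password", salt, digest))
```

Because every account gets its own salt, a table would have to be rebuilt per account, which removes the advantage of precomputing it.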
Why Password Attacks Are Dangerous
Password attacks are dangerous because they can lead to account compromise or account takeover, which can result in having your identity stolen and suffering financial losses. Account takeover is when an unauthorized individual gains access to one or more of your online accounts and locks you out by changing your password. Because your password was changed, it can take a while for you to regain access to your account, or, in some cases, you may not be able to regain access to your account at all.
During the time an unauthorized individual has access to your account, they can gather sensitive information about you and use that information to steal your identity. Identity theft can be difficult to recover from and result in severe financial losses.
How Can I Protect Myself Against Password Attacks?
Here are a few ways you can protect yourself against password attacks.
Use passkeys if supported on the website or app
Passkeys are a new authentication technology that allows you to log in to your online accounts without having to enter a password. Rather than you having to create a password yourself, a passkey is automatically generated on your device, browser or password manager when you create one. With passkeys, you never have to worry about them being weak or reused like you do with traditional passwords. Passkeys are made strong by default and can’t be easily compromised like passwords, making them one of the most secure ways to authenticate who you are when logging in to an account.
Passkeys are still new, so only certain websites and applications support them at the moment. Instead of using passwords, which are susceptible to password attacks, opt to use passkeys on any website or application you have an account with that supports the use of them. You can see which websites and applications currently support the use of passkeys in our Passkeys Directory.
Use strong, unique passwords
Not all websites support passkeys, so you’ll still need to create strong passwords for most of your online accounts. When creating passwords, make sure they follow password best practices so they can’t be easily guessed or cracked. We recommend using a password generator when creating your passwords so they are always strong and unique.
If you’re worried about how you’re going to remember multiple strong, unique passwords, consider using a password manager. Password managers aid users in generating strong passwords for each of their online accounts and securely storing them alongside other authentication methods like passkeys and multi-factor authentication codes. The only password you’ll have to remember is your master password.
Enable MFA whenever it’s an option
Multi-Factor Authentication (MFA) is a security measure that you can enable on most of your online accounts. With MFA enabled, apart from entering your username and password, you also have to provide one or more additional authentication factors to log in to an account. Even if a cybercriminal were able to crack your password, they would still be unable to compromise your online accounts because they wouldn’t be able to provide the additional factors needed to authenticate as you.
Be cautious of social engineering attacks
Social engineering is when cybercriminals use psychological manipulation to get victims to reveal sensitive information. One of the most common types of social engineering attacks is phishing. Phishing is when cybercriminals get victims to reveal sensitive information by pretending to be someone the victim knows such as a company they have an account with or a family member.
Social engineering attacks commonly try to get victims to reveal their login credentials for their online accounts. If you’re not cautious of social engineering attacks, you could easily give up your login credentials and risk account compromise. One of the best ways to avoid social engineering attacks is to never give out your personal information to just anyone, especially the logins to your online accounts. You should also avoid clicking on any unsolicited links you’re sent to prevent yourself from downloading malware or inputting your login credentials or other sensitive information into a phishing website.
Don’t Let Password Attacks Lead To Compromised Accounts
With so many online accounts, it can become overwhelming to create strong, unique passwords for each account, while also enabling MFA whenever it’s an option. Making sure each of your online accounts is secure doesn’t have to be difficult – a password manager like Keeper® can help keep your accounts safe from common password attacks.
With Keeper, you can manage your passkeys, passwords and even 2FA codes, so you can protect your online accounts without having to worry about weak or reused passwords. Start a free 30-day trial of Keeper today to prevent your accounts from becoming compromised due to password attacks.