Cyber Attacks Explained – Password attacks

How cybercriminals target passwords and accounts

Introduction

Despite the rise in the use of biometrics, passkeys, and multi-factor authentication (MFA), passwords remain one of the most widely used methods of securing digital accounts. From email and banking to social media and corporate systems, passwords continue to serve as the first line of defence for billions of users worldwide.

Unfortunately, passwords are also one of the most frequently targeted elements in cyber attacks.

Cybercriminals understand that compromising a user’s password can provide access to sensitive information, financial accounts, business systems, and even entire networks. As a result, attackers have developed numerous techniques to steal, guess, crack, or bypass passwords.

What is a password attack?

A password attack is any attempt to obtain, guess, crack, steal, or misuse a password in order to gain unauthorised access to a system, application, account, or network.

The attacker’s goal may be to:

  • Access sensitive information
  • Steal money
  • Commit fraud
  • Install malware
  • Escalate privileges
  • Move through a corporate network
  • Conduct espionage

Password attacks can target:

  • Individual users
  • Employees
  • Administrators
  • Service accounts
  • Entire organisations

Some attacks rely on technical methods, while others exploit human behaviour.

Why passwords are attractive targets

Passwords are often considered the “keys” to digital systems.

If an attacker obtains a password, they may gain access to:

  • Email accounts
  • Banking systems
  • Cloud services
  • Business applications
  • Corporate networks
  • Customer databases

Gaining access to an email account will, in most cases, allow attackers to compromise all other accounts owned by the victim.

If a user forgets the password to an account and clicks the “forgot password” link, where does the reset message go? To the user’s email account, which is now under the control of the attacker.

As such, once attackers have access to an email account, they scan it for evidence of other linked accounts (loyalty cards, banks, shopping sites, investment systems, and more) and then systematically target the password reset options of those sites, locking the victim out of each and every one of them.

Unlike many technical vulnerabilities, password attacks often exploit predictable human habits.

Despite years of education, many users still:

  • Choose weak passwords
  • Reuse passwords across multiple sites
  • Share passwords
  • Store passwords insecurely
  • Fall victim to phishing attacks

These behaviours create opportunities for attackers.

Understanding Authentication

Authentication is the process of verifying identity. Traditionally, authentication relies on one or more factors:

Something You Know

Examples:

  • Passwords
  • PINs
  • Security questions

Something You Have

Examples:

  • Smartphones
  • Hardware tokens
  • Smart cards

Something You Are

Examples:

  • Fingerprints
  • Facial recognition
  • Iris scans

Password attacks primarily target the first category: something you know.

Common types of password attacks

Cybercriminals use numerous techniques to compromise passwords. The most common methods are:

Brute force attacks

A brute force attack involves systematically trying password combinations until the correct one is found, just like trying every possible key on a keyring until one opens the door.

A brute force tool may attempt password1, password2, password3, password4, etc. until access is gained.

Modern computers can perform thousands of password guesses per second.

This is why passwords should be long and complex: this increases the time required to try every possible permutation. The problem is that most people don’t like having to remember complex, lengthy passwords, and so revert to short, memorable passwords – typically ones found in the dictionary.

Dictionary attacks

A dictionary attack is a more efficient version of brute forcing.

Instead of trying every possible combination, attackers use lists of commonly used passwords.

Examples include Password123, Welcome123, Summer2026, Football123, etc.

Dictionary attack lists often contain millions of passwords collected from previous data breaches.

Because many users choose predictable passwords, dictionary attacks can be highly effective and quick to succeed.

Hybrid attacks

Hybrid attacks combine dictionary attacks with additional modifications.

For example:

A starting password could be something like “football”.

The attack tool may then generate hundreds of permutations of this, such as football1, football123, Football123, football2026, etc.

This approach mirrors how many users create passwords.

This sort of attack can be extremely efficient if the attacker knows a little bit about the victim – e.g. children’s or spouse’s names, pet names, what school they attended, what their favourite football team is, etc.
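A defender-side way to reject the passwords a hybrid attack would generate, as an added example that is not the post’s own code: the checker undoes the usual mangling rules (case, appended years, digits and punctuation, leetspeak substitutions) and rejects a candidate whose base word is on a deny list. The deny list, the `LEET_MAP` and the `check_password` helper are constructed for this example.

```python
import re

# Constructed deny list standing in for a breach-derived dictionary of common base words.
COMMON_BASE_WORDS = {"football", "password", "welcome", "summer", "qwerty", "letmein"}

# Leetspeak substitutions a hybrid attack applies; reversed here to recover the base word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(candidate: str) -> str:
    """Reverse the common mangling rules: strip leading/trailing digits and punctuation
    (years, '123', '!'), lower-case, then undo leetspeak substitutions."""
    stripped = re.sub(r"[\d\W_]+$", "", candidate)   # trailing year, digits, punctuation
    stripped = re.sub(r"^[\d\W_]+", "", stripped)     # leading ones too
    return stripped.lower().translate(LEET_MAP)


def is_hybrid_guessable(candidate: str, deny=COMMON_BASE_WORDS) -> bool:
    """True when the candidate is just a dictionary word with mangling applied."""
    return base_word(candidate) in deny


def check_password(candidate: str, min_len: int = 12) -> list:
    """Return the reasons a candidate is rejected; an empty list means it is accepted.
    The length rule is a constructed policy value for this example."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too short")
    if is_hybrid_guessable(candidate):
        reasons.append(f"derived from common word '{base_word(candidate)}'")
    return reasons


if __name__ == "__main__":
    for pw in ["Football2026!", "F00tb4ll123", "Summer26", "correct horse battery staple"]:
        print(pw, "->", check_password(pw) or "accepted")
```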

Credential stuffing

Credential stuffing is one of the most common modern password attacks, and it relies on password reuse.

The attack works as follows:

  1. Attackers obtain credentials from a data breach.
  2. They test the credentials on other websites.
  3. Accounts using the same password become compromised.

So for example, a user has the following credentials:

Email: user@example.com
Password: MyPassword123

If the password is reused across different services, a breach at one site can compromise all accounts that use the same credentials.

Credential stuffing succeeds because password reuse remains widespread, as people don’t like having to remember multiple credentials for multiple services.

Password spraying

Password spraying is the opposite of traditional brute forcing.

Instead of trying many passwords against one account, attackers try a small number of common passwords against many accounts.

The attacker tests these passwords across hundreds or thousands of accounts.

This approach helps avoid account lockouts while exploiting weak password choices.

Phishing-based password attacks

Not all password attacks involve guessing. Sometimes attackers simply trick users into revealing passwords via a phishing attack.

A phishing attack may:

  • Impersonate a bank
  • Mimic a Microsoft login page
  • Pretend to be a cloud service

The victim enters their credentials into a fake login page, which sends the information directly to the attacker.

Phishing remains one of the most effective methods of password theft.

Keylogging attacks

A keylogger is an application or piece of hardware that records keyboard activity. Every key pressed by the user is captured.

The attacker receives both the username and the password without needing to crack anything.

Keyloggers may be delivered through:

  • Malware
  • Malicious downloads
  • Infected email attachments

Shoulder surfing

Shoulder surfing is a surprisingly simple attack, as all it entails is the ability to watch someone enter their password.

This may occur:

  • In offices
  • At airports
  • In coffee shops
  • On public transport

Although a very low-tech approach, shoulder surfing remains very effective.

Social engineering attacks

Social engineering involves manipulating people into revealing information.

Examples include:

  • Pretending to be IT support
  • Impersonating a manager
  • Claiming an account needs verification

The attacker persuades the victim to disclose their password voluntarily; no technical exploitation is required.

Password hash attacks

Organisations generally do not store passwords in plain text. Instead, they store hash digests of the passwords.

A hash digest is a fixed-length value derived from the password by a one-way hashing function.

For example, password123 becomes 482c811da5d5b4bc6d497ffa98491e38 when run through the MD5 hashing algorithm.

When a user logs in to a system, the password is hashed and the hash is then transmitted to the service, which compares the transmitted hash against the stored value. If they match, the login succeeds; if they do not match, it is rejected.

If attackers obtain password hashes during a breach, they may attempt to crack them.

Online password cracking

Many of the attacks outlined above are classed as online, in that the attack takes place against the very system that uses the password.

Online attacks are risky for the attacker, as there are controls in place that will detect and block attacks on accounts. Many work on a lock-out approach: if a number of unsuccessful attempts to access an account are detected in a short timespan, the affected account is locked for a period of time. This hampers brute-force attacks and password spraying attempts.

Offline password cracking

Offline cracking occurs when attackers possess password hashes from a target system and transfer them to a system under their own control.

Unlike with online attacks, they can make unlimited guesses without interacting with the target system.

Attackers use specialised hardware such as GPUs to test vast numbers of passwords against the hashes. Weak passwords may be cracked within seconds. Strong passwords may remain resistant for years.

Rainbow table attacks

A rainbow table is a precomputed database of password hashes for a given hashing algorithm and dictionary. Rather than storing every possible hash individually, the hashes are grouped into chains, and only the start and end of each chain is stored.

This reduces a table of potentially millions of hashes down to a few thousand entries.

Instead of comparing an obtained hash against millions of stored values, the hash is compared with the reduced set of chains until the chain containing it is found; that chain is then expanded so that the individual hash, and the password that produced it, can be located.

Modern systems reduce the effectiveness of rainbow table attacks through a technique called salting.

A salt is a random value that is combined with the password before it is hashed. This makes rainbow tables useless, as a table would need to contain every possible hash for every possible salt.
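An added example, not code from the post, that puts the two storage schemes side by side: an unsalted MD5 digest is recovered by a precomputed lookup (the digest quoted above is the MD5 of the lowercase password123), while a salted PBKDF2-HMAC-SHA256 record yields a different digest for every user and defeats the same lookup. The record format iterations$salt$digest and the small word list are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a cracking dictionary of common passwords.
COMMON_PASSWORDS = ["password123", "Password123", "Welcome123", "Summer2026", "football"]


def unsalted_md5(password: str) -> str:
    """Legacy storage: one bare MD5 digest, identical for every user who chose this password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Digest -> password map computed once up front; a rainbow table plays the same role."""
    return {unsalted_md5(w): w for w in words}


def lookup_unsalted(digest: str, table: dict) -> Optional[str]:
    """Recover the password behind an unsalted digest by lookup alone, with no guessing."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest' (format chosen for this example).
    A fresh 16-byte random salt per user means equal passwords give unequal records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def lookup_salted(stored: str, table: dict) -> Optional[str]:
    """The precomputed table never contains a salted digest, so the same lookup finds nothing."""
    return table.get(stored.split("$")[2])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", lookup_unsalted(unsalted_md5("Welcome123"), table))
    record = hash_password("Welcome123")
    print("salted  :", lookup_salted(record, table), "| verify:", verify_password("Welcome123", record))
```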

Pass-the-hash attacks

In some environments, particularly enterprise networks, attackers may not need to know the actual password.

Instead, they use stolen authentication hashes directly in what is known as a pass-the-hash attack.

If successful, attackers can authenticate to services without ever recovering the original password. So long as they have the hash, they can present it to the target system and it will allow them to authenticate.

This is often seen during advanced network intrusions.

Multi-Factor Authentication (MFA) attacks

As organisations increasingly adopt MFA, attackers have developed techniques to bypass it.

Examples include:

MFA fatigue attacks

Many corporate networks use Multi-Factor Authentication systems such as Cisco Duo for users to authenticate with. In attacks against these systems, attackers spoof Duo notifications, causing the victim to receive repeated authentication requests. Eventually, the victim approves one of them out of frustration in order to stop further requests.

Real-time phishing

In these attacks, the attacker captures the username, password, and MFA code and immediately uses them before the code expires.

Session Hijacking

In this sort of attack, the attacker steals an authenticated session token, thus avoiding the need for the password entirely.

Why weak passwords are dangerous

Weak passwords dramatically increase the success rate of password attacks. These weak passwords appear frequently in password-cracking dictionaries and breach databases.

Attackers test them regularly because they continue to work surprisingly often.

How organisations defend against password attacks

Modern organisations use multiple security controls.

Multi-Factor Authentication

MFA significantly reduces the impact of stolen passwords.

Even if a password is compromised, an additional authentication factor is required.

Account Lockout Policies

Repeated failed login attempts trigger temporary account lockouts.

This helps mitigate brute force attacks.

Password Complexity Requirements

Organisations may require:

  • Minimum lengths
  • Special characters
  • Password uniqueness

Password Hashing and Salting

Strong hashing algorithms protect stored credentials.

Salting prevents rainbow table attacks.

Monitoring and Detection

Security systems monitor for:

  • Failed login attempts
  • Credential stuffing activity
  • Unusual authentication behaviour
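As an added example (not the post’s own tooling), this shows why a per-account lockout policy stops a brute force attempt but not password spraying, and how a source-centric detection catches the spray; it serves the password spraying and account lockout sections above as well as this one. The log format, IP addresses, account names and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed log lines in the form "time source_ip account outcome"; not real data.
BRUTE_FORCE = [f"10:00:{i:02d} 203.0.113.10 alice FAIL" for i in range(6)]
SPRAY = [f"10:01:{i:02d} 198.51.100.7 user{i:02d} FAIL" for i in range(12)]
NORMAL = ["10:02:00 192.0.2.5 dave OK", "10:02:05 192.0.2.5 dave FAIL", "10:02:09 192.0.2.5 dave OK"]
SAMPLE_LOG = "\n".join(BRUTE_FORCE + SPRAY + NORMAL)

LOCKOUT_THRESHOLD = 5     # consecutive failures per account before it is locked (constructed value)
SPRAY_MIN_ACCOUNTS = 10   # distinct accounts failing from one source before it is flagged


def parse_log(text):
    """Split each line into (time, ip, account, outcome)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def apply_lockout(events, threshold=LOCKOUT_THRESHOLD):
    """Account-centric control: count consecutive failures per account (a production policy
    would also bound this by a time window) and lock any account that reaches the threshold."""
    failures = defaultdict(int)
    locked = set()
    for _, _, account, outcome in events:
        if outcome == "FAIL":
            failures[account] += 1
            if failures[account] >= threshold:
                locked.add(account)
        else:
            failures[account] = 0
    return locked


def detect_spraying(events, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Source-centric detection: one IP failing against many distinct accounts, each only
    once or twice, never trips the per-account lockout but stands out when grouped by source."""
    accounts_per_ip = defaultdict(set)
    for _, ip, account, outcome in events:
        if outcome == "FAIL":
            accounts_per_ip[ip].add(account)
    return {ip for ip, accounts in accounts_per_ip.items() if len(accounts) >= min_accounts}


def analyse(text=SAMPLE_LOG):
    """Run both controls over the log and report what each one catches."""
    events = parse_log(text)
    return {"locked_accounts": apply_lockout(events), "spraying_sources": detect_spraying(events)}


if __name__ == "__main__":
    print(analyse())
```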

Password Managers

Password managers help users generate and store strong, unique passwords.

How Individuals Can Protect Themselves

Good password security dramatically reduces risk.

  • If possible, switch to passkeys – Passkeys are much safer than passwords – Read my related posts:
    Time to Ditch the password, Google passkeys now the default, the future of (no) passwords
  • Use long passwords – Longer passwords are generally harder to crack.
  • Use unique passwords – Never reuse passwords across multiple accounts.
  • Enable MFA – Multi-factor authentication provides an important additional layer of security.
  • Use a password manager – Password managers generate and securely store complex passwords.
  • Stay alert for phishing – Always verify login pages and suspicious requests.
  • Monitor accounts – Watch for unusual login activity and security alerts.

The future of password security

The cybersecurity industry is increasingly moving toward password-less authentication methods such as passkeys, biometrics, and hardware security keys.

These technologies reduce many of the risks associated with traditional passwords. However, passwords are unlikely to disappear overnight.

For the foreseeable future, understanding password attacks remains a critical cyber security skill, and good password hygiene is key to keeping accounts safe.

Conclusion

Password attacks are among the most common techniques used by cybercriminals because passwords continue to protect access to many of our most valuable digital assets. Attackers use a variety of methods, including brute force attacks, dictionary attacks, credential stuffing, phishing, keylogging, social engineering, and password hash cracking to gain unauthorised access to accounts and systems.

While attackers continue to develop new techniques, many successful password attacks still rely on weak passwords, password reuse, and human error. By understanding how these attacks work and implementing strong security practices such as unique passwords, password managers, and multi-factor authentication, individuals and organisations can significantly reduce their risk of compromise.

In cybersecurity, a password is often the first line of defence—and protecting it remains one of the most important responsibilities for every user.