Password Attack Methods

Password Attack Methods

In this article, we explain the password attack methods that the attackers use frequently to compromise individual accounts and gain unauthorized access on systems.

In this article, we explain the password attack methods that the attackers use frequently to compromise individual accounts and gain unauthorized access on systems. We aim to give a summary on common password attack methods so that security practitioners and everyday Internet users can understand attacker techniques and mindset better and protect their systems and user accounts accordingly.


One of the most effective methods that can prevent attackers from gaining unauthorized access on a system or user accounts is implementing a strong password mechanism. However, it is also one of the most targeted security mechanisms by hackers to gain illegitimate access to a system as it often turns out to be simple to conduct attacks and hack successfully.

Once attackers gain access on a system, they can steal or damage private or commercial data, modify any information or system configuration or simply render the system unusable by shredding or encrypting data with ransomware. Further more, upon gaining a foothold on a system, attackers can use techniques to escalate their privileges to get access to more privileged resources or use the compromised system to jump to other systems on the network and compromise more lucrative resources. Thus, it is crucial to understand the types of password attack methods that hackers can use to implement effective security controls accordingly.

Password Attack Methods

In this section, we examine a list of the well-known and common password attack methods that the hackers use. These methods generally fall into three general categories: brute force, malware-based and social engineering attacks.

Brute Force Password Attack Methods

In cryptography, a brute force attack (a.k.a. brute force cracking) is a trial-and-error type attack methodology where hackers try either every or most of the password or passphrase combinations with the hope of successfully breaching user accounts. Brute force attacks can be exercised in a variety of ways, ranging from methods that try every password combination in random or sequentially to more optimized approaches that make use of the most frequently used or previously compromised passwords.

All brute force attacks take advantage of the fact that most user passwords are either weak (short or not complicated enough) or they are reused on different accounts. What follows is an overview of each of these brute force password attack methods. Note that, attackers and most password cracking tools usually employ hybrid methods and make use of the best features of multiple brute force attack methods.

Ordinary Brute Forcing

This method is the simplest and dumpest of all the brute force attack methods. The basic assumption for employing this type of attack is that the targeted password is short and all the possible password combinations can be tried in an acceptable length of time. It exhaustively tries every password or passphrase combination until it finds the correct user credential or runs out of all the possible password combinations.

Usually, inexperienced hackers favor this method as it is very easy to use with quite a number of existing brute forcing tools. However, this method is very costly as it requires a lot of time to try all the password combinations and sometimes it is even infeasible to cover all the possibilities, depending on the length of the targeted password. Moreover, such attacks are usually unsuccessful as they can be easily detected and blocked by the security mechanisms such as firewalls, IDS/IPSs and the access control mechanism itself.

Password Guessing

Password guessing is another basic type of password attack method that leverages on the fact that users tend to pick simple passwords no matter how much security training they are given. In this method, attackers simply attempt to guess a user’s password by trying a list of the most frequently used passwords rather than trying a large list of possible passwords or submitting every password combination. Though simple, this method overcomes lengthy trial time shortcoming of the ordinary brute forcing and proves to be successful on systems where short and simple passwords are allowed.

Password guessing attacks can also be conducted by making educated guesses about users’ passwords. For instance, as users’ possible passwords, attackers can try variations on the usernames (or user’s name and the last name) with a few numbers and frequently used special characters. The following show by Michael McIntyre reveals this bitter truth on how predictable humans are on picking their passwords.

Performance by Michael McIntyre on How Predictable Humans Are in Choosing Passwords

Just to demonstrate how simple and guessable the user passwords are, NordPass also conducted a research in 2020. In their research they identified the most frequently used and breached 200 passwords from a database of about 275 million passwords. Top 10 most common passwords identified by this research is shown in Figure 1.

Figure 1: Top 10 Most Common Passwords in 2020 (NordPass Research)

Finally, some knowledge about a person can provide attackers with extremely useful clues about a user’s passwords. Many people tend to use the names of their spouses, family members, pets, favorite sports teams, birth days etc. The following is another show that confirms this fact.

Jimmy Kimmel Show: What is Your Password?

Dictionary Attacks

Dictionary attacks resemble very much to the password guessing. This attack method tries to exploit a basic factor of human psychology, that is, users often tend to choose common words. Relying on this fact, this method cycles through commonly used dictionary words and variations with numbers and special characters usually at the beginning or the end. It differs from the ordinary brute forcing by trying words most likely to succeed from a dictionary rather than trying every letter combination.

Credential Stuffing

Credential stuffing is another type of brute forcing attack where attackers use previously breached usernames and passwords in combination on other accounts. The attack relies on users’ tendency to reuse the same passwords across multiple sites or accounts. This attack type turns out to be very effective as most users are usually either unaware of the fact that their accounts have been breached or after finding out a password compromise, they forget to change their breached passwords on all accounts that reuse the same password.

To make the matters worse, stolen usernames and passwords can be found on the Dark Web, shared publicly or sold by other hackers. One recent and the biggest password compilation shared online was given the name RockYou2021 after the infamous RockYou breach in 2009. RockYou2021 compilation contains approximately 8.4 billion password entries.

Password Spraying

Password spraying is a type of brute force attacks where hackers attempt to breach a large number of accounts at a time with a single password before moving on to another password trial. The passwords tried on the accounts might be either a list of most frequently used passwords or come from a previously breached credentials list.

This attack method is based on the premise that some users may have weak passwords on their accounts while most of the accounts have strong passwords. Password spraying can be successful on systems where strong password policies are not enforced on all accounts. This attack type is also preferred by attackers to avoid account lockouts that are triggered by policy upon repeated login failures.

Rainbow Table Attack

The previously explained brute force attack methods fall into the category of online password attacks. However, attackers are not only limited to online attacks. They can also conduct offline password attacks on the previously captured password files.

Online Password Attacks

In this method, hackers use the same login mechanisms with the users to breach the user accounts. Online password attacks are extremely slow as each login attempt needs to be sent over the network and be processed by the authentication server. To further slow down attackers, usually account lockout policies are enforced to prevent multiple login attempts in a short period of time. The second limitation is that they are very noisy due to repeated login trials and can be easily flagged by any type of logging and alerting mechanism.

Offline Password Attacks

In this method, hackers attempt to recover account passwords from a password file that has been captured previously. Typically, these files would be /etc/shadow file on Linux and Security Account Manager (SAM) file on Windows. As a good security practice, password files contain only encrypted versions of the passwords so that hackers can’t get a hold of all the clear text passwords in case they capture a password file. This encryption function is known as hashing. To give a brief explanation, hashing is a one way mathematical function which transforms any given length of characters to fixed length values that cannot be recovered back.

Because password files contain only hashed passwords, attackers have to run the same hashing function against a list of probable passwords to see if there is match with the encrypted version of the actual password stored in the password file. However, running a hashing function for each password on the dictionary file still takes significant amount of time in total though it is a lot shorter than the time online password attacks would take.

To overcome this difficulty of lengthy processing time of hashing functions, attackers make use of what is called as rainbow tables. Rainbow tables contain hash values pre-computed with all common hashing algorithms (such as MD5, SHA-128, SHA-256, or SHA-512) for all the possible passwords that the attackers want to try. Having rainbow tables ready at their disposal, all that is left for the attackers is just to compare hashed values of actual passwords against the values in the rainbow table to see if there is a match.

Malware-Based Password Attacks

Since brute forcing turns out to be costly with respect to processing time, most hackers usually resort to brute force password attacks only if they have to when they don’t have any better attack option. As an alternative, experienced attackers can install malware to capture user credentials. For this purpose, hackers usually install a key logger, a variant of spyware, to track all a user’s keystrokes and capture the user credentials.

Note that to install a malware variant, the targeted system either must have been compromised already or the user needs to be convinced into installing a malware, often through a phishing attack. Also note that, since this attack method directly captures users’ passwords as they type their credentials on a keyboard, using strong passwords would not protect against such attacks.

Social Engineering Attacks

As discussed previously, experienced hackers try to avoid brute force attack methods and use more sophisticated technical attacks, such as installing a malware variant to capture user credentials. That being said, as Bruce Schneier quoted, more experienced hackers even avoid any technical attack means altogether and use social engineering to get into user accounts.

Quote by Bruce Schneier
Quote by Bruce Schneier

Amateurs hack systems, professionals hack people.

Bruce Schneier

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

In its most basic definition, a social engineering attack is tricking the users to hand over their credentials. In one of its simplest form, hackers can pose themselves as technical support representatives or a similar authority and ask for users’ passwords to solve a technical issue that needs immediate attention. This type of social engineering is called a scam and it uses social conventions of a workplace to fool users. In addition to scams, attackers can send phishing emails that prompt users to log into a fake site upon clicking a link on the email. Once users type in their credentials on the fake sites, attackers simply capture the usernames and the passwords and log into to the actual sites or accounts themselves. With phishing emails, users can also be tricked into clicking on malicious links that would install malware to capture user credentials. Last but not least, using social engineering attacks, hackers can also learn private information about users (such as mother’s maiden name, birthday, name of the pets etc.) to make educated guesses about the users’ passwords.

Social engineering poses a significant threat against access control protection mechanisms as it totally avoids technical measures and users often fall victim of such attacks no matter how much security training they have, depending on the sophistication of the social engineering attack.

Final Remarks

In this article, we discussed the common password attack methods that attackers use to compromise individual accounts and gain unauthorized access on systems. To categorize generally, hackers can use brute force, malware-based and social engineering attacks to gain unauthorized access on user accounts. Though each of these methods can be exercised separately, expert level hackers mostly use hybrid methods and make use of the best features of all these attack methods.

Quote by John David McAfee
Quote by John David McAfee

A hacker is someone who uses a combination of high-tech cyber tools and social engineering to gain illicit access to someone else’s data.

John David McAfee

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.