Password Attacks

5 Types of Password Attacks and how you can prevent them

Password attacks and breaches are so common for a simple reason: people use passwords that are not strong enough or that can be easily guessed through trial and error. During times like these, the best thing to do is keep our passwords strong. Cybercriminals are clever enough to realize that if they have cracked one of your passwords, they can try the same password on the other accounts that you may or may not have.

The important thing here is to improve your password security so that it puts up additional barriers for the potential hacker to overcome.


Here are 5 types of Password Attacks and how you can prevent them:

Man-in-the-middle Attacks, Brute force Attack, Dictionary Attack, Credential Stuffing, Phishing and Keyloggers. Now let’s dive into each of these in detail.


Man-in-the-Middle Attacks

Imagine you are at a restaurant with someone (probably on a date or on a business meeting). The conversation is going great, the ambience is amazing; everything is just fine except this one thing. The waiter keeps interrupting you every now and then. Probably eavesdropping or maybe just there to ruin your time. That waiter is a “Man-in-the-Middle”. Someone who is uncalled for and not needed.

Or just imagine, you are there at the restaurant to meet Person A and you meet and have a proper conversation only to realize somewhere in between that the person you are talking to is faking it. It is not Person A but rather Person B. Terrifying scenario, right?

Man-in-the-Middle Password Attacks are just the same.

Three people are involved in this type of attack: the cyberattacker, the initiator (sender) and the receiver (recipient).

In this type of password attack, you’d find the cyberattacker impersonating either the sender or the receiver, most probably through an email. The look and feel of the email would be authentic and there’ll be some minor differences that will be hard to catch.


Here’s how you can steer clear of or prevent Man-in-the-middle attacks:

VPN: A private, encrypted tunnel through which confidential information is passed; man-in-the-middle attacks are very rare in this case. However, the VPN that you subscribe to should be a trusted entity. Don’t just go for any VPN provider.

Encryption: If your router is not encrypted and locked, anyone who connects to your network can have access to the data passing between the users connected to it. Use a strong password on your router/modem.

Extra Security: Enable 2FA or MFA on your home Wi-Fi or router.


Brute-force Attack

As the name suggests, this is hit-and-miss, trial-and-error guessing of passwords. It is usually an automated approach in which permutations and combinations of various passwords are tried one after the other on a system.

At least some accounts, if not all, could be hacked through this method.


Types of Brute Force Attacks

Apart from the general type of Brute Force Attack (which is random guesswork), there are other advanced types such as:

  • Dictionary Attacks:
    A type of brute force attack where every word in a dictionary is tried as a possible password. It is also used to decrypt encrypted information.
  • Hybrid Brute-force:
    An analysis of which combinations would work.
  • Rainbow Table Attacks:
    Passwords are stored as hashes, and this attack targets those. The table is used to guess functions up to a certain length.


All these brute-force password attacks use automation and bots to crack passwords since multiple attempts are made.


Credential Stuffing

There is often a logic behind these attacks. Here is how credential stuffing works:

  • Automation methods or bots are set up, and they start cracking into systems, faking their IP address and trying different password combinations. There may or may not be multiple bots at work at once.
  • Once this is done, the password that has been cracked is tried across multiple websites to see whether it has been used somewhere else.
  • Once cracked, the password is then saved for future use.

Since the method is quite intelligent, you need to have better preventive measures to tackle this:

  • Using Captcha:
    Remember how, when you try to access a certain part of a website or a page that requires form filling, you are prompted to solve a simple puzzle or type the alphanumeric characters displayed on the screen? Bots are not always that intelligent, so it becomes difficult for them to get past this stage.
  • Block IPs:
    If you see someone trying to access using the same few IP addresses, you can prevent that by blocking the IPs. But this is no guarantee, as the cyber attacker may have multiple such IPs in hand, or even if a few are blocked, it may be easy for him to fake his IP address again and try.
  • MFA:
    Enabling multi-factor authentication adds one more layer of security. Most probably you will get a code on your email ID or a notification on your mobile device.



Phishing

A social engineering attack. This type of attack is meant to steal user data such as credit or debit card details. Quite similar to a man-in-the-middle attack, the cyber attacker impersonates a trusted entity and fools the target into opening an email or a link in a message which is meant to steal data.

Here is how you can prevent phishing attacks:

  • If something sounds too good to be true or if the sender is unknown, you have to do a thorough verification of their email ID.
  • Look for spelling mistakes in the domain name within the email ID.
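
The domain check above can be partly automated. The following is an added example, not part of the original article; the trusted-domain list, the character-swap table and the sample sender addresses are constructed for illustration.

```python
# Added example: flag sender domains that are near-misses of trusted domains.
# TRUSTED_DOMAINS is a constructed allow-list; replace it with your own.
TRUSTED_DOMAINS = {"example-bank.com", "example.org"}

# Digits commonly swapped for letters so a domain looks right at a glance
# (an illustrative subset, not a complete table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        curr = [i]
        for j, cb in enumerate(b, start=1):
            curr.append(min(prev[j] + 1,                # deletion
                            curr[j - 1] + 1,            # insertion
                            prev[j - 1] + (ca != cb)))  # substitution
        prev = curr
    return prev[-1]


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Undo digit-for-letter swaps and the "rn" that imitates "m".
    normalized = domain.translate(CONFUSABLES).replace("rn", "m")
    for trusted in sorted(TRUSTED_DOMAINS):
        if normalized == trusted or edit_distance(domain, trusted) <= max_distance:
            return f"lookalike:{trusted}"
    return "unknown"


if __name__ == "__main__":
    for sender in ("alerts@example-bank.com", "alerts@examp1e-bank.com",
                   "hr@exarnple.org", "news@unrelated-shop.net"):
        print(sender, "->", classify_sender(sender))
```

An "unknown" result only means the domain is not close to anything on the list; it still needs the manual verification described above.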

There are different types of Phishing password attacks such as:


  • Smishing:
    The name is coined from 2 words: SMS + Phishing = Smishing. A nasty type of phishing where the attacker poses as a prestigious, trustworthy institution like a bank with the aim of asking for confidential information. Usually, through that one SMS, the user is asked to reply with details to that number or to click a link within the SMS.


  • Spear Phishing:
    When an email seeks unauthorized access to sensitive information. This type of attack is not usually sent by a mere hacker but somebody who could be known and just wants to retrieve some financial or confidential information. These also appear to come from a trusted source.


  • Whaling:
    Whale = The Giant fish. You receive an email from someone who seems like your boss, with very minor spelling errors, and you send them the sensitive information that they have asked for.



Keyloggers

Now this one’s mean. A keylogger is one of those password attacks where spyware keeps track of the user’s activity. Cyberattackers use this type of attack to steal sensitive data. Keyloggers can steal the data either by connecting the targeted PC or mobile to a hardware device or through software.

The attack through software occurs when people fall into the trap of clicking a malicious link or attachment. Malware gets installed on their device and it automatically fetches sensitive data.


Password Best Practices

  • Your password should have a mix of uppercase, lowercase, numbers and special characters in it.
  • It should be lengthy. The longer the better. Might as well take a few extra seconds to type a long password rather than face the risk of losing data.
  • Once you do all this, make sure you reset your passwords in a timely fashion.


Frequently Asked Questions

What is Password Spraying?

You must have noticed that if you mistakenly type incorrect passwords several times in a row, your account could get blocked for some time. Password Spraying is a unique type of Brute Force Attack in which the attacker sets one constant password, e.g. abc123, and instead of trying a new password every time, keeps changing the username. In this way, the account will not get blocked either.
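
The sketch below shows why a per-account lockout counter misses this pattern while a count of distinct usernames per source catches it. It is an added example, not part of the original article; the event format, thresholds and log entries are constructed, and the IP addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "alice", "fail"),
    ("2024-01-01T10:00:20", "203.0.113.7", "bob", "fail"),
    ("2024-01-01T10:00:40", "203.0.113.7", "carol", "fail"),
    ("2024-01-01T10:01:00", "203.0.113.7", "dave", "fail"),
    ("2024-01-01T10:01:20", "203.0.113.7", "erin", "fail"),
    ("2024-01-01T10:02:00", "198.51.100.9", "frank", "fail"),
    ("2024-01-01T10:02:10", "198.51.100.9", "frank", "fail"),
    ("2024-01-01T10:02:20", "198.51.100.9", "frank", "fail"),
    ("2024-01-01T10:05:00", "192.0.2.50", "alice", "ok"),
]


def locked_accounts(events, threshold=3):
    """Per-account lockout view: accounts with >= threshold failed logins."""
    failures = defaultdict(int)
    for _, _, user, outcome in events:
        if outcome == "fail":
            failures[user] += 1
    return {user for user, count in failures.items() if count >= threshold}


def spraying_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Sources that fail against >= min_users distinct accounts inside the window."""
    by_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "fail":
            by_source[ip].append((datetime.fromisoformat(ts), user))
    flagged = set()
    for ip, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the left edge until the span fits inside the window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged.add(ip)
                break
    return flagged
```

On the sample data the lockout view reports only `frank`, while the per-source view reports `203.0.113.7`, whose five targets each saw a single failure. Counting per source only works while the attempts share an address, so the caveat under "Block IPs" applies here too.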


What is Spear Phishing?

When an email seeks unauthorized access to sensitive information. This type of attack is not usually sent by a mere hacker but somebody who could be known and just wants to retrieve some financial or confidential information. These types of password attacks also appear to come from a trusted source.


What helps protect from Spear Phishing?

  • Never click links or open or download attachments from unknown sources
  • You can block email addresses that look fishy
  • Update your system software to the latest build
  • Enable 2FA


What is a common indicator of a Phishing Attempt?

  • A logo that looks very similar to any popular brand out there
  • A name or an email address which sounds similar to a reputed organization
  • Malicious link or attachment
  • Shorter Content
  • Spelling Errors


How long does it take to crack an 8 digit password?

Passwords of fewer than 8 characters that have only numbers or only letters can be cracked instantly. But a password that has more than 8 characters takes longer (years if not less) to crack, if it is a mix of alphanumerics, different cases and special characters.





Sumit Khorava

Sumit is a Network & Systems Engineer and has been a part of us for almost 3 years now. He has a total of 5 years in the IT Field. He is an MS AZ103 and a Six Sigma certified engineer. At Infrassist, he started off by providing support/helpdesk services to one of our US clients. Then he moved to another project from Europe for which he currently manages and does Server and System Maintenance, Backup configuration and maintenance, ESET Management, Azure AD, Manage O365 Portals and their Security and Compliances.
