Stolen, weak and reused passwords are the leading cause of hacking-related data breaches and a tried-and-true way of gaining access to the enterprise’s IT resources. And with billions of credentials available on the dark web, cybercriminals don’t have to go to great lengths to find compromised passwords.

To get the best return on investment, hackers are looking for easy access—and improving the organization’s password security establishes more barriers for them to overcome.

There are different ways password attacks occur and practices to mitigate enterprise risk. Let’s examine eight types of password attacks and how to plan for and respond to them.

Brute-force attack

A brute-force attack is a type of password attack where hackers make numerous hit-or-miss attempts to gain access. It is a simple attack and often involves automated methods, such as software, for trying multiple letter-number variations.

Employing an extensive number of possibilities takes a long time, so attackers must look for efficiencies. To generate a list of potential combinations, they often start with easy choices, such as common or short passwords. If they know the password requirements for a specific provider (such as the minimum number of characters accepted), the attackers will apply those criteria as well.

Keylogger attack

A keylogger is spyware that records a user’s activity by logging keyboard strokes. Cybercriminals use keyloggers for stealing a variety of sensitive data, from passwords to credit card numbers. In a password attack, the keylogger records not only the user name and password but also the website or application where those credentials are used, along with other sensitive information.

Keyloggers can be either hardware or software. Since planting hardware on a device takes a lot of extra work, the threat actors are more likely to install malware on a computer or device by luring a user to click on a malicious link or attachment. Some keyloggers also come bundled with software (like “free” applications) that users download from third-party sites.

Dictionary attack

A type of brute-force password attack, a dictionary attack is based on a list of commonly used words and phrases, as well as often-used passwords. To avoid having to crack a long list of possible passwords, attackers narrow down the list to what’s known as dictionary words.

Those words are not limited to actual words in the dictionary. They could also include popular names of pets, movie characters, and people. Hackers will also utilize variations by appending letters with numbers and special characters (e.g., substituting the letter O with the number 0).

Credential stuffing

Credential stuffing password attacks are similar to brute-force attacks, in that the attackers use trial-and-error to gain access. However, instead of guessing passwords, they use stolen credentials. Credential stuffing is based on the assumption that many people reuse their passwords for multiple accounts across various platforms.

Over the years, numerous breaches of websites and cloud-based services have resulted in a massive number of compromised credentials. Just one single major-provider breach can yield millions of victim accounts, which cybercriminals then sell, lease, or give away on the dark web.

Attackers use credential stuffing to verify which stolen passwords are still valid or work on other platforms. As with brute-force attacks, automated tools make these password attacks incredibly successful.


A man-in-the-middle scenario involves three parties: the user, the attacker, and the third party with whom the person is trying to communicate. In a password attack, cybercriminals typically impersonate the legitimate third party, often through a phishing email.

The email looks authentic and may spoof the third-party’s email address to throw off even savvier users. The attackers try to convince the recipient to click on a link that goes to a fake but authentic-looking website, then harvest the credentials when the user logs in.

Traffic interception

Traffic interception, a variation on the man-in-the-middle attack, involves the threat actors eavesdropping on network traffic to monitor and capture data. A common way of doing this is through unsecured Wi-Fi connections or connections that don’t use encryption, such as HTTP.

Even SSL traffic is vulnerable in this scenario. For example, a hacker can use a man-in-the-middle attack in what’s called SSL hijacking. SSL hijacking is when someone tries to connect to a secure website, and the attacker creates a bridge of sorts between the user and the intended destination and intercepts any information passing between the two, such as passwords.


As mentioned above, phishing is a versatile approach. Cybercriminals use different phishing and social engineering tactics, from phishing emails for man-in-the-middle attacks to a combination of spear phishing and vishing (a multi-step password attack that includes a voice call and a link to a malicious site that harvests credentials). The latter has been used in attacks targeting employees’ VPN credentials.

Phishing attacks typically create urgency for the user. That’s why the emails often claim a bogus account charge, service expiration, or an IT or HR issue or a similar matter that is more likely to gain the person’s attention.

Password spraying

Another form of a brute-force attack, password spraying involves trying a large number of common passwords on a small number of user accounts, or even on just one account.

Attackers go to great lengths to avoid detection during password spraying. Usually, they’ll conduct reconnaissance first to limit the number of login attempts and prevent account lockup.

How to prevent attacks

The best way to prevent password attacks is to adopt best practices for password hygiene and management. Easy-to-hack environments that have a weak security posture are much more appealing to opportunistic cybercriminals.

Boosting password security significantly improves the enterprise’s ability to avoid a data breach. Password best practices include:

  • Requiring long, complex passwords that are unique for each website or account
  • Implementing multi-factor authentication when possible
  • Adopting a password manager to simplify password management and ensure secure storage

The enterprise’s IT team should also limit access to privileged accounts and add additional security layers for those accounts. Of course, educating all employees and other stakeholders about password security also enables prevention. With security breaches the new norm, employees and anyone else with access to organizational resources play a key role in maintaining the company’s security posture.

Unleash the power of unified identity security.

Centralized control. Enterprise scale.

Take a product tour