6 Types of Password Attack and Ways to Prevent Them


A password attack is one of the most common cybersecurity risks that affect both personal and corporate data.

Hackers know that many passwords are poorly designed or created quickly without much thought, and therefore take their chances.

Attackers use several different methods: software that tests millions of combinations, or posing as a trusted source to steal credentials.

This makes password attacks important to be aware of, because there isn’t only one scam to look out for, but several that could trick you or members of your organisation into revealing password information.

In this post, we will be highlighting the top 6 most common password attack methods and giving you tips on how to prevent them.

So, let’s get into it.

What Is a Password Attack?

A password attack is a malicious way for hackers to gain access to your personal or corporate accounts.

Whether that be email accounts, company log-ins, or password-protected files, there are various ways for attackers to steal your credentials and gain access to your data within these accounts.

These attacks can compromise a huge amount of data: if the passwords in your organisation are similar, not regularly changed, or poorly created, hackers could gain access to more than one account and a wide variety of information.


6 Types of Password Attack

There are more than 6 types of password attack used by cybercriminals; however, we are going to focus on 6 of the most common out there.

Let’s start with Man-in-the-Middle attacks.

1. Man-in-the-Middle

Man-in-the-middle or MITM attacks involve a hacker or compromised system sitting in between two uncompromised people or systems.

For example, this is much like a person sitting in between two others having a conversation and listening to what is being said.

In this instance, the compromised system in the middle can decipher the information that is passed between the other two systems.

Therefore, the man-in-the-middle can steal credential information as it is passed from one person to another through a device or system, and go on to log in to accounts, steal data and implement malicious code.

How to Prevent This Password Attack

There are a few things you can do to prevent this type of attack, including:

  • Installing or purchasing a VPN – using a virtual private network will help to mitigate hackers entering your network and stealing information as it passes from one system to another.
  • Using strong credentials and MFA – many router credentials are never changed, and this makes it easy for man-in-the-middle hackers to get into your network. Strong passwords and multi-factor authentication stop hackers before they even get the chance to enter your network.
  • Enabling encryption on your router – there are certain types of technology, such as packet sniffers, that attackers can use to read the information passed from system to system. Enabling encryption means that even if a hacker accesses your network, they won’t be able to decipher the information being transmitted.

2. Dictionary Attack

A dictionary attack is a type of brute force attack that relies on users’ habit of picking basic or very easy-to-guess passwords.

Millions of common passwords such as “password” or “1234” have been collected into documents called cracking dictionaries and these can be used by hackers to guess your account credentials.

Although cracking dictionaries mostly contain common passwords, some include words close to you or important to you, such as your birthplace or the name of your pet, so that cyber criminals can conduct more targeted attacks.

How to Prevent This Password Attack

To prevent this attack you must be prepared to make changes to your passwords and password settings such as:

  • Avoid using dictionary words – a word you can find in the dictionary makes your password easily guessable compared to a mixture of numbers and letters, or a word or phrase unrelated to your personal information.
  • Lock accounts after too many failed attempts – although this may be frustrating if you’re trying to log into your account, it will improve the security of your accounts. It is a good idea to allow five attempts or fewer, so that hackers are locked out after that number of attempts and you are redirected to reset your password.
  • Consider using a password manager – this software will generate complex passwords for you that are difficult to guess and incorporate a range of numbers, letters, and characters.
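The lockout rule above is simple to state but easy to get wrong in practice: the lock must also apply when the correct password is finally supplied, otherwise an attacker who keeps guessing learns the moment they hit the right one. The following is an added example written for this post, not code from the original article; the five-attempt limit comes from the text, while the 15-minute lockout window, the `LoginThrottle` name and the injectable clock are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # the post recommends five attempts or fewer
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window; tune to your own policy


@dataclass
class AccountState:
    failures: int = 0         # consecutive failures since the last success/lock
    locked_until: float = 0.0 # epoch seconds; 0 means not locked


class LoginThrottle:
    """Per-account failed-login counter with a temporary lockout.

    Hypothetical example: the clock is injectable so the behaviour can be
    tested without waiting for a real lockout window to expire.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def is_locked(self, username: str) -> bool:
        state = self._accounts.get(username)
        return state is not None and self._clock() < state.locked_until

    def record_failure(self, username: str) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        state = self._accounts.setdefault(username, AccountState())
        if self.is_locked(username):
            return True                      # already locked: do not count further
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = self._clock() + LOCKOUT_SECONDS
            state.failures = 0               # a fresh window starts after the lock expires
            return True
        return False

    def record_success(self, username: str) -> None:
        """A successful login clears the failure history for that account."""
        self._accounts.pop(username, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str, verify) -> str:
    """Gate the real credential check (`verify`) behind the throttle.

    Returns "locked", "ok" or "failed". The lock is checked *before* verifying,
    so a locked account answers "locked" even to the correct password.
    """
    if throttle.is_locked(username):
        return "locked"
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    if throttle.record_failure(username):
        return "locked"
    return "failed"


def demo() -> list[str]:
    """Five bad guesses, then the right password while locked, then after expiry."""
    now = [1_000.0]                          # fake clock, constructed for the demo
    throttle = LoginThrottle(clock=lambda: now[0])
    verify = lambda user, pw: pw == "correct horse battery staple"  # stand-in for a real check
    outcomes = [attempt_login(throttle, "alice", "wrong guess", verify) for _ in range(5)]
    outcomes.append(attempt_login(throttle, "alice", "correct horse battery staple", verify))
    now[0] += LOCKOUT_SECONDS + 1
    outcomes.append(attempt_login(throttle, "alice", "correct horse battery staple", verify))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

In a real deployment the state would live in a shared store rather than a process-local dict, and you would also count failures per source address so that an attacker cannot lock out many users deliberately, but the ordering of checks shown here is the part most often missed.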


3. Phishing

Phishing attacks generally involve a hacker posing as a trustworthy party to send you a fraudulent email, often containing malicious links or code.

The aim of the threat actor is to encourage you to reveal personal information either through clicking a link, resetting your password, or inputting your details into a fake webpage.

By completing this action you allow hackers to steal your credentials and access your accounts, or to insert malicious code into your device or network.

Although this is the most common way hackers use phishing for password attacks, this type of risk can be split into various categories:

  • Spear Phishing – in this type of attack a hacker targets a specific user with an email that appears to come from a friend or colleague, including an attachment and a generic comment encouraging them to open it. Because the hacker poses as a seemingly trustworthy sender, the user is tricked into thinking the email is legitimate.
  • Smishing or Vishing – a user receives an SMS text message (smishing) or voice call (vishing) from a hacker claiming that an account has been frozen or that there has been fraudulent activity. The hacker’s aim is for you to click on the SMS link or attachment, or take action based on the voicemail, and so be exposed to malicious code or have your credentials stolen.
  • Whaling – a user or an entire organisation receives an email from a “senior figure” within the company asking for confidential information or even company credentials. It is often difficult for users to spot that these emails are falsified, and the result is one or more members of the organisation sending information to hackers instead.

How to Prevent This Password Attack

To prevent this attack it’s essential to ensure your organisation has been trained in phishing prevention as well as password attack mitigation.

This is because the usual phishing defences still apply when phishing is used as the vehicle for a password attack.

To help keep phishing attack attempts to a minimum in your organisation you should:

  • Check the email source and sender – ensure the email address of the sender matches who they’re claiming to be. For example, if the email is from another organisation, check the email against the one shown on the company website.
  • Check for spelling and grammar mistakes – issues with spelling and grammar are often clear indicators of a hacker at work, rather than a legitimate email from another organisation, colleague, or client.
  • Check with your IT team – often if you are unsure whether the email or message you receive is from a trusted source, your IT team should be able to conduct checks and confirm with you whether to keep or delete the email.

4. Brute Force Attack

If a password is a key to open a door, a brute force attack is an act of knocking the door down.

Ultimately, when hackers conduct a brute force attack, they use software to test billions of password combinations to access your accounts or network.

Hackers can try billions of passwords in 30 seconds, so if your password is simple, this makes their job so much easier and they can easily get into your network using your credentials.

How to Prevent This Password Attack

Similarly to a dictionary attack, it’s important to change and check over your passwords and password settings.

To prevent brute force attacks you and your organisation should:

  • Use complex passwords – the stronger your password, the smaller the chance that attackers will gain access to your account. It’s important to use a mix of uppercase and lowercase letters, non-alphabetic characters, and 10 digits in each password you create and use.
  • Install MFA – using multi-factor authentication means that even if hackers guess your passwords, they have to get through an added layer of protection. Installing MFA across your company such as a one-time passcode to your mobile or a security question or PIN stops hackers in their tracks as they won’t be able to pass further than the initial password stage.


5. Credential Stuffing

If you have been a past victim of a cyber security attack, it’s likely your password has been included in a data leak posted to an insecure website that others have access to.

Credential stuffing is the process of hackers visiting one of these disreputable websites and collecting old credentials of those who have been attacked previously.

The attacker then tries these old credentials against the victims’ accounts, in the hope that the details were never changed after the earlier attack.

How to Prevent This Password Attack

To prevent credential stuffing you should consider:

  • Monitoring your accounts – you can pay for a service to do this for you, or use a free version to check if your information, specifically your email address, has been leaked.
  • Regularly updating and changing your passwords – the longer you leave your passwords as they are, the more likely it is that hackers will steal them and access your accounts.
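Checking whether a password has appeared in a leak without sending the password itself anywhere is the point of the k-anonymity range query used by public breach-check services: the client hashes the password, sends only the first five hex characters of the hash, receives every leaked hash suffix sharing that prefix, and compares locally. The code below is an added example, not from the original post; it implements both sides of that exchange offline against a small constructed breach corpus, so `CONSTRUCTED_BREACH_CORPUS`, `range_lookup` and the sample account list are stand-ins, not a real service or real data.

```python
import hashlib

# Constructed stand-in for a leaked-password corpus. A real service holds hundreds
# of millions of entries; the check below never needs to see the plaintexts.
CONSTRUCTED_BREACH_CORPUS = {"password", "123456", "qwerty", "letmein", "1234"}

# Constructed list of the accounts you want to monitor: (account, current password).
CONSTRUCTED_ACCOUNTS = [
    ("alice@example.test", "Violet!Tramline#Kettle-9Q"),
    ("bob@example.test", "letmein"),
]

PREFIX_LEN = 5  # the k-anonymity schemes in common use send a 5-hex-char prefix


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the digest these services index on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) so that only the prefix ever leaves the device."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def range_lookup(prefix: str) -> dict[str, int]:
    """Simulated server side: every corpus hash suffix under `prefix`, with a count.

    The server learns only that *some* password hashing to this prefix was queried;
    on a real corpus each prefix covers hundreds of unrelated passwords.
    """
    matches: dict[str, int] = {}
    for leaked in CONSTRUCTED_BREACH_CORPUS:
        digest = sha1_hex(leaked)
        if digest.startswith(prefix):
            suffix = digest[PREFIX_LEN:]
            matches[suffix] = matches.get(suffix, 0) + 1
    return matches


def is_breached(password: str, lookup=range_lookup) -> bool:
    """Client side: query by prefix, then compare the suffix locally."""
    prefix, suffix = split_hash(password)
    return suffix in lookup(prefix)


def check_accounts(accounts: list[tuple[str, str]]) -> list[str]:
    """Return the accounts whose current password appears in the leak corpus."""
    return [account for account, password in accounts if is_breached(password)]


if __name__ == "__main__":
    print("accounts needing a password change:", check_accounts(CONSTRUCTED_ACCOUNTS))
```

The same pattern extends to the email-address monitoring the post mentions: hash the address, query by prefix, compare locally. A hit is a reason to change that password everywhere it was reused, which is precisely the reuse credential stuffing depends on.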

6. Keyloggers

A Keylogger is a type of malicious software that is used to track every keystroke made on the keyboard and report the findings back to the hacker.

Typically the user downloads some software and a keylogger comes bundled with the download, unknown to the user.

The hacker is then inside the network and can see which keys are pressed, and in which order, when the user logs into an account.

How to Prevent This Password Attack

There are precautions you can take to prevent keyloggers from being downloaded onto your device, such as:

  • Checking your physical hardware – conducting regular inspections of your computer or device and the surrounding area will help to ensure each piece of hardware is safe from risk.
  • Running a virus scan – using antivirus software to scan your device regularly can help to detect keyloggers and flag them up to you.

How to Create a Strong Password

As this post is dedicated to password attacks, it is worth stressing that creating a strong password is vital to decrease the chances of hackers guessing your credentials and accessing your account.

There are a few ways you can ensure your password is strong, suitable, and unlikely to be guessed, so let’s take a look.

Avoid Simple Passwords

The first tip is simple: don’t use obvious or typical password ideas.

For example, avoid using “1234” or “abcd” or anything similar, such as a string of repeated characters like “0000”.

Equally, it’s a good idea to avoid using personal information such as your birth date or the college you attend, as hackers can easily obtain personal information from your social media accounts or through other forms of hacking.

Another common habit is incorporating part of the username into the password, or even using the word “password”. These are often the first combinations hackers will try, so make sure your password is completely different from your username.

Make it Brute Force Proof

As we have covered, brute force attacks test an enormous number of password combinations, so it’s important to make your password as complex as possible to prevent hackers from succeeding with this process.

When it comes to creating strong credentials, it’s important to ensure your password is between 15 and 20 characters long, as each extra character you add means thousands of extra combinations for hackers to test.

Equally important is the use of multiple character types: include uppercase and lowercase letters, numbers, and special characters, as this again increases the number of possibilities per character.

This will inevitably make your password harder to crack.

Finally, it can be tempting to use character substitutions such as switching an “o” for a “0” within a word; however, hackers can often program their software to detect these substitutions.

Overall, although complicated passwords are harder for you to remember, they are far harder for password attackers to guess.
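The advice in this section, and the brute-force description earlier in the post, can be turned into a checker that a registration form or password audit would run. The following is an added example written for this post, not the author’s or TLR’s code. It undoes common substitutions before the dictionary check (so “P@ssw0rd” is recognised as “password”), flags repeated and sequential runs like “0000” and “abcd”, flags a password containing the username, applies the 15-character minimum from the text, and estimates the keyspace and the time to exhaust it. The guess rate of one billion per second, the leet map, the small word list and the hypothetical `assess` function are all assumptions made for illustration.

```python
import math
import re
import string

MIN_LENGTH = 15                      # the post recommends 15 to 20 characters
ASSUMED_GUESSES_PER_SECOND = 1e9     # assumed attacker speed for the estimate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Common substitutions attackers already account for; undone before the word check.
LEET_MAP = str.maketrans("013457@$!", "oleastasi")

# Tiny constructed word list; a real check uses a full cracking dictionary.
CONSTRUCTED_DICTIONARY = {"password", "welcome", "sunshine", "dragon", "football", "letmein"}


def normalise(password: str) -> str:
    """Lower-case and reverse leet substitutions so 'P@ssw0rd' becomes 'password'."""
    return password.lower().translate(LEET_MAP)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, judged from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of passwords of this length over this alphabet."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def seconds_to_exhaust(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this shape at `rate` guesses/second."""
    return charset_size(password) ** len(password) / rate


def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend by one code point ('abcd', '1234')."""
    codes = [ord(c) for c in password]
    return any(
        all(codes[i + j + 1] - codes[i + j] == 1 for j in range(run - 1))
        for i in range(len(codes) - run + 1)
    )


def assess(password: str, username: str = "") -> dict:
    """Apply the post's rules and return the findings plus keyspace figures."""
    norm = normalise(password)
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too-short")
    if re.search(r"(.)\1{3}", password):              # four of the same character in a row
        findings.append("repeated-characters")
    if has_sequence(password):
        findings.append("sequential-characters")
    if any(word in norm for word in CONSTRUCTED_DICTIONARY):
        findings.append("dictionary-word")
    if username and len(username) >= 3 and username.lower() in norm:
        findings.append("contains-username")
    return {
        "findings": findings,
        "bits": round(keyspace_bits(password), 1),
        "years_to_exhaust": seconds_to_exhaust(password) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "0000abcd", "alice_rocks_2024!", "Violet!Tramline#Kettle-9Q"):
        print(pw, assess(pw, username="alice"))
```

The keyspace figure is an upper bound on attacker effort, not a measure of strength on its own: “P@ssw0rd” draws from a 94-character alphabet yet falls to a dictionary with substitution rules in seconds, which is why the word check runs on the normalised form and is reported separately from the bit count.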

6 Types of Password Attack and Ways to Prevent Them

Similar to other cyber threats, password attacks can be prevented by implementing certain processes across your organisation.

By creating strong passwords, conducting regular virus scans, and installing a VPN and MFA, you decrease the likelihood of hackers discovering and stealing your credentials.

Some threat actors will be persistent and use software to test out combinations, or aim to find weaknesses in your security network to access any information they can, not just passwords.

Here at TLR we can help to prepare you and your organisation for any attack, whether that involves stealing passwords, phishing, or ransomware. We have technology solutions such as CAVs that can help to identify vulnerabilities in your network, and cyber war games that put you in a realistic cyber attack situation to prepare you for any future threats.

If you want to combat attacks and viruses effectively, but need an extra helping hand, get in touch with our team today!

Written by

Dave Roberts