Passwords are the locks on your digital life — and hackers have entire toolboxes dedicated to picking them. Understanding how password attacks work is essential for anyone building security policies, choosing authentication systems, or simply managing their own accounts.
Types of Password Attacks
1. Brute Force Attack
The simplest approach: try every possible combination of characters until you find the right one. A 4-digit PIN has only 10,000 combinations — a computer cracks it in milliseconds. An 8-character password using uppercase, lowercase, and numbers has about 218 trillion combinations — crackable in hours with modern hardware. A 12-character complex password can take centuries.
Modern GPUs are remarkably powerful for brute force. A consumer RTX 4090 can test billions of MD5-hashed passwords per second. This is why password length and complexity matter enormously.
2. Dictionary Attack
Instead of random combinations, the attacker uses a wordlist — a massive file containing common passwords, dictionary words, names, phrases, and known leaked passwords. Tools like Hashcat or John the Ripper can test hundreds of millions of entries against a captured password hash in minutes.
Popular wordlists like “rockyou.txt” (14 million leaked real-world passwords) are freely available. If your password was ever leaked in a data breach, it’s almost certainly in these wordlists.
3. Credential Stuffing
Billions of username/password combinations from past data breaches are available on the dark web. Credential stuffing takes these dumps and automatically tests them against other services — banks, email providers, streaming platforms. It works because people reuse passwords. If your email and password were leaked from a gaming site, attackers will test that same combination against your bank.
It’s estimated 0.1–2% of credential stuffing attempts succeed, but when you’re testing 10 billion credentials, even 0.1% is millions of account takeovers.
4. Rainbow Table Attack
Databases store passwords as hashes (a one-way mathematical transformation) — not the plain text password. Rainbow tables are pre-computed lookup tables that map hash values back to their original passwords, allowing instant “reverse lookups” without having to compute anything on the fly.
This attack is defeated by salting — adding a random unique value to each password before hashing. Modern systems use bcrypt, Argon2, or scrypt, which include salting and are deliberately slow (making brute force massively more expensive).
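The contrast between a lookup against an unsalted fast hash and a salted, deliberately slow KDF, as an added example that is not part of the original article. The tiny precomputed table stands in for a rainbow table; scrypt is used for the defender side only because it ships in Python's standard library, and the same structure applies to bcrypt or Argon2. The password list and the scrypt cost parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a rainbow table: a precomputed map from the unsalted
# SHA-1 digest of a common password back to the password itself.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "iloveyou", "qwerty"]
PRECOMPUTED_SHA1 = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup_unsalted_sha1(stored_hash: str) -> Optional[str]:
    """Recover a password from an unsalted SHA-1 hash by pure table lookup.
    No hashing happens at query time; that is what makes rainbow tables fast."""
    return PRECOMPUTED_SHA1.get(stored_hash.lower())


# Defender side: a per-user random salt plus a slow, memory-hard KDF.
# Cost parameters are illustrative; tune them to your hardware budget.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str) -> str:
    """Store scheme, salt and digest together so the salt is available at verify time."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored values, so one
    precomputed table cannot serve both; the table must be rebuilt per salt."""
    return hash_password(password) != hash_password(password)
```

Because each stored value carries its own 16-byte salt, an attacker who wants a lookup table would need a separate table for every salt, which is why the precomputation strategy collapses against properly salted storage.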
5. Password Spraying
Instead of trying many passwords against one account (which triggers lockout), password spraying tries one common password against many accounts. For example: try “Password123!” against 10,000 employee accounts. Even if only 0.5% succeed, that’s 50 compromised accounts — from one password guess.
This technique is extremely effective against organizations that don’t enforce strong password policies, and it sidesteps account lockout protections because each individual account sees only a single failed attempt.
6. Keylogger Attack
Malware that records every keystroke you type — including passwords — and sends the log to the attacker. Password complexity means nothing against a keylogger because the attacker gets the plain text. This is one reason password managers are safer than typing passwords: auto-fill (or pasting from the clipboard) means the password never passes through the keyboard, so a keystroke logger has nothing to record.
7. Pass-the-Hash (PtH)
In Windows environments, attackers can extract the NTLM password hash from memory (using tools like Mimikatz) and use that hash directly to authenticate — without ever knowing the actual password. Changing the password doesn’t help if the attacker already has the hash. This is a common lateral movement technique in corporate network breaches.
Real-World Password Attack Examples
LinkedIn Breach (2012) — 117 Million Accounts
LinkedIn was breached and 6.5 million hashed passwords were initially dumped. In 2016, it emerged the actual breach was 117 million accounts. The passwords were hashed with unsalted SHA-1 — a fast, unsalted hash that is unsuitable for password storage and allowed the entire dump to be cracked in days using rainbow tables and GPU cracking. “123456” and “linkedin” were among the most common passwords found.
RockYou Breach (2009)
Social app developer RockYou stored 32 million passwords in plain text — no hashing at all. When breached, all 32 million passwords were immediately exposed. This dataset became “rockyou.txt,” the most widely used password cracking wordlist. It revealed that millions of real users chose passwords like “123456”, “password”, “iloveyou”, and “qwerty.”
How to Create Uncrackable Passwords (and Manage Them)
1. Use a Password Manager
This is the most important step. Password managers (Bitwarden, 1Password, KeePass) generate and store unique, random passwords for every account. You only need to remember one master password. Among free options, Bitwarden is excellent, open-source, and completely free.
2. Use Long Passphrases
For passwords you need to memorize (like your password manager master password), use a passphrase: four or more random words strung together. “correct-horse-battery-staple” is far stronger than “P@ssw0rd!” — longer, more random, and easier to remember.
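A passphrase generator together with the entropy arithmetic behind the brute-force figures in the article, as an added example that is not part of the original. The word list here is a constructed handful of words standing in for a real list (Diceware-style lists hold 7776 words, which is the size used in the calculations), and the guess rates passed to the time estimate are assumptions.

```python
import math
import secrets

# Constructed: a tiny stand-in for a real word list. Strength comes from the
# size of the list each word is drawn from, not from which words happen to appear.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "planet",
                "copper", "window", "signal", "harbor", "velvet", "meadow"]

DICEWARE_LIST_SIZE = 7776        # 6^5 words in a standard Diceware list
ALNUM_CHARSET_SIZE = 62          # upper + lower + digits, as in the 8-character example


def generate_passphrase(words, count=4, sep="-"):
    """Pick `count` words uniformly with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(word_count, list_size):
    """Each uniformly chosen word contributes log2(list_size) bits."""
    return word_count * math.log2(list_size)


def charset_entropy_bits(length, charset_size):
    """A truly random character password contributes log2(charset) bits per character."""
    return length * math.log2(charset_size)


def keyspace(entropy_bits):
    return 2 ** entropy_bits


def expected_years_to_crack(entropy_bits, guesses_per_second):
    """Expected time to hit the password by exhaustive search: on average half
    the keyspace must be tried. Assumes no dictionary shortcut applies."""
    seconds = (keyspace(entropy_bits) / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)
```

Four random Diceware words come to about 51.7 bits, more than the 47.6 bits of a fully random 8-character alphanumeric password, and a fifth word adds another 12.9 bits at the cost of one more easily remembered word. The estimate only holds for words chosen at random: a phrase you compose yourself is drawn from a far smaller effective space.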
3. Never Reuse Passwords
Every account must have a unique password. One breach shouldn’t compromise all your accounts. This is the primary defense against credential stuffing. A password manager makes this effortless.
4. Enable MFA Everywhere
Multi-factor authentication means that even if an attacker cracks or steals your password, they still can’t get in. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based MFA when possible — SMS can be intercepted via SIM swapping.
5. Monitor for Breaches
Check haveibeenpwned.com regularly to see if your email or passwords have been exposed in a breach. Enable breach alerts — HIBP and most password managers will notify you when your credentials appear in a new breach dataset.
For Sysadmins and Security Teams
- Enforce password length minimums (at least 12–16 characters) rather than complexity rules alone
- Block known compromised passwords (HIBP’s API provides a free k-anonymity model for checking passwords against 700M+ breached passwords without exposing the actual password)
- Implement account lockout or CAPTCHA after failed login attempts
- Enable and enforce MFA for all privileged accounts
- Use Windows LAPS for local administrator password management, so each machine has a unique local administrator password and a hash captured on one host cannot be replayed against others for Pass-the-Hash lateral movement
- Monitor for password spraying: alerts on multiple failed logins distributed across many accounts
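A compromised-password check using the k-anonymity model described in the second bullet, as an added example that is not part of the original article. The range endpoint and its `SUFFIX:COUNT` response format are the documented Have I Been Pwned Pwned Passwords API; the sample bucket embedded below is constructed so the example runs offline, and the counts in it are invented.

```python
import hashlib
from typing import Callable, Dict
from urllib.request import Request, urlopen

# Documented HIBP range endpoint: only the first five hex characters of the
# SHA-1 leave the client; the response lists every suffix sharing that prefix.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def fetch_range(prefix: str) -> str:
    """Live network fetch of one prefix bucket (not exercised by the offline test)."""
    req = Request(HIBP_RANGE_URL.format(prefix=prefix),
                  headers={"User-Agent": "password-policy-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 if absent).
    The full hash is never transmitted; matching happens locally on the suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(range_lookup(prefix)).get(suffix, 0)


def password_allowed(password: str, range_lookup: Callable[[str], str] = fetch_range,
                     min_length: int = 12) -> bool:
    """Policy check for a registration or password-change handler:
    length minimum first, then reject anything seen in a breach."""
    if len(password) < min_length:
        return False
    return breach_count(password, range_lookup) == 0


# Constructed sample bucket for prefix 5BAA6, the prefix of SHA-1("password").
# Counts are invented; only the middle suffix is the real suffix of that hash.
SAMPLE_BUCKETS = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
        "0112D95C3B2C2D3F31E8E8CF4B7D8E8A2AE:1",
    ])
}


def sample_lookup(prefix: str) -> str:
    """Offline replacement for fetch_range."""
    return SAMPLE_BUCKETS.get(prefix, "")
```

Because the server only ever sees a five-character prefix shared by hundreds of hashes, it cannot learn which password was checked, which is what makes it acceptable to run this against a user's candidate password at set time rather than against a stored hash.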
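Detection logic for the spraying pattern described in the Password Spraying section and in the last bullet above, as an added example that is not part of the original article. The log format and the sample lines are constructed; the thresholds are assumptions to tune against your own authentication volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, result, account, source IP.
# One source fails once each against five accounts and then succeeds on a sixth;
# the other is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL alice 203.0.113.7
2024-03-01T09:00:02 FAIL bob 203.0.113.7
2024-03-01T09:00:03 FAIL carol 203.0.113.7
2024-03-01T09:00:04 FAIL dave 203.0.113.7
2024-03-01T09:00:05 FAIL erin 203.0.113.7
2024-03-01T09:00:06 SUCCESS frank 203.0.113.7
2024-03-01T09:05:00 FAIL alice 198.51.100.2
2024-03-01T09:05:30 FAIL alice 198.51.100.2
2024-03-01T09:06:00 SUCCESS alice 198.51.100.2
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, result, account, src = line.split()
        events.append((datetime.fromisoformat(ts), result, account, src))
    return sorted(events, key=lambda e: e[0])


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag source IPs whose failures inside `window` spread over many distinct
    accounts with few attempts each. Per-account lockout counters never fire on
    this pattern, so the aggregation has to be by source, not by account.
    Returns {source_ip: sorted list of targeted accounts}."""
    by_src = defaultdict(list)
    for ts, result, account, src in events:
        if result == "FAIL":
            by_src[src].append((ts, account))

    alerts = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):                # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, acct in fails[start:end + 1]:
                per_account[acct] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts[src] = sorted(per_account)
                break
    return alerts


def successes_from_flagged_sources(events, alerts):
    """Accounts that authenticated successfully from a flagged source: the
    spray worked there, so these are the accounts to reset and investigate first."""
    return [account for ts, result, account, src in events
            if result == "SUCCESS" and src in alerts]
```

In production the source key is often an IP range or ASN rather than a single address, since sprays are commonly spread across proxies; the same sliding-window logic applies once the key is chosen.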
Summary
The era of remembering complex passwords is over. The right approach is to use a password manager for unique passwords on every site, enable MFA on all important accounts, and monitor for breach exposure. These three steps alone eliminate the vast majority of password-based account compromises.