Password Attacks

As passwords, in combination with usernames, are a popular form of authentication, they are a common target for attackers. Often the success of these attacks comes down to the lack of complexity in the passwords themselves. Not employing additional security steps, such as multifactor authentication, also makes the job of an attacker that much easier.

Spraying

A password spraying attack is one in which a small number of popular passwords are used against a large number of accounts, in the hope that one or more of those accounts has used one of these passwords. The attacker keeps the number of login attempts against each account low so that the accounts are not locked out by the number of incorrect attempts; however, if invalid logins are monitored, the attack is unlikely to go unnoticed.

Dictionary

A dictionary attack is one where a list of words is used to try and guess passwords. Often an attacker will utilise password cracking software that can be configured to incorporate letter substitution with numbers and special characters, for example replacing the letter 'e' with a '3', or an 's' with a '$'. Limiting the number of invalid login attempts is a good way to help guard against this type of attack, as is the use of complex passwords that are not reused across systems. With the increasing prevalence of data breaches, all it takes is one system to be compromised for all systems to be at risk if a password is reused.

Brute Force

If random passwords are used that won't be found in any dictionary list, the only way to crack them is a brute force attack, where an attacker employs password cracking software to attempt all possible password combinations. The length of a password is important in protecting against this type of attack, because the longer the password, the more possible combinations there are.

Limiting the number of invalid login attempts also helps here, although if an attacker gets hold of the password file containing the password hashes, they can make any number of attempts offline. With increases in processing power, this type of attack is becoming more and more feasible, so care needs to be taken to ensure that passwords are securely stored.

Rainbow Table

If a password file is obtained it will likely contain a hash of each password, as opposed to the passwords themselves. So in order to use either a dictionary or brute force attack against this file, you would have to hash each guess, utilising the same hashing algorithm that was used on the passwords in the file, before comparing it with the stored hash.

A rainbow table is a table of passwords together with their corresponding hashes, already computed. Using one greatly reduces the time it takes to carry out the attack, because the hashing work has been done in advance.

To guard against the use of a rainbow table if the password file is obtained, a salt can be added to each password before hashing it. A salt is a random set of characters, different for each password, that is added to the password to increase its length before it is hashed. Because every salt would require its own precomputed table, this makes using a rainbow table ineffective.
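The salting defence described above, as an added example that is not part of the original article: a tiny constructed precomputed table finds a bare hash but not a salted one, and the stored record format, PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example (not values from the article).
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """A bare, salt-free hash: exactly what a precomputed table is built against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed: a miniature "rainbow table" mapping unsalted hash -> password.
CANDIDATES = ["password", "123456", "Summer2024!", "letmein"]
PRECOMPUTED = {unsalted_hash(p): p for p in CANDIDATES}


def lookup_precomputed(stored_hash: str) -> Optional[str]:
    """Recover a password from the table with no hashing work at all."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh random salt."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def hash_part(record: str) -> str:
    """The hash field alone, i.e. what an attacker would look up in a table."""
    return record.split("$")[3]
```

Two users who pick the same password get different records, so a table built for one salt says nothing about the other.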

Plaintext/Unencrypted

Passwords stored or transmitted in plaintext are subject to attack. There are tools available that can extract plaintext passwords from a system. Because of this, care must be taken whenever passwords are in an unencrypted form.