Network Security - Password attacks — brute force, dictionary, credential stuffing

Password attacks — brute force, dictionary, credential stuffing

What it is (high level)
Password attacks aim to gain unauthorized access by guessing, reusing, or otherwise obtaining valid credentials. Attackers try to authenticate as legitimate users so they can access systems, data, or services.


Main types

  • Brute-force attacks — attacker systematically tries every possible password (or every password in a large keyspace) until one works. Effective only when passwords are short or poorly constrained.

  • Dictionary attacks — attacker tries passwords from a curated list of common words, phrases, or leaked passwords (a “dictionary”). Faster than blind brute force because it targets likely choices.

  • Credential stuffing — attacker uses lists of real username/password pairs (from previous breaches) and tries them across many sites and services, exploiting users who reuse passwords. Often highly automated and can be successful at scale.

  • Hybrid attacks (common) — dictionary + mutation rules (e.g., add digits, leetspeak) to catch slightly altered common passwords.


Typical attack flow

  1. Acquire targets: usernames (public directories, web forms, username enumeration).

  2. Choose method: online attempts against authentication endpoints (rate-limited) or offline cracking of hashed passwords (if database dumped).

  3. Automate with tools and distributed infrastructure (botnets, cloud) to scale and evade rate limits.

  4. If successful, use credentials for lateral movement, data exfiltration, fraud, or resale.

Note: discussing exact cracking commands/tools would be actionable; this focuses on defensive understanding.


Why they succeed

  • Weak or common passwords (e.g., password123, names, predictable patterns).

  • Password reuse across sites/services.

  • Lack of rate limiting or ineffective throttling on authentication endpoints.

  • Poorly salted/weakly hashed password stores (enables offline cracking).

  • Missing multi-factor authentication (MFA).

  • Username enumeration (errors reveal which usernames exist).

  • No monitoring for rapid, distributed, or repeatedly failed login attempts.


Detection signals

  • Spike in failed login attempts from single IP, subnet, or geo-distributed sources.

  • Repeated attempts for many usernames from the same client (credential stuffing pattern).

  • High velocity of authentication attempts from new IPs or proxies (Tor, VPNs).

  • Unusual successful logins from atypical locations or devices soon after many failures.

  • Multiple accounts accessed from a single IP shortly after each other.

  • Authentication logs showing the same password tried across many accounts (indicator of stuffing).

  • Web application firewall (WAF) / IDS alerts for automated login patterns.
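As an added example (not part of the original note), the following Python flags the first, second and fourth signals above over a constructed set of login log lines; the log line format, the analysis window and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=erin result=SUCCESS
2024-05-01T10:05:00Z ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:05:01Z ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:05:02Z ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:05:03Z ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:05:04Z ip=198.51.100.9 user=admin result=SUCCESS
2024-05-01T10:20:00Z ip=192.0.2.7 user=frank result=FAIL
2024-05-01T10:20:30Z ip=192.0.2.7 user=frank result=SUCCESS
"""
LINE = re.compile(r"(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)")

def parse(log):
    """Yield (timestamp, ip, user, success) tuples from the log text."""
    for m in LINE.finditer(log):
        ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
        yield ts, m[2], m[3], m[4] == "SUCCESS"

def analyze(log, window=timedelta(minutes=5), threshold=4):
    """Return {ip: set(tags)} for clients whose activity in a sliding window matches a pattern."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse(log)):
        by_ip[ip].append((ts, user, ok))
    findings = defaultdict(set)
    for ip, events in by_ip.items():
        start = 0
        for end, (ts, user, ok) in enumerate(events):
            while ts - events[start][0] > window:        # slide the window forward
                start += 1
            fails = Counter(u for _, u, s in events[start:end + 1] if not s)
            if len(fails) >= threshold:                   # many usernames from one client
                findings[ip].add("credential_stuffing")
            if fails and max(fails.values()) >= threshold:  # one account hammered
                findings[ip].add("brute_force")
            if ok and sum(fails.values()) >= threshold:     # success right after a burst
                findings[ip].add("success_after_failures")
    return dict(findings)

if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, sorted(tags))
```

The single failed-then-successful login from 192.0.2.7 produces no finding, which is the benign "typo then retry" case a detector must not alert on.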


Preventive controls & hardening (practical defenses)

Authentication hardening

  • Enforce multi-factor authentication (MFA) for interactive access and high-privilege accounts (one of the most effective controls).

  • Require strong password policies: length (≥12 recommended), but favor passphrases and screening against known-bad lists rather than frequent forced rotation.

  • Block known-compromised passwords using breach lists (e.g., “do not allow” lists).

  • Encourage/require password managers to reduce reuse and weak choices.

Protecting authentication endpoints

  • Implement rate limiting and progressive delays on failed attempts.

  • Use account lockout carefully (avoid enabling denial-of-service via lockouts) — prefer progressive throttling and alerting.

  • Implement CAPTCHA or step-up challenges for suspicious flows (but avoid overuse that harms UX).

  • Prevent username enumeration: consistent responses for “user not found” vs “wrong password”.

  • Monitor and block traffic from known bad IP ranges, botnets, and high-risk proxies.

Server-side password storage

  • Store passwords using strong salted hashing (e.g., Argon2id, bcrypt with appropriate parameters).

  • Use per-password salts; avoid fast hashes (MD5/SHA1) for passwords.

  • Treat leaked hashes as breaches: rotate credentials and notify affected users.
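An added example (not from the original note) that ties the endpoint protections above to the storage guidance: progressive per-client throttling instead of a hard lockout, one generic error message plus equal hashing work for unknown and known usernames, and per-password salted hashing. It uses hashlib.scrypt as a standard-library stand-in for Argon2id/bcrypt, which need third-party packages; the parameters, class and function names are assumptions.

```python
import hashlib, hmac, os, time
from collections import defaultdict

# Stand-in KDF: stdlib hashlib.scrypt (assumption: Argon2id/bcrypt packages are
# unavailable). Parameters are illustrative; tune cost for your hardware.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)
SALT_LEN = 16
GENERIC_ERROR = "invalid username or password"   # same text for unknown user and bad password

def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password) with a fresh random per-password salt."""
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def verify_password(password: str, record: bytes) -> bool:
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)    # constant-time comparison

# Unknown usernames are checked against this dummy record so they cost the same
# KDF work as real ones, closing the timing side of username enumeration.
DUMMY_RECORD = hash_password(os.urandom(8).hex())

class LoginService:
    def __init__(self, users, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.users = users                  # username -> hash_password() record
        self.failures = defaultdict(int)    # (client_ip, username) -> consecutive failures
        self.blocked_until = {}             # (client_ip, username) -> monotonic deadline
        self.base, self.cap, self.clock = base_delay, max_delay, clock

    def login(self, client_ip, username, password):
        """Return (ok, message_for_client, reason_for_server_log)."""
        key, now = (client_ip, username), self.clock()
        if self.blocked_until.get(key, 0.0) > now:
            return False, GENERIC_ERROR, "throttled"   # no KDF work while throttled
        record = self.users.get(username, DUMMY_RECORD)
        ok = verify_password(password, record) and username in self.users
        if ok:
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return True, "ok", "success"
        self.failures[key] += 1
        # Progressive delay (1s, 2s, 4s, ... capped), keyed per client AND account,
        # so one client's failures never lock the account for everyone else.
        delay = min(self.base * 2 ** min(self.failures[key] - 1, 20), self.cap)
        self.blocked_until[key] = now + delay
        return False, GENERIC_ERROR, f"failure#{self.failures[key]} delay={delay:g}s"
```

The third tuple element is for server-side logs and metrics only; the client always sees the same message regardless of why the attempt failed.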

Defending against credential stuffing

  • Employ anomaly detection for login patterns (device fingerprinting, velocity checks).

  • Use reputation services and threat feeds to identify breached credential lists; proactively force resets for affected accounts when feasible.

  • Implement contextual authentication — challenge or block logins from unfamiliar devices, geographies, or rapidly changing IPs.

User & operational controls

  • Enforce TLS for all authentication traffic.

  • Provide user education on unique passwords and password manager use.

  • Offer and encourage passkeys / FIDO2/WebAuthn for phishing-resistant login where possible.

  • Monitor dark web and breach feeds for company-related credential leaks.


Detection & response (incident playbook)

  • If successful compromises are detected: immediately invalidate sessions and reset affected credentials (force password reset + revoke active tokens).

  • Require MFA re-enrollment where compromise suspected.

  • Collect and preserve authentication logs (timestamps, IPs, device fingerprints) for forensics.

  • Identify scope: which accounts, systems, and privileged access were impacted.

  • If breach of hashed password database occurred, assess hashing strength, rotate salts/secrets, and notify impacted users per policy/regulation.

  • Apply mitigations (rate limiting, blocking offending IPs, enhanced monitoring) and close the weakness that allowed the attack to scale.


Quick admin checklist

  • Require MFA for all sensitive accounts.

  • Enforce minimum length/passphrase and block known-breached passwords.

  • Use strong password hashing (Argon2id/bcrypt) with salts.

  • Add rate limiting, CAPTCHA/step-up, and device/context checks.

  • Prevent username enumeration in responses.

  • Monitor for abnormal login patterns and credential stuffing indicators.

  • Support phishing-resistant auth (passkeys/FIDO2) where possible.

  • Educate users and encourage password manager usage.


Legal/ethical note

Unauthorized password cracking or reuse testing without explicit permission is illegal. Use this guidance for defensive hardening, authorized testing under rules of engagement, or security awareness.