How Password Attacks Work
Understanding attack methods helps you create passwords that can resist them. Learn how attackers try to crack passwords.
Know Your Enemy
1. Brute Force Attacks
Try every possible combination until the password is found
A brute force attack systematically tries every possible combination of characters. It starts with "a", then "b", then "c", and continues through "aa", "ab", "ac", and so on until the correct password is found.
Why it works: Given enough time, brute force will eventually find any password. The question is whether it takes seconds, years, or centuries.
Example: Cracking "abc"
For a 3-character lowercase password, there are 26³ = 17,576 possible combinations. A modern GPU can test this in milliseconds.
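The arithmetic behind the "abc" example, carried a little further as an added illustration (this code is not from the original page): it computes the keyspace for a given alphabet and length, then converts the time to exhaust that keyspace into a human-readable duration. The guess rate of one billion guesses per second is an assumption chosen for the example, not a figure from the page; real rates depend on the hash algorithm and hardware.

```python
# Added example: keyspace size and worst-case search time for brute force.

# Alphabet sizes for the character classes compared below (26 lowercase letters
# as in the "abc" example; the other classes are included for comparison).
CHARSETS = {
    "lowercase": 26,
    "lowercase + uppercase": 52,
    "letters + digits": 62,
    "all printable ASCII": 95,
}

# Assumed attacker guess rate. This is a placeholder for the example, not a
# number from the page; it varies by hash algorithm and hardware.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols (26**3 == 17576)."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to try the whole keyspace; the attacker's worst case (average is half)."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the unit a reader cares about: seconds, years or centuries."""
    if seconds < 1:
        return "under a second"
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    if seconds < 100 * SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    return f"{seconds / (100 * SECONDS_PER_YEAR):,.0f} centuries"


def crack_time_table(length: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Worst-case search time per character class for passwords of `length` symbols."""
    return {name: human_duration(worst_case_seconds(size, length, rate))
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    print(f"26^3 = {keyspace(26, 3):,} combinations ->",
          human_duration(worst_case_seconds(26, 3)))
    for length in (8, 12, 16):
        print(f"\nlength {length}:")
        for name, duration in crack_time_table(length).items():
            print(f"  {name:<24} {duration}")
```

Note how the duration grows with length much faster than with alphabet size: adding four characters multiplies the keyspace by the alphabet size four times over, while switching from lowercase to all printable characters only multiplies it by about 3.7 per position.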
Time Complexity
Defense Strategy
2. Dictionary Attacks
Try common passwords and dictionary words first
Instead of trying every combination, dictionary attacks use lists of common passwords, dictionary words, names, and phrases. Attackers know most people choose passwords from a predictable set of words.
Why it works: Studies show that 90% of passwords are vulnerable to dictionary attacks because people choose memorable words instead of random characters.
Top 20 Most Common Passwords (All Crackable Instantly)
Dictionary attacks test these common passwords first. If your password is in the dictionary, it will be found in seconds regardless of length.
Defense Strategy
3. Hybrid Attacks
Combine dictionary words with common substitutions and patterns
Hybrid attacks combine dictionary attacks with common modifications people make to passwords. Attackers know you're likely to add numbers to the end, capitalize the first letter, or substitute symbols for letters.
Why it works: People think "p@ssw0rd" is clever, but attackers test these predictable patterns automatically.
Common Transformations Tested
All of these variations are tested automatically. If you start with a dictionary word, these "clever" modifications won't save you.
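A defender-side use of the same observation, as an added example (not code from the page): a password-policy check that undoes the predictable modifications before comparing against a list of common words, so "P@ssw0rd123!" is rejected just as "password" would be. The word list and the substitution table are constructed for the example; the page's own list of substitutions was not preserved, and real attacker wordlists are far larger.

```python
import re

# Added example: reject passwords that are a dictionary word plus predictable tweaks.

# Constructed mini word list standing in for an attacker's dictionary (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "summer", "monkey", "letmein", "football"}

# Reverse map for letter-to-symbol substitutions of the "p@ssw0rd" kind.
# This table is an assumption for the example, not the page's own list.
UNLEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(candidate: str) -> str:
    """Undo the hybrid-attack transformations: case, leet substitutions,
    appended digits/symbols ("2024", "!") and leading symbols."""
    s = candidate.lower()
    # Strip the appended suffix first, so trailing digits are not mistaken for leet letters.
    s = re.sub(r"[0-9\W_]+$", "", s)
    s = s.translate(UNLEET)
    # Drop any leading non-letters left over (e.g. "#" prefixes).
    # Limitation: a leading digit that is also a leet symbol becomes a letter.
    s = re.sub(r"^[^a-z]+", "", s)
    return s


def is_hybrid_weak(candidate: str) -> bool:
    """True if the candidate reduces to a common word once the tweaks are removed."""
    return normalize(candidate) in COMMON_WORDS


def check_password(candidate: str) -> str:
    """Policy verdict a signup form could show the user."""
    base = normalize(candidate)
    if base in COMMON_WORDS:
        return f'rejected: "{candidate}" is "{base}" with predictable modifications'
    return "accepted"


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2024!", "Dr4gon!!", "correct-horse-battery"):
        print(f"{pw:<24} {check_password(pw)}")
```

The check deliberately compares the normalized form rather than the literal string: a rule that only blocks exact dictionary words is what "p@ssw0rd" slips past.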
Common Letter Substitutions
Defense Strategy
4. Rainbow Table Attacks
Pre-computed hash lookups for instant password recovery
When passwords are stored in databases, they're usually "hashed" (run through a one-way function that converts them into a fixed-length string). Rainbow tables are pre-computed databases that map the hashes of common passwords back to their original passwords.
Why it works: Instead of computing hashes on-the-fly, attackers can instantly look up a hash in their rainbow table. If your password is common enough to be in the table, it's cracked instantly.
How Rainbow Tables Work
Attacker steals a database with hash "5f4dcc3b5aa765d61d8327deb882cf99" → Looks it up in rainbow table → Finds "password" instantly.
Defense: Password Salting
Modern systems add a random "salt" to each password before hashing. This makes rainbow tables useless: every stored password gets a different hash, even when two users chose the same password, so no single pre-computed table can cover them.
Good News
5. Credential Stuffing
Use leaked credentials from one site to access accounts on other sites
Credential stuffing takes username/password pairs leaked from data breaches and automatically tries them on other websites. Since many people reuse passwords, attackers achieve high success rates.
Why it works: Studies show that 65% of people reuse passwords across multiple sites. When one site is breached, attackers can access your accounts on completely unrelated services.
Real-World Attack Flow
Defense Strategy
Use unique passwords for every account. Even if one site is breached, credential stuffing attacks can't access your other accounts. This is THE most important defense against credential stuffing. Password managers make this easy.