Top 9 Different Types of Password Attacks | EasyDMARC


Weak, unsecured, stolen, and reused passwords lead to cybercrime. They let hackers access your system and exploit the information in whatever way they want. You can even lose your lifetime earnings if someone steals your passwords.

So, this World Password Day, take an oath to secure your accounts with the best preventive measures against the top 9 different types of password attacks mentioned below. Keep reading to find out what these are and how they work.


Phishing Attacks

Phishing is one of the most widely reported password attacks. In 2021, one study revealed that 83% of surveyed organizations reported email-based phishing attacks where attackers tricked users into clicking or downloading malicious links.

It’s easy to attempt these types of password attacks as hackers pretend to be genuine and trustworthy sources to whom you can reply and share sensitive credentials. Here are four common ways hackers target phishing victims:

Regular Phishing

In regular phishing, you receive a genuine-looking email asking you to reset your password. If you go ahead without confirming the sender’s authenticity, you might expose your credentials to attackers. This is usually done by redirecting you to a fake website that appears legitimate.

Spear Phishing

With the spear phishing password attack type, threat actors send emails using an email address that you recognize (usually a friend or colleague). You’re typically directed to click or download a malicious link upon opening the mail.

Smishing and Vishing

These are two types of password attacks in which you receive either a fraudulent SMS (smishing) or a voice call (vishing) asking you to share credentials or transfer money.


Whaling

In a whaling attack, you receive an email from a senior figure in your company asking for sensitive information. We often don’t confirm such an email’s veracity and send what’s been requested.

Brute Force Attacks

In a brute force attack, passwords are stolen by the hit-and-try method. Hackers make multiple, systematic attempts to obtain passwords using automated programs. They can usually bypass the limit on the number of times a password can be entered, making it even easier to hack your account. One efficient preventive measure against the brute force password attack technique is the use of a secure password manager.

A mask attack is a password-cracking tactic that allows hackers to skip non-required character combinations. This reduces the time it takes to hack your password.

Major types of brute force attacks include password spraying attacks and dictionary attacks.

Password Spraying

In a password spray attack, attackers use a selection of common passwords on a massive number of accounts. They typically target a specific cloud-based or sign-on platform. As the term suggests, a password spraying attack attempts to hack thousands (or even millions) of accounts at once, reducing the risk of the hacker getting caught.  
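The pattern described above (a few passwords tried against many accounts, so no single account reaches its lockout limit) is visible from the defender's side in authentication logs. The following is an added example, not part of the original article; the log format, the `detect_spray` function and its thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, result
SAMPLE_LOG = """\
2024-05-02T09:00:01 203.0.113.7 alice FAIL
2024-05-02T09:00:40 203.0.113.7 bob FAIL
2024-05-02T09:01:15 203.0.113.7 carol FAIL
2024-05-02T09:01:50 203.0.113.7 dave FAIL
2024-05-02T09:02:30 203.0.113.7 erin FAIL
2024-05-02T09:03:05 203.0.113.7 frank FAIL
2024-05-02T09:03:10 198.51.100.20 bob FAIL
2024-05-02T09:03:12 198.51.100.20 bob FAIL
2024-05-02T09:03:14 198.51.100.20 bob FAIL
2024-05-02T09:04:00 192.0.2.15 carol FAIL
2024-05-02T09:04:20 192.0.2.15 carol OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the assumed log format."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {ip: accounts} for sources that fail against many accounts,
    but only a few times per account, inside one sliding time window."""
    failures = defaultdict(list)
    for ts, ip, user, result in parse(log):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            wide_and_shallow = (len(per_user) >= min_accounts
                                and max(per_user.values()) <= max_per_account)
            if wide_and_shallow and len(per_user) > len(flagged.get(ip, [])):
                flagged[ip] = sorted(per_user)
    return flagged
```

Per-account lockout alone would catch the repeated failures against `bob` from 198.51.100.20 but not the spray from 203.0.113.7, which is why the check groups failures by source rather than by account.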

Dictionary Attacks

In dictionary password attacks, threat actors try a list of commonly used words and phrases instead of character-by-character attempts like brute force password attacks. These also involve popular pet names, famous movie characters, and even openly available online information like your child’s name, birthdays, etc.

Credential Stuffing

A credential stuffing password attack refers to bad actors using stolen credentials. This technique is based on the human psychology of using similar passwords for multiple programs, social media accounts, internet banking, etc.

Hackers steal passwords to check if they’re used on other platforms as well. They typically use automated tools to verify which stolen passwords are still valid on other platforms. That’s why it’s best to use two-factor authentication to secure your crucial data.

Keylogger Attacks

Keylogger or keystroke logger attacks involve a type of spyware—malicious software that allows hackers to obtain information secretly.

Keylogger password attacks are very harmful as they can expose even the strongest passwords. Hackers don’t have to crack passwords; instead, they record your keystrokes when you type. Keyloggers don’t only record passwords, but also whatever else you type, making them even more dangerous for your privacy.

Keylogger hackers don’t have to use any other technique to learn your username, credit card number, social security number, and other vital information to cause you harm. So, the best preventive measure for digital and physical data security is encoding using an encryption algorithm. This prevents hackers from accessing your computer and accounts even if they have passwords.

Man-in-the-Middle (MitM) Attacks

A man-in-the-middle password attack has three parties involved: a user, a hacker, and the platform the user is trying to access. Hackers secretly position themselves between users and third parties to intercept and steal data. They can disguise themselves as the third party and redirect the unsuspecting user to a legitimate-looking web page, much like phishing.

MY2022, an app mandated for all the Beijing Winter Olympics attendees, was manipulated using the MitM attack method. It contained sensitive information about players like passport details, medical history, demographic details, etc. Attackers could also access audio and other uploaded files.

As of January 17, the flaw still exists in version 2.0.5 of MY2022 for iOS. Imagine how this can harm the attendees and their families.

Traffic Interception

Traffic interception is a type of MitM technique deployed to conduct long password DoS attacks. A denial-of-service or DoS attack shuts down a system so that users can’t access it. With traffic interception, an attacker secretly reads or listens to information on network traffic. The common gateways of these types of password attacks are unsecured Wi-Fi or unencrypted network connections.

This is also possible with SSL hijacking, where threat actors create a bridge to intercept information exchanged between two entities. The intercepted information can be a password as well.

Rainbow Table Attacks

To understand the rainbow table password attack mechanism, it’s better to understand hashing first. Hashing is a process in which companies mathematically convert and encrypt users’ passwords. This keeps them stored as cryptographic sequences so that hackers see only encrypted values and not actual passwords.

So, a rainbow table is a key to deciphering encrypted passwords in hashing. This allows hackers to compare values against a rainbow table and decrypt numerous passwords.
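Comparing stored values against a precomputed table only works when the same password always produces the same stored value, which is what a per-user random salt prevents. The following is an added example, not part of the original article; the word list and function names are constructed for illustration, and the plain dictionary is a simplified stand-in for a real rainbow table, which uses hash chains to save space.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for commonly used passwords
COMMON = ["123456", "password", "qwerty", "letmein"]

# Precomputed digest -> password map for unsalted SHA-256 (simplified stand-in
# for a rainbow table: same idea, computed once and reused against any dump)
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}

def store_unsalted(password):
    """Weak storage: identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password, salt=None, iterations=100_000):
    """Hardened storage: random per-user salt plus a slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, digest.hex()

def verify_salted(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

def lookup(stored_digest):
    """What a precomputed table offers: an instant match if the digest is listed."""
    return PRECOMPUTED.get(stored_digest)
```

The unsalted digest of a common password is found in the table immediately, while two salted records for the same password differ from each other and from every table entry, so the table would have to be rebuilt for each individual salt.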

Final Thoughts

Hackers are becoming more sophisticated and smarter in obtaining passwords using automated tools. In a phishing attack, hackers impersonate a trustworthy email sender, while in a brute-force attack, they use the trial-and-error method to crack passwords. 

It’s best to have different passwords for all your crucial accounts as threat actors might use credential stuffing, keylogging, and other techniques to access them. Always use a strong and unguessable password and follow a secure practice when creating passwords to stay safe online and protect your accounts.

Various authors from EasyDMARC teams have contributed to our blog during the company's lifetime. This author brings everyone together.

