Credential and Password Attacks
Key Takeaways
- Credential attacks target authentication secrets, identity systems, session tokens, and user behavior.
- Brute force attacks try many passwords for one or more accounts; password spraying tries a few common passwords across many accounts.
- Credential stuffing uses known username/password pairs from another breach.
- Phishing, smishing, vishing, and MFA fatigue target the user rather than the password database.
- Mitigations include MFA, rate limiting, lockout policy, conditional access, password managers, monitoring, and credential rotation.
Credential and Password Attacks
Authentication attacks often look similar in logs. The exam expects you to distinguish the pattern and choose a mitigation that fits the pattern.
| Attack | Pattern | Best clues | Useful mitigations |
|---|---|---|---|
| Brute force | Many guesses against an account or service | High failed attempts for one username | Lockout, rate limiting, MFA, block source |
| Password spraying | One or a few common passwords across many users | Low failures per user, many usernames | Detect horizontal failures, MFA, banned password list |
| Credential stuffing | Reused breached credentials | Successful logins from unusual locations | MFA, breached password checks, anomaly detection |
| Dictionary attack | Wordlist-based guessing | Common words plus variations | Strong password policy, password manager |
| Rainbow table | Precomputed hash cracking | Stolen unsalted hashes | Salted slow hashes, protect credential stores |
| Phishing | Deceptive message or site | User reports link, fake login page | Awareness, filtering, FIDO2/passkeys, domain protections |
| MFA fatigue | Repeated push prompts | Many denied or ignored pushes | Number matching, rate limits, phishing-resistant MFA |
| Shoulder surfing | Observing secrets physically | Public area, visible screen or keypad | Privacy filters, user training, clean desk |
Worked Log Example
| Event | User count | Failure pattern | Likely attack |
|---|---|---|---|
| 1,900 failed logins for admin in 4 minutes | 1 | Many guesses against one user | Brute force |
| 450 users each fail once with "Spring2026!" | 450 | One password across many users | Password spraying |
| 17 successful logins from residential proxies using known employee emails | 17 | Valid pairs, unusual source | Credential stuffing |
The mitigation should match the attack. A simple account lockout might slow brute force, but it can create denial of service if applied too aggressively to password spraying. MFA and risk-based conditional access are stronger answers when valid credentials are being used from suspicious contexts.
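Detection logic for the three log patterns in the table above, as an added Python example that is not part of this study guide; the sample events, the proxy address range and the thresholds are constructed for the demonstration:

```python
import ipaddress
from collections import Counter

# Mitigations copied from the attack table in this section.
MITIGATIONS = {
    "brute force": "lockout, rate limiting, MFA, block source",
    "password spraying": "detect horizontal failures, MFA, banned password list",
    "credential stuffing": "MFA, breached password checks, anomaly detection",
}

# Constructed: address range treated as residential-proxy egress for the demo.
PROXY_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def build_sample_events():
    """Constructed events (user, source_ip, result) mirroring the Worked Log Example."""
    events = [("admin", "203.0.113.5", "FAIL")] * 1900                       # one account, many guesses
    events += [(f"user{i}", "198.51.100.7", "FAIL") for i in range(450)]     # one guess per user
    events += [(f"emp{i}", f"192.0.2.{i + 1}", "SUCCESS") for i in range(17)]  # valid pairs, odd source
    return events


def triage(events, brute_min=100, spray_users=50, spray_max_per_user=3, stuff_min=5):
    """Return {attack: detail} from how failures and successes are distributed.
    Thresholds are assumptions chosen for this demo, not values from the study guide."""
    findings = {}
    fails = Counter(user for user, _, res in events if res == "FAIL")
    # Vertical pattern: failures pile up on a single username -> brute force.
    targeted = [u for u, n in fails.items() if n >= brute_min]
    if targeted:
        findings["brute force"] = f"{len(targeted)} account(s): {', '.join(targeted)}"
    # Horizontal pattern: few failures per user, but across many usernames -> spraying.
    spread = [u for u, n in fails.items() if n <= spray_max_per_user]
    if len(spread) >= spray_users:
        findings["password spraying"] = f"{len(spread)} users with <= {spray_max_per_user} failures"
    # Valid logins from suspicious sources -> credential stuffing.
    odd_ok = [u for u, src, res in events
              if res == "SUCCESS" and any(ipaddress.ip_address(src) in n for n in PROXY_NETS)]
    if len(odd_ok) >= stuff_min:
        findings["credential stuffing"] = f"{len(odd_ok)} successes from proxy ranges"
    return findings


def recommend(findings):
    """Map each detected attack to the mitigations listed in the table above."""
    return {attack: MITIGATIONS[attack] for attack in findings}


if __name__ == "__main__":
    found = triage(build_sample_events())
    for attack, detail in found.items():
        print(f"{attack}: {detail} -> {recommend(found)[attack]}")
```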
Credential Storage and Cracking
| Weakness | Why it matters | Better control |
|---|---|---|
| Plaintext passwords | Immediate disclosure if database is stolen | Never store plaintext passwords |
| Fast unsalted hash | Easy offline cracking and reuse lookup | Salted adaptive hashing |
| Shared admin password | One compromise affects many systems | Unique privileged credentials or vaulting |
| Hardcoded secret | Secret leaks with code or image | Secret manager and rotation |
| Long-lived token | Stolen token remains useful | Short lifetime, scope limits, revocation |
Social Engineering Forms
| Form | Channel |
|---|---|
| Phishing | Email or web message |
| Smishing | SMS or text message |
| Vishing | Voice call |
| Spear phishing | Targeted phishing against a specific person or group |
| Whaling | Targeted phishing against senior leaders |
Common Traps
| Trap | Correct reasoning |
|---|---|
| Treat every login failure spike as brute force | Check whether failures concentrate on one account or spread across many |
| Rotate only the visible user's password after malware | Tokens, browser sessions, API keys, and service credentials may also be exposed |
| Rely on SMS MFA for high-risk admin access | Phishing-resistant or app-based options with number matching are stronger |
| Store recovery codes in the same mailbox they protect | Recovery material should be protected separately |
Quick Drill
Pick the likely attack and control:
- One executive receives a fake DocuSign email leading to a cloned login page: spear phishing; use filtering, awareness, and phishing-resistant MFA.
- Hundreds of accounts fail once with "Password1!": password spraying; detect horizontal attempts and require MFA.
- A leaked database contains unsalted MD5 password hashes: offline cracking risk; migrate to salted adaptive hashing and force resets where needed.
A log shows one password attempted against hundreds of usernames, with only one or two failures per account. What attack is most likely?
Attackers use valid employee credentials from a previous unrelated breach to access a company portal. What is this called?
Which controls best reduce credential stuffing risk? Select two.