Common Types of Password Attacks

Trevor Chandler

Jul 4, 2020
Credential Stuffing is not an Attack form. It is collecting Passwords to use them on other sites.
What is missing here is: Password Spraying
or Rubberhose Attack, which is not mentioned in every Security Course.

Thank you for sharing.
The community needs more eyes like yours Mr. Michael Schmitz. Thank you for your contribution!!!
 
MFA and a lockout policy virtually eliminate every password attack.
Quite right. This is why both MSFT and Google have gone on a rampage about getting rid of Passwords. Sometimes, MFA can be a real pain in the butt - like trying to log in on my phone, having to switch to the authenticator app, and then losing the password session - wash-rinse-repeat. But really, MFA is a staple these days. Not using it is just asking to be hacked.

Well said, and unlike me, succinctly, Greg. ;)
 
MFA does not have to involve looking at the phone. I use Twilio Authy and have the app running on both my phone and my desktop computer. If I am at my desktop and get the MFA prompt, I just switch to the Authy app on the desktop and view the code.
I wonder if that doesn't break MFA down, though.

If a bad actor is using your desktop and has your password, can he not just start up Authy, view the code and get the second factor? I suspect Authy has another password, at least?

Granted, two passwords is not true MFA or anything...

Am I missing something?