Brute-Force Attacks
A brute-force attack tries every possible combination of characters up to a given length. Modern GPUs can test billions of hashes per second, meaning short passwords fall in seconds. An 8-character password using lowercase letters has 208 billion combinations — impressive until you realize a modern GPU can exhaust that in under a minute.
Dictionary and Rule-Based Attacks
Attackers don't start with random characters — they start with dictionaries of real words, names, and previously leaked passwords. They then apply mutation rules: capitalize the first letter, append numbers, replace vowels with symbols. These rules cover the patterns most humans use, making dictionary attacks far more efficient than pure brute force.
Credential Stuffing
When a website gets hacked, user passwords are often leaked. Attackers compile these into massive databases and automatically test them against other websites. If you reuse passwords, one breach can cascade into many account takeovers. This is one of the most common attack vectors today.
Rainbow Tables
Rainbow tables are precomputed databases mapping common passwords to their hash values, so cracking an unsalted hash of a common password becomes a near-instant lookup. Modern systems defend against this by adding a unique random salt to each password before hashing, which makes rainbow table attacks infeasible.
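The salting defense described above, as an added example that is not part of the original article: a small precomputed lookup recovers an unsalted SHA-256 hash of a common password, while per-user salted PBKDF2 hashes of the same password differ from each other and miss the table. The function names, the sample password list, and the iteration count are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample list standing in for what a precomputed table covers.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def unsalted_hash(password: str) -> str:
    """Weak storage: plain SHA-256, identical for every user of this password."""
    return hashlib.sha256(password.encode()).hexdigest()

# Built once, reusable against any database that stores unsalted SHA-256.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}

def lookup(stored_hex: str) -> str | None:
    """What a precomputed table offers: one lookup, no hashing at crack time."""
    return PRECOMPUTED.get(stored_hex)

def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened storage: unique 16-byte random salt plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def demo() -> dict:
    """Two users pick the same common password; compare both storage schemes."""
    alice_salt, alice_hash = salted_hash("password")
    _, bob_hash = salted_hash("password")
    return {
        "unsalted_found": lookup(unsalted_hash("password")),
        "salted_found": lookup(alice_hash.hex()),
        "same_password_same_hash": alice_hash == bob_hash,
        "verify_ok": verify("password", alice_salt, alice_hash),
        "verify_wrong": verify("passw0rd", alice_salt, alice_hash),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the hash and is not secret; its job is to force a separate computation per account, so no single precomputed table applies to the whole database.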
The defenses against all these attacks converge on one recommendation: use long, truly random, unique passwords for every account. A 16+ character random password defeats brute force and dictionary attacks, and makes credential stuffing useless.