
Password attacks

Guessing, leaked-credential reuse, and credential stuffing.

What it is

Attackers try huge lists of common passwords against many accounts (dictionary attacks and password spraying, loosely called brute force), replay email/password pairs leaked from breaches of other sites (credential stuffing), or guess the password of one particular account from what they know about its owner (targeted guessing).

How attackers exploit it

Bots hammer login forms with millions of email/password pairs from public breaches, usually spread across many IP addresses so the traffic looks ordinary. Because people reuse passwords, a small but valuable fraction of those pairs also work on your site. Sites without rate-limiting, bot detection, or alerting on spikes of failed logins let many of them through.

How to protect against it

  • Block known-pwned passwords on signup and password change (HIBP k-anonymity API: send only the first five hex characters of the SHA-1 hash and match the returned suffixes locally, so the full hash never leaves your server).
  • Rate-limit logins per IP and per account, so neither a single-IP brute force nor a many-IP stuffing run against one account slips through; add a captcha after a few failures and block after more.
  • Require a second factor; better still, offer passkeys, which remove the shared-secret password entirely.
  • Notify users on new-device sign-ins so a stolen password is noticed quickly.

Reference videos

  • Password cracking explained (Computerphile)
  • Credential stuffing attacks (OWASP)