Weak Passwords and Credential Theft
What it is: A fundamental vulnerability arising from the use of easily guessable or predictable passwords, coupled with the techniques attackers employ to obtain legitimate user credentials. These techniques include brute-force attacks, dictionary attacks, password spraying, phishing, and exploiting data breaches in which password hashes are compromised. Stolen credentials give attackers unauthorized access to systems, applications, and sensitive data, often bypassing other security controls.
How it works: Attackers utilize various methods to exploit weak passwords. Brute-force attacks involve systematically trying every possible password combination. Dictionary attacks use lists of common words and phrases. Password spraying attempts a small number of common passwords across many accounts. Phishing, as previously discussed, can directly trick users into revealing their credentials. Additionally, attackers often obtain large databases of compromised credentials from data breaches and use them in credential stuffing attacks, attempting to log in to other services where users might have reused the same passwords.
Example with key data: Large-scale data breaches affecting platforms like Adobe (2013) and Yahoo (multiple incidents) exposed hundreds of millions of user credentials, including password hashes. Attackers then used techniques like password cracking (for weakly hashed passwords) and credential stuffing to attempt to gain access to other online services where users had likely reused the same email address and password combinations. For instance, after the Adobe breach, millions of exposed credentials were used to attempt logins on other websites, highlighting the cascading effect of weak password practices and the value of stolen credentials in subsequent attacks. The sheer volume of compromised credentials (e.g., over 3 billion in Yahoo’s case) underscores the scale of the problem and the potential for widespread unauthorized access.
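The attack patterns described under "How it works" leave different shapes in authentication logs. The following is an added example, not part of the original page: a sliding-window check over failed logins that separates repeated guessing at one account from attempts spread across many accounts. The event format, thresholds, labels, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 9, 0, 0)
# Constructed sample events: (timestamp, source IP, username, login succeeded).
# IPs are from documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    # One source guessing repeatedly at a single account.
    [(BASE + timedelta(seconds=i), "198.51.100.7", "alice", False) for i in range(30)]
    # One source making a single attempt against each of many accounts.
    + [(BASE + timedelta(seconds=20 * i), "203.0.113.9", f"user{i:02d}", False)
       for i in range(25)]
    # An ordinary user who mistypes once, then logs in.
    + [(BASE + timedelta(minutes=1), "192.0.2.44", "bob", False),
       (BASE + timedelta(minutes=2), "192.0.2.44", "bob", True)]
)

BRUTE = "brute-force/dictionary: many guesses at one account"
SPREAD = "spraying/stuffing: few guesses at many accounts"


def classify_sources(events, window=timedelta(minutes=10),
                     per_account_limit=10, distinct_account_limit=15):
    """Return {source_ip: label} for sources whose failed logins cross a
    threshold inside any sliding time window. Thresholds are assumptions."""
    failures = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures[ip].append((ts, user))

    findings = {}
    for ip, items in failures.items():
        items.sort()
        start, counts = 0, defaultdict(int)  # failures per user in the window
        for ts, user in items:
            counts[user] += 1
            while ts - items[start][0] > window:  # drop events older than window
                old = items[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if max(counts.values()) >= per_account_limit:
                findings[ip] = BRUTE
                break
            if len(counts) >= distinct_account_limit:
                findings[ip] = SPREAD
                break
    return findings


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_EVENTS).items():
        print(ip, "->", label)
```

Failure logs alone cannot tell spraying from credential stuffing, since both spread attempts across many accounts; the per-source grouping also misses attempts distributed over many source addresses.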