Credential-based attacks: Key types, how they work, and defense strategies

Credential-based attacks remain a significant threat to organizations of all sizes. According to the Verizon Data Breach Investigations Report (DBIR), lost or stolen credentials are the most common way for cybercriminals to gain initial access to systems. In its Threat Horizon Report, Google Cloud said that systems with weak or no credentials were the top initial access vector, accounting for 47% of cloud environment attacks during the first half of last year. These statistics underscore the critical need for IT professionals and system administrators to understand and mitigate these attacks.

Credential-based attacks are favored by hackers due to their simplicity, high success rate, and the significant rewards they offer. By understanding these motivations, IT professionals and system administrators can better prepare and implement effective defenses to protect their organizations. We’ll cover the most common types of password attacks, how they work, and where you should be bolstering your defenses to prevent becoming compromised.  

What is a credential-based attack? 

A credential-based attack is a type of cyberattack where an adversary attempts to steal and misuse user credentials, such as usernames and passwords, to gain unauthorized access to systems, networks, and applications. The primary goal of the attacker is to bypass security measures and impersonate legitimate users, thereby gaining access to sensitive information and resources. These attacks frequently lead to data breaches, financial losses, and reputational damage. 

Types of password attacks 

Attacks focusing on passwords come in a few forms, each with their own methods and implications. Here are some of the most common types: 

Brute force attacks 

Brute force techniques involve systematically trying every possible combination of characters until the correct password is found. While time-consuming, they can be effective against weak or short passwords. 

Dictionary attacks 

A password dictionary attack involves using a list of common words, phrases, or previously used passwords to systematically attempt to log in to a user’s account. This method relies on the fact that many people use simple, easily guessable passwords, making it a relatively quick and effective way for attackers to gain unauthorized access. 

Hybrid attacks 

A hybrid password attack combines elements of dictionary attacks and brute-force attacks by using a list of common words and appending various characters, numbers, or other variations to them. This approach increases the likelihood of guessing complex passwords while still being more efficient than a pure brute-force attack. 

Mask attacks 

A mask password attack uses predefined patterns, such as specific character sets and positions, to systematically guess passwords. This method narrows down the search space by focusing on common password structures, making it more efficient than a brute-force attack while still being effective against complex passwords. 
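To make the difference between these guessing strategies concrete from the defender's side, here is an added example (not code from the article or from Specops): a policy pre-check that rejects a candidate password when dictionary, hybrid or mask guessing would reach it early, plus a search-space calculation showing why a mask is so much cheaper to exhaust than pure brute force. The six-word WORDLIST, the leet-speak table and the hashcat-style mask notation are assumptions used for illustration; a real check compares against a large breached-password corpus.

```python
import re

# Constructed stand-in for a wordlist (assumption): real policy checks compare
# against large breached-password corpora, not six words.
WORDLIST = {"password", "welcome", "summer", "company", "letmein", "qwerty"}

# Undo the character substitutions hybrid rules commonly apply ("P@ssw0rd").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# hashcat-style mask classes, used here only to size a search space.
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def brute_force_keyspace(length, alphabet=95):
    """Candidates a pure brute force must cover for one fixed length."""
    return alphabet ** length


def mask_keyspace(mask):
    """Candidates covered by a mask such as '?u?l?l?l?l?l?d?d?d?d'."""
    total = 1
    for cls in re.findall(r"\?(\w)", mask):
        total *= MASK_CLASSES[cls]
    return total


def candidate_bases(password):
    """Strip appended/prepended digits and symbols and undo leet-speak, in
    both orders, to recover the dictionary word a hybrid rule started from."""
    lowered = password.lower()

    def strip_affixes(s):
        return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)

    return {strip_affixes(lowered).translate(LEET),
            strip_affixes(lowered.translate(LEET))}


def assess_password(password):
    """Return (accepted, reason) as a policy pre-check would, rejecting
    candidates that dictionary, hybrid or mask guessing would reach early."""
    if password.lower() in WORDLIST:
        return False, "dictionary word"
    if candidate_bases(password) & WORDLIST:
        return False, "dictionary word with hybrid mutation"
    # Capitalised word + 1-4 digits + optional trailing symbol: a mask that
    # covers a large share of human-chosen passwords.
    if re.fullmatch(r"[A-Z][a-z]+\d{1,4}[^\w\s]?", password):
        return False, "matches a common mask (Capitalised word + digits)"
    if len(password) < 12:
        return False, "shorter than 12 characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["letmein", "P@ssw0rd", "Summer2024!", "Bravado2019", "Xk7#qv9!Lp2m"]:
        print(f"{pw:14} -> {assess_password(pw)}")
    mask = "?u?l?l?l?l?l?d?d?d?d"
    print(f"mask {mask}: {mask_keyspace(mask):,} candidates")
    print(f"brute force, 10 chars of 95: {brute_force_keyspace(10):,} candidates")
```

The mask check is the point to note: "Bravado2019" is not in any wordlist, yet it is rejected because a ten-character mask of that shape covers about 3 trillion candidates against roughly 6 x 10^19 for a full ten-character brute force, so structure alone makes it cheap to reach.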

Kerberoasting  

Kerberoasting is a credential-based attack that targets service accounts in Active Directory environments. It involves requesting service tickets for service accounts and then cracking them offline to obtain the account’s password. 
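As an added example (not from the article), here is a detection a SOC can run over Windows Security Event 4769 records ("A Kerberos service ticket was requested"): an account that obtains RC4-encrypted service tickets for several distinct services within a few minutes looks like ticket collection for offline cracking, while a single RC4 request is usually a legacy application. The event data, account names and SPNs are constructed; the field names mirror the 4769 event (TicketEncryptionType 0x17 is RC4-HMAC, 0x11 and 0x12 are AES), but the parsed-dict shape is an assumption about what a SIEM would export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed Windows Security Event 4769 fields. Real events
# arrive as EVTX/XML; a SIEM would expose these same fields. Times, names and
# SPNs are made up.
EVENTS = [
    {"time": "2025-01-07T09:00:01", "account": "alice@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local:1433", "enc_type": "0x12"},
    {"time": "2025-01-07T09:00:05", "account": "DC01$@CORP.LOCAL",
     "service": "ldap/dc02.corp.local", "enc_type": "0x17"},
    {"time": "2025-01-07T09:01:10", "account": "bob@CORP.LOCAL",
     "service": "HTTP/legacyapp.corp.local", "enc_type": "0x17"},
    {"time": "2025-01-07T09:02:00", "account": "jdoe@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local:1433", "enc_type": "0x17"},
    {"time": "2025-01-07T09:02:01", "account": "jdoe@CORP.LOCAL",
     "service": "HTTP/intranet.corp.local", "enc_type": "0x17"},
    {"time": "2025-01-07T09:02:01", "account": "jdoe@CORP.LOCAL",
     "service": "CIFS/files01.corp.local", "enc_type": "0x17"},
    {"time": "2025-01-07T09:02:02", "account": "jdoe@CORP.LOCAL",
     "service": "exchangeMDB/mail01.corp.local", "enc_type": "0x17"},
    {"time": "2025-01-07T09:05:00", "account": "jdoe@CORP.LOCAL",
     "service": "krbtgt/CORP.LOCAL", "enc_type": "0x17"},
]

# TicketEncryptionType values from the 4769 event: 0x17 is RC4-HMAC, whose
# tickets are keyed directly from the account's NT hash and crack far faster
# than the AES types (0x11, 0x12), whose keys are derived with a salted KDF.
RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)
SPN_THRESHOLD = 3


def is_noise(event):
    """Drop requests that are expected to be RC4 or are not SPN requests."""
    account = event["account"].split("@")[0]
    if account.endswith("$"):                           # computer accounts
        return True
    if event["service"].lower().startswith("krbtgt"):   # TGT requests, not SPNs
        return True
    return False


def detect_kerberoasting(events, window=WINDOW, threshold=SPN_THRESHOLD):
    """Return {account: [services]} for accounts that requested RC4 service
    tickets for at least `threshold` distinct services inside `window`."""
    per_account = defaultdict(list)
    for ev in events:
        if is_noise(ev) or ev["enc_type"] != RC4_HMAC:
            continue
        per_account[ev["account"]].append(
            (datetime.fromisoformat(ev["time"]), ev["service"]))

    alerts = {}
    for account, requests in per_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts[account] = sorted(services)
                break
    return alerts


def rc4_requesters(events):
    """Accounts still receiving RC4 tickets at all: the backlog to clear
    (AES-only service accounts) before the rule can be tightened to
    alert on any RC4 service ticket request."""
    return sorted({ev["account"] for ev in events
                   if ev["enc_type"] == RC4_HMAC and not is_noise(ev)})


if __name__ == "__main__":
    for account, services in detect_kerberoasting(EVENTS).items():
        print(f"ALERT possible Kerberoasting by {account}: {services}")
    print("accounts receiving RC4 tickets:", rc4_requesters(EVENTS))
```

Tune `SPN_THRESHOLD` and `WINDOW` to the environment, and treat `rc4_requesters` as a hardening work list: once service accounts have long random passwords and AES-only encryption types, the remaining RC4 requests are the ones worth investigating.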

Credential stuffing 

Attackers use lists of stolen credentials from one breach to attempt access to other accounts. Credential stuffing methods rely on the common practice of users reusing passwords across multiple sites.

Password spraying 

Similar to brute force techniques, but instead of trying many passwords on one account, attackers try a few common passwords on many accounts. A password spraying method is less likely to trigger account lockouts. Microsoft was recently hit by a successful password spraying hack.  
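The reason spraying slips past account lockouts is also the reason it is easy to miss in monitoring: each account sees only one or two failures. Here is an added example (not from the article) of the aggregation that surfaces it: failed logins grouped by source address across all accounts, which separates a spray (one source, many accounts, few attempts each) from a brute-force attempt (one source, one account, many attempts) and leaves a user who mistyped twice alone. The log format and all lines are constructed; real sources would be 4625/4776 events or VPN and identity-provider logs. Credential stuffing leaves a related footprint, typically spread across many source addresses with a single attempt per account, so the same per-account aggregation across sources applies there.

```python
import re
from collections import defaultdict

# One line per authentication attempt, in a constructed "ts result user src"
# format (assumption: real sources are 4625/4776 events, VPN or IdP logs).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def build_sample_log():
    """Construct sample log lines covering three behaviours (not real data)."""
    lines = []
    # One source, one or two guesses against each of twelve accounts: spraying.
    users = ["alice", "bob", "carol", "dave", "erin", "frank",
             "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
    for i, user in enumerate(users):
        lines.append(f"2025-01-07T09:{i:02d}:00 FAIL user={user} src=203.0.113.5")
        if i % 3 == 0:
            lines.append(f"2025-01-07T09:{i:02d}:20 FAIL user={user} src=203.0.113.5")
    # One source hammering a single account: classic brute force.
    for i in range(25):
        lines.append(f"2025-01-07T09:{i:02d}:30 FAIL user=admin src=198.51.100.7")
    # A real user mistyping twice, then succeeding: should not be flagged.
    lines += ["2025-01-07T09:10:00 FAIL user=dave src=192.0.2.10",
              "2025-01-07T09:10:15 FAIL user=dave src=192.0.2.10",
              "2025-01-07T09:10:40 OK user=dave src=192.0.2.10"]
    return lines


def parse(lines):
    """Yield parsed attempts as dicts; skip lines that do not match."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def classify_sources(attempts, spray_accounts=10, spray_max_per_account=3,
                     brute_attempts=20):
    """Aggregate failures per source IP and label the pattern.

    Per-account lockout counters miss spraying because each account sees only
    a few failures; aggregating by source across accounts is what surfaces it.
    """
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    for a in attempts:
        if a["result"] == "FAIL":
            failures[a["src"]][a["user"]] += 1

    verdicts = {}
    for src, per_user in failures.items():
        if (len(per_user) >= spray_accounts
                and max(per_user.values()) <= spray_max_per_account):
            verdicts[src] = "password spraying"
        elif len(per_user) == 1 and sum(per_user.values()) >= brute_attempts:
            verdicts[src] = "brute force"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse(build_sample_log())).items():
        print(f"{src:15} {verdict}")
```

`spray_max_per_account` should sit at or below the domain lockout threshold, since an attacker who knows that threshold will stay under it; the thresholds here are illustrative and need tuning to the environment's normal failure rate.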

Ransomware 

While ransomware itself isn’t strictly a credential-based attack, ransomware incidents often start that way. One study found that in almost 40% of ransomware attacks last year, cybercriminals used legitimate credentials or brute-force attacks to gain initial access to victim environments. 

How do attackers steal the credentials?  

  1. Phishing: This involves tricking users into revealing their credentials through deceptive emails, websites, or messages. Phishing attacks often use social engineering to exploit human psychology and trust. 
  2. Keylogging: Malware that records keystrokes to capture login credentials as they are typed. Keyloggers can be installed through various means, including malicious emails and downloads. 
  3. Man-in-the-Middle (MitM) attacks: Attackers intercept and alter communication between two parties to steal credentials. This can occur over unsecured networks or through compromised devices. 
  4. Initial access brokers: Initial access brokers obtain stolen credentials through means like the above three methods, and then sell them on the dark web and underground forums or through private channels to the highest bidder.  

How a credential-based attack works 

To understand how to prevent credential-based attacks, it’s essential to know how they typically unfold. The exact techniques and tools used can vary, but there’s a typical process we’d expect to see in most attacks relying on credentials. Here’s a step-by-step breakdown of a common attack scenario: 

  1. Reconnaissance: The attacker gathers information about the target organization, such as employee names, email addresses, and commonly used services. This can be done through social engineering, public data, or previous breaches. 
  2. Credential harvesting: The attacker uses various methods to obtain credentials. This could involve stealing passwords via malware or phishing. Or they may choose to try a brute-force attack or use known breached password lists and attempt credential stuffing. 
  3. Access attempt: With the chosen credentials, the attacker tries to log into the target’s systems or applications. They will likely use automated tools to speed up this process. 
  4. Privilege escalation: Once inside, the attacker looks for ways to escalate their privileges. This could involve exploiting vulnerabilities, using additional stolen credentials, or social engineering. 
  5. Lateral movement: The attacker may move laterally within the network to gain access to other systems and resources, increasing the scope of the breach. One of the benefits of stolen credentials is that the attacker can appear as a legitimate end user.  
  6. Data exfiltration/Malware deployment: With elevated privileges, the attacker can access and exfiltrate sensitive data, such as financial records, personal information, or intellectual property. They may choose to deploy spyware or ransomware at this stage.  
  7. Covering tracks: To avoid detection, the attacker may delete logs, install backdoors, or use other techniques to cover their tracks. Some attackers will persist in an organization’s system for a long time without being detected.  

Are there compromised passwords in your network? 

You can find out how many of your end users are using breached passwords with a quick scan of your Active Directory with our free auditing tool: Specops Password Auditor. The tool is read-only and doesn’t store Active Directory data, nor does it make any changes to Active Directory. You’ll get an easy-to-understand exportable report detailing password-related vulnerabilities that could be used as entry points for attackers. Download for free here

Why do hackers favor credential-based attacks? 

Account compromises accounted for almost one-third of global cyberattacks last year, making them the most common initial access vector for threat actors, according to IBM X-Force’s Threat Intelligence Index report. Hackers favor credential-based attacks for several compelling reasons, making them a prevalent and persistent threat in the cybersecurity landscape. 

“What you’re really seeing is an aha moment on the part of threat actors in shifting to something that works,” said Charles Henderson, global managing partner and head of IBM X-Force. “What this establishes is that the criminals have figured out that valid credentials are the path of least resistance, and the easiest way in.” 

Here’s a closer look at why these attacks are so attractive to malicious actors: 

1. Ease of execution 

Credential-based attacks are relatively simple to carry out, especially when compared to more complex methods like zero-day exploits or advanced malware. Tools and techniques for these attacks are widely available and can be easily automated, reducing the time and effort required by the attacker.  

2. High success rate 

The success rate of credential-based attacks is high due to common human behaviors and organizational practices. Many users reuse passwords across multiple accounts, and some organizations have weak password policies. This makes it easier for attackers to gain access to multiple systems with a single set of credentials. 

3. Low risk of detection 

Many traditional security measures, such as firewalls and antivirus software, are designed to detect and block malicious traffic or files. Credential-based attacks often mimic legitimate user behavior, making them harder to detect. When an attacker uses valid credentials, they can blend in with normal traffic and avoid triggering security alerts. This allows them to operate stealthily and for extended periods. 

4. Cost-effective 

For hackers, credential-based attacks are cost-effective. They require minimal resources and can be executed using free or low-cost tools. Once inside a system, attackers can access a wealth of valuable data, including financial records, personal information, and intellectual property. The potential rewards, such as access to sensitive data or financial gain, often far outweigh the costs. 

5. Wide range of targets 

Credential-based attacks can target a wide range of systems and services, from web applications and email accounts to internal networks and cloud services. This flexibility makes them a versatile tool in a hacker’s arsenal, allowing them to exploit multiple entry points. 


Three well-known credential attacks 

  1. LinkedIn (2012): An attacker stole millions of user credentials, including email addresses and hashed passwords, and later released them on the dark web. This breach highlighted the importance of strong password policies and MFA. 
  2. Uber (2016): Hackers gained access to the personal data of 57 million Uber users and drivers by using stolen credentials from a GitHub repository. Uber paid a ransom to keep the breach quiet, which later led to legal and reputational issues. 
  3. Capital One (2019): A former Amazon employee used a misconfigured firewall to access Capital One’s servers and steal the personal information of over 100 million customers. The attacker had access to credentials that were improperly stored, leading to one of the largest data breaches in history. 

How to prevent password attacks 

Preventing credential-based attacks requires a multi-layered approach that combines technical solutions, policies, and user education. Here are some key strategies: 

  1. Multi-factor authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access. This significantly reduces the risk of unauthorized access even if passwords are compromised. MFA should be a non-negotiable and is arguably the most important measure on this list. 
    MFA makes it much harder for attackers to gain unauthorized access, even if they have stolen credentials. However, MFA is not a foolproof way of protecting against credential-based attacks. Attackers can still bypass MFA through methods like phishing, social engineering, or exploiting vulnerabilities in the MFA implementation.  
  2. Strong password policies: Enforce the use of strong, unique passphrases. This greatly reduces the chances of user accounts being compromised by brute-force techniques.  
  3. User education: Train employees to recognize and avoid phishing attempts, and to use secure practices when handling credentials. Regular security awareness training can help reduce the risk of credentials falling into the wrong hands due to human error. 
  4. Regular audits and monitoring: Conduct regular audits of user accounts and monitor for unusual login activity. Implement intrusion detection systems (IDS) and security information and event management (SIEM) tools to detect and respond to potential threats. 
  5. Secure network architecture: Use secure network protocols and encrypt data in transit to prevent man-in-the-middle attacks. Segment your network to limit the impact of a breach. 
  6. Incident response plan: Develop and maintain an incident response plan to quickly address and mitigate the impact of a credential-based attack. Regularly test and update the plan to ensure it remains effective. 
  7. Check for compromised credentials: Even strong passwords can be stolen. Specops Password Policy continuously scans your Active Directory against a database of over four billion unique compromised passwords. End users with breached passwords are alerted and forced to change to a new, safe password. Don’t leave your organization vulnerable to credential-based attacks. Get in touch and we’ll set you up with a free trial.
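Three of the measures above (MFA, a strong password policy and a compromised-credential check) come together in one authentication flow, shown here as an added example that is not code from the article or from Specops Password Policy. It checks a new password for length and against a breached-hash list using a k-anonymity range lookup (only a five-character SHA-1 prefix is ever sent to the corpus; the suffix comparison is local), stores passwords with a per-user salt and PBKDF2, and verifies a TOTP second factor per RFC 6238. The four-entry breached list is constructed; the iteration count and minimum length are assumptions, and the 20-byte secret in the usage block is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import os
import struct
import time
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (assumption). Indexed by
# the first five hex characters of the SHA-1 hash so the lookup works like a
# k-anonymity "range" query: only the prefix leaves the client and the suffix
# comparison happens locally.
_KNOWN_BREACHED = ["password", "Summer2024", "Welcome1", "P@ssw0rd"]
BREACHED_BY_PREFIX = defaultdict(set)
for _pw in _KNOWN_BREACHED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACHED_BY_PREFIX[_h[:5]].add(_h[5:])


def is_breached(password):
    """Range-style lookup: fetch suffixes for the prefix, compare locally."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in BREACHED_BY_PREFIX.get(h[:5], set())


def password_policy_errors(password, min_length=12):
    """Length plus breached-list check; the breached check is what catches
    the short, structured passwords the earlier sections describe."""
    errors = []
    if len(password) < min_length:
        errors.append(f"shorter than {min_length} characters")
    if is_breached(password):
        errors.append("appears in a breached-password list")
    return errors


PBKDF2_ITERATIONS = 600_000   # assumption: slow KDF plus a per-user salt


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store salt, iteration count and digest together so they can be rotated."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, for_time=None, step=30, window=1):
    """Accept the current code or one step either side to absorb clock drift."""
    now = time.time() if for_time is None else for_time
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-window, window + 1))


def login(stored_hash, totp_secret, password, code, now=None):
    """Both factors are always evaluated and one generic reason is returned,
    so a failure does not reveal which factor was wrong."""
    password_ok = verify_password(stored_hash, password)
    code_ok = verify_totp(totp_secret, code, now)
    return (True, "ok") if password_ok and code_ok else (False, "invalid credentials")


if __name__ == "__main__":
    print(password_policy_errors("Summer2024"))
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    stored = hash_password("correct horse battery staple")
    print(login(stored, secret, "correct horse battery staple", totp(secret)))
```

The flow still has the limitations the list above mentions: a phished TOTP code is valid for the same window as a genuine one, and a breached-list check only blocks passwords that are already known, so it complements rather than replaces MFA and monitoring.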

(Last updated on January 7, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
