Security · 10 min read

Brute Force, Dictionary, and Credential Stuffing: A Plain-English Guide

Understand the three main password attack methods in simple terms.

Introduction

Understanding how attackers compromise passwords is essential to defending against them. This plain-English guide explains the three most common password attack methods (brute force, dictionary attacks, and credential stuffing) and shows how to protect yourself against each.

Brute Force Attacks

What It Is

A brute force attack tries every possible password combination until it finds the right one.

How It Works

Try: a
Try: b
Try: c
...
Try: z
Try: aa
Try: ab
...
Try: K9#mL2$pQ7@nR4!v ← Found it!

Attack Speed

Modern hardware can try:

CPU-based:

  • 1 million passwords/second (slow hashing)
  • 100,000 passwords/second (bcrypt)

GPU-based:

  • 100 billion passwords/second (MD5)
  • 10 billion passwords/second (SHA-256)
  • 100,000 passwords/second (bcrypt)

Time to Crack

| Password | Character Set | Time to Crack (GPU) |
|----------|---------------|---------------------|
| abc123 | Lowercase + numbers | Instant |
| Password1 | Mixed case + numbers | Seconds |
| P@ssw0rd! | All types, 10 chars | Hours |
| 12-char random | All types | Years |
| 16-char random | All types | Trillions of years |
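The table above comes from a simple calculation: the size of the character set raised to the password length, divided by the guess rate of the hash. The following script is an added example (not code from the original post) that reproduces that estimate for any password, using the GPU and bcrypt rates quoted above. It assumes the attacker has to exhaust the keyspace; the short times the table gives for Password1 and P@ssw0rd! come from dictionary rules rather than exhaustive search, which is the point of the next section.

```python
# Added example (not from the original post): estimate how long an exhaustive
# search of a password's keyspace takes at the guess rates quoted in the post.
import math
import string

# Guesses per second, taken from the post's GPU and bcrypt figures.
GUESS_RATES = {
    "MD5 (GPU)": 100_000_000_000,
    "SHA-256 (GPU)": 10_000_000_000,
    "bcrypt": 100_000,
}

# Character classes used to size the alphabet. Characters outside all four
# classes (e.g. space) are ignored by this simplified model.
CLASSES = [
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
]


def charset_size(password: str) -> int:
    """Size of the union of every class the password draws a character from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover: alphabet ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits; the post's target is 100+ bits."""
    return math.log2(keyspace(password))


def seconds_to_crack(password: str, rate: int) -> float:
    """Expected time: on average the right guess is found halfway through."""
    return keyspace(password) / 2 / rate


def human(seconds: float) -> str:
    """Render a duration the way the post's table does ("instant", "3.0 hours", ...)."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return "instant"


def report(password: str) -> dict:
    """Expected crack time for each hash in GUESS_RATES."""
    return {name: seconds_to_crack(password, rate) for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    for pw in ["abc123", "Password1", "P@ssw0rd!", "K9#mL2$pQ7@nR4!v"]:
        print(f"{pw!r}: {charset_size(pw)}^{len(pw)} candidates, {entropy_bits(pw):.0f} bits")
        for name, secs in report(pw).items():
            print(f"  {name:14s} {human(secs)}")
```

Running it shows two things the table compresses: the 16-character random password lands in the trillions of years even against MD5, and even the trivial abc123 moves from "instant" to hours when the site stores it with bcrypt rather than MD5, which is why the hashing algorithm matters as much as the password.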

Defense

Use long, random passwords: at least 16 characters drawn from all four character types, generated randomly rather than chosen by hand, so the keyspace is too large to search in any useful time.

Dictionary Attacks

What It Is

A dictionary attack tries common words, phrases, and known passwords instead of every combination.

How It Works

Load dictionary: [password, 123456, qwerty, letmein, ...]
Try: password ← Found it!

Common Dictionaries

RockYou (14 million passwords):

  • From 2009 MySpace breach
  • Still widely used today
  • Contains most common passwords

SecLists (millions of passwords):

  • Curated password lists
  • Common patterns
  • Leaked passwords

Have I Been Pwned (billions):

  • Real breached passwords
  • Updated regularly
  • Free API available
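The Have I Been Pwned API mentioned above can be queried without sending the password, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every known hash suffix for that prefix to compare locally. The code below is an added example, not code from the post or from Have I Been Pwned; it implements that lookup with the network call injected as a function so the demo runs offline against a constructed response. The range URL and the "SUFFIX:COUNT" response format are the public API's; the counts in the sample response are made up.

```python
# Added example (not from the original post): privacy-preserving "is this
# password in a breach corpus?" check using the k-anonymity range API.
import hashlib
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often `password` appears in the corpus (0 if never seen).

    `fetch_range(prefix)` must return the body of GET HIBP_RANGE_URL + prefix:
    one "SUFFIX:COUNT" pair per line, where SUFFIX is the remaining 35 hex
    characters of the SHA-1 hash. Only the 5-character prefix leaves the client.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def live_fetch_range(prefix: str) -> str:
    """Real network fetcher; the offline demo below does not call it."""
    import urllib.request
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range(prefix: str) -> str:
    """Offline stand-in for the API (constructed data, not a real response).

    It lists the suffix of SHA-1("password") with a made-up count, plus filler,
    and returns only filler for any other prefix.
    """
    pw_hash = hashlib.sha1(b"password").hexdigest().upper()
    filler = "0" * 34 + "A" + ":2"           # constructed filler entry
    lines = [filler, f"{pw_hash[5:]}:3861493"]  # constructed count for "password"
    return "\r\n".join(lines if prefix == pw_hash[:5] else [filler])


if __name__ == "__main__":
    for pw in ["password", "K9#mL2$pQ7@nR4!v"]:
        n = hibp_breach_count(pw, constructed_range)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in corpus")
```

The same function works against the live service by passing `live_fetch_range` instead of `constructed_range`; a signup or password-change form that rejects any password with a non-zero count removes the entire dictionary-attack surface described in this section.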

Top 10 Most Common Passwords

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. qwerty
  7. abc123
  8. password123
  9. 111111
  10. 123123

All crack instantly.

Advanced Dictionary Attacks

Word + number combinations:

password1, password2, ..., password999
summer2024, winter2024, spring2024

Leetspeak variations:

password → p@ssw0rd, pa$$word, passw0rd
admin → @dmin, adm1n, 4dmin

Keyboard patterns:

qwerty, asdfgh, zxcvbn
qwertyuiop, asdfghjkl

Common phrases:

letmein, welcome, iloveyou
monkey, dragon, master

Defense

Never use dictionary words, names, keyboard patterns, or a word with a number or year appended; leetspeak substitutions such as p@ssw0rd do not help, because cracking tools apply exactly those rules.

Always use randomly generated passwords that appear in no wordlist.
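The mutation rules listed above (appended numbers and years, leetspeak, keyboard walks) are what a login service has to undo before comparing a candidate password against a blocklist. The following code is an added example, not from the original post: a server-side password check that normalizes those patterns and rejects anything that collapses to a blocklisted word, so that Summer2024! is refused even though only "summer" is on the list. The blocklist here is a constructed handful of entries from this article; a real deployment would load a breach corpus.

```python
# Added example (not from the original post): reject passwords that are
# trivial mutations of dictionary entries, mirroring the rules crackers use.
import re
from typing import Optional

# Constructed, deliberately tiny blocklist drawn from the post's own examples.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "monkey", "dragon", "master", "admin", "summer", "winter", "spring",
}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Reverse leetspeak map: the substitutions the post lists, undone.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def normalize(password: str) -> str:
    """Strip the decorations an attacker's rule set would add, in the order
    they are usually appended: trailing symbols, then a year, then a number."""
    p = password.lower()
    p = re.sub(r"[^a-z0-9]+$", "", p)      # Summer2024! -> summer2024
    p = re.sub(r"(19|20)\d{2}$", "", p)    # summer2024  -> summer
    p = re.sub(r"\d{1,3}$", "", p)         # password123 -> password
    p = p.translate(LEET)                  # p@ssw0rd    -> password
    return re.sub(r"[^a-z0-9]", "", p)     # drop any symbols left inside


def is_keyboard_walk(text: str, min_len: int = 4) -> bool:
    """True if `text` is a run along one keyboard row, forwards or backwards."""
    t = text.lower()
    if len(t) < min_len:
        return False
    return any(t in row or t in row[::-1] for row in KEYBOARD_ROWS)


def reject_reason(password: str) -> Optional[str]:
    """Why the password is rejected, or None if it passes this check."""
    if password.lower() in BLOCKLIST:
        return f"blocklisted word {password.lower()!r}"
    core = normalize(password)
    if core in BLOCKLIST:
        return f"variant of blocklisted word {core!r}"
    if is_keyboard_walk(password) or is_keyboard_walk(core):
        return "keyboard pattern"
    return None


if __name__ == "__main__":
    for pw in ["Summer2024!", "P@ssw0rd!", "4dmin", "qwertyuiop",
               "123456", "K9#mL2$pQ7@nR4!v"]:
        print(f"{pw!r}: {reject_reason(pw) or 'accepted'}")
```

Only the last password in the demo is accepted; every other one collapses to an entry a dictionary attack would try in its first few seconds.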

Credential Stuffing

What It Is

Credential stuffing uses leaked username/password pairs from one site to access accounts on other sites.

How It Works

  1. Attacker obtains breach data:

    user@email.com:password123
    john@email.com:Summer2024!
    
  2. Tests on other sites:

    Try user@email.com:password123 on Gmail → Success!
    Try user@email.com:password123 on Bank → Success!
    Try user@email.com:password123 on Facebook → Success!
    
  3. Account takeover:

    • Access email
    • Reset other passwords
    • Steal data
    • Commit fraud

Real-World Impact

Statistics:

  • 81% of breaches involve reused passwords
  • Billions of credentials available on dark web
  • Automated tools test thousands of sites
  • Success rate: 0.1-2% (still millions of accounts)

Major incidents:

  • Disney+ (2019): Thousands of accounts compromised
  • Nintendo (2020): 300,000 accounts accessed
  • Spotify: Ongoing credential stuffing attacks
  • Banking: Millions in fraudulent transactions

Why It Works

Password reuse is common:

  • 59% of users reuse passwords
  • Average person has 100+ accounts
  • Hard to remember unique passwords
  • Convenience over security

Breaches are frequent:

  • Millions of accounts breached yearly
  • Data sold on dark web
  • Old breaches still useful
  • New breaches daily

Attack Tools

  • Sentry MBA: Popular credential stuffing tool
  • SNIPR: Automated account checker
  • Storm: Multi-threaded checker
  • OpenBullet: Open-source testing framework

These tools can test:

  • Thousands of accounts per minute
  • Hundreds of websites
  • Automatically solve CAPTCHAs
  • Rotate IP addresses

Defense

Use unique passwords: a different password for every site, so a breach at one site gives an attacker nothing that works anywhere else.

Enable 2FA:

  • Two-factor authentication stops credential stuffing
  • Even if password is stolen, account stays secure
  • Use authenticator apps (not SMS)

Monitor for breaches:

  • Check Have I Been Pwned
  • Enable breach notifications
  • Change passwords immediately if breached

Comparing the Three Attacks

Attack Characteristics

| Attack Type | Speed | Success Rate | Defense |
|-------------|-------|--------------|---------|
| Brute Force | Slow | 100% (given time) | Long passwords |
| Dictionary | Fast | High (weak passwords) | Random passwords |
| Credential Stuffing | Very fast | Low (1-2%) | Unique passwords + 2FA |

Which Is Most Dangerous?

For weak passwords: Dictionary attacks (crack in seconds)

For reused passwords: Credential stuffing (immediate compromise)

For strong, unique passwords: None (effectively immune)

Real-World Attack Scenarios

Scenario 1: The Weak Password

Victim's password: Summer2024!

Attack sequence:

  1. Dictionary attack tries common patterns
  2. Finds Summer2024! in 30 seconds
  3. Account compromised

Time: 30 seconds

Scenario 2: The Reused Password

Victim's password: MySecurePass123 (used everywhere)

Attack sequence:

  1. Forum gets breached, password leaked
  2. Attacker tries same password on email → Success
  3. Attacker tries same password on bank → Success
  4. Attacker resets all other passwords via email

Time: 5 minutes

Scenario 3: The Strong, Unique Password

Victim's password: K9#mL2$pQ7@nR4!v (unique per site)

Attack sequence:

  1. Brute force: Would take trillions of years
  2. Dictionary: Not in any dictionary
  3. Credential stuffing: Password is unique, doesn't work elsewhere

Result: Account secure

How Attackers Get Password Hashes

Database Breaches

Poorly secured:

user@email.com | password123

Result: Instant access

Properly secured:

user@email.com | $2b$12$KIXxLVq8ZG0qN7mH.Qx9ue...

Result: Must crack each password

Learn more about how websites store passwords.

Network Interception

Unencrypted HTTP:

  • Passwords sent in plain text
  • Easily intercepted on public WiFi
  • Man-in-the-middle attacks

Defense: Only use HTTPS sites

Phishing

Fake login pages:

  • Look identical to real site
  • Steal credentials directly
  • No cracking needed

Defense:

  • Check URL carefully
  • Use password manager (won't auto-fill on fake sites)
  • Enable 2FA

Defense Strategies

1. Use Long, Random Passwords

Generate with our Strong Password Generator:

  • Minimum length: 16 characters
  • Character types: All (uppercase, lowercase, numbers, symbols)
  • Generation: Cryptographically secure random
  • Entropy: 100+ bits

2. Make Every Password Unique

Bad (reused):

Email:    MyPassword123
Bank:     MyPassword123
Work:     MyPassword123

Good (unique):

Email:    K9#mL2$pQ7@nR4!v
Bank:     Xt8&Yz3*Bw6%Jq1^
Work:     Fp5!Hd9@Mk2#Ns7$

Learn how to create unique passwords for every site.

3. Use a Password Manager

Password managers counter all three attacks:

Against brute force:

  • Generate long, random passwords
  • Maximum entropy

Against dictionary:

  • No dictionary words
  • Truly random

Against credential stuffing:

  • Unique password per site
  • Auto-fill is tied to the real site's domain, so it will not fill a look-alike phishing page

4. Enable Two-Factor Authentication

2FA stops credential stuffing even if the password is stolen:

  • Attacker needs second factor
  • SMS, authenticator app, or hardware key (prefer an app or hardware key over SMS)
  • Account stays secure

Enable on:

  • Email (most important)
  • Banking
  • Social media
  • Work accounts
  • Any account with sensitive data

5. Monitor for Breaches

Use Have I Been Pwned:

  • Check if your email is in breaches
  • Enable notifications
  • Change passwords immediately

Password manager alerts:

  • Many managers check for breaches
  • Alert you to compromised passwords
  • Prompt password changes

Attack Prevention for Websites

Rate Limiting

Limit login attempts:

Max 5 attempts per minute
Max 20 attempts per hour
Temporary lockout after failures

CAPTCHA

After failed attempts:

  • Prevents automated attacks
  • Slows down brute force
  • Stops credential stuffing bots

Account Lockout

Temporary lockout:

  • After 5-10 failed attempts
  • 15-30 minute lockout
  • Email notification to user

IP Blocking

Block suspicious IPs:

  • Multiple failed attempts
  • Rapid login attempts
  • Known bot IPs
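The rate limiting, lockout, and IP-blocking rules above fit in a few dozen lines of server-side logic. The following is an added example, not code from the original post: a login guard that applies the post's own thresholds (5 attempts per minute, 20 per hour, lockout after 5 failures for 15 minutes) and adds the one signal that distinguishes credential stuffing from a single user mistyping, namely one source IP cycling through many distinct usernames. The per-IP threshold of 20 distinct accounts per minute and the log lines are this example's assumptions.

```python
# Added example (not from the original post): sliding-window rate limits,
# temporary lockout, and a credential-stuffing detector keyed on distinct
# usernames per source IP. Thresholds follow the post; the log is constructed.
from collections import defaultdict, deque
from typing import List

PER_MINUTE = 5                 # max attempts per account per minute
PER_HOUR = 20                  # max attempts per account per hour
LOCKOUT_AFTER = 5              # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60      # lockout duration
DISTINCT_USERS_PER_IP = 20     # assumption: one IP trying >20 accounts/minute is a bot


class LoginGuard:
    """Tracks login attempts and decides whether each one may proceed."""

    def __init__(self) -> None:
        self.attempts = defaultdict(deque)   # user -> attempt timestamps (last hour)
        self.failures = defaultdict(int)     # user -> consecutive failures
        self.locked_until = {}               # user -> time the lockout ends
        self.ip_users = defaultdict(deque)   # ip -> (timestamp, user) in last minute
        self.blocked_ips = set()

    def check(self, now: float, ip: str, user: str, success: bool) -> str:
        """Record one attempt (success = did the password verify?) and return
        the decision: "allow", "limited", "locked" or "blocked_ip"."""
        if ip in self.blocked_ips:
            return "blocked_ip"
        if self.locked_until.get(user, 0.0) > now:
            return "locked"

        # Credential-stuffing signature: one IP, many different accounts.
        ipq = self.ip_users[ip]
        while ipq and ipq[0][0] < now - 60:
            ipq.popleft()
        ipq.append((now, user))
        if len({u for _, u in ipq}) > DISTINCT_USERS_PER_IP:
            self.blocked_ips.add(ip)
            return "blocked_ip"

        # Per-account sliding-window limits (minute and hour).
        q = self.attempts[user]
        while q and q[0] < now - 3600:
            q.popleft()
        q.append(now)
        if sum(1 for t in q if t >= now - 60) > PER_MINUTE or len(q) > PER_HOUR:
            return "limited"

        # Temporary lockout after consecutive failures; a success resets the count.
        if success:
            self.failures[user] = 0
            return "allow"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_AFTER:
            self.failures[user] = 0
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "allow"


# Constructed sample log: "<seconds> <ip> <user> <fail|ok>". The sixth line is
# the correct password arriving while the account is already locked.
SAMPLE_LOG = """\
0 203.0.113.5 alice fail
10 203.0.113.5 alice fail
20 203.0.113.5 alice fail
30 203.0.113.5 alice fail
40 203.0.113.5 alice fail
50 203.0.113.5 alice ok
"""


def replay(log: str) -> List[str]:
    """Feed a log through a fresh guard and return the decision per line."""
    guard = LoginGuard()
    decisions = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        decisions.append(guard.check(float(ts), ip, user, result == "ok"))
    return decisions


def simulate_stuffing(count: int = 25) -> List[str]:
    """One IP trying a different account every second with a leaked password."""
    guard = LoginGuard()
    return [guard.check(float(i), "198.51.100.7", f"user{i}", False) for i in range(count)]


if __name__ == "__main__":
    print("alice:", replay(SAMPLE_LOG))
    print("stuffing:", simulate_stuffing())
```

Note what the two runs show: per-account limits alone never trip during the stuffing run, because each account sees a single attempt; only the per-IP view catches it, which is why the post lists IP blocking separately from rate limiting.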

Password Hashing

Use strong algorithms:

  • bcrypt (recommended)
  • scrypt
  • Argon2

Never use:

  • Plain text
  • MD5
  • SHA-1

Testing Your Security

Red Flags (Vulnerable)

You're vulnerable if:

  • ❌ You reuse passwords
  • ❌ Your passwords are short (less than 12 chars)
  • ❌ You use dictionary words
  • ❌ You don't use 2FA
  • ❌ You haven't checked for breaches

Green Flags (Secure)

You're secure if:

  • ✅ Every password is unique
  • ✅ Your passwords are long (16+ characters)
  • ✅ Your passwords are random, not dictionary words or patterns
  • ✅ You use 2FA
  • ✅ You have checked for breaches

Conclusion

Three main attacks:

  1. Brute Force: Tries every combination
     • Defense: Long passwords (16+ chars)
  2. Dictionary: Tries common words/patterns
     • Defense: Random passwords
  3. Credential Stuffing: Reuses leaked passwords
     • Defense: Unique passwords + 2FA

Protect yourself:

✅ Use long, random passwords
✅ Make every password unique
✅ Store in password manager
✅ Enable 2FA everywhere
✅ Avoid common patterns
✅ Check for breaches regularly

Ready to create attack-resistant passwords? Use our Strong Password Generator to generate secure, random passwords instantly.
