Password Attacks & Cryptography · beginner · ~10 min
Explain online guessing risks (spraying), account lockout, and how MFA changes the equation.
Online attacks guess against live services: brute force/credential stuffing (many tries per account, triggers lockout) vs password spraying (one common password across many accounts, evades lockout). Lockout can cause DoS and doesn't stop spraying; prefer throttling + breach screening. MFA makes a guessed password insufficient — the top control, with known bypasses.
Spraying and credential stuffing are how real accounts get breached, and naive lockout both fails against spraying and enables DoS. MFA is the highest-impact recommendation, so understanding its strengths and bypasses matters.
Brute force/stuffing: many tries against one account; lockout-prone.
Spraying: one password × many accounts; evades lockout.
Lockout caveats: DoS risk, doesn't stop spraying → use throttling + breach screening.
MFA: cracked password insufficient; beware fatigue/SIM-swap/OTP phishing; prefer FIDO2.
Not every password attack is offline. Online attacks guess against a live service — slower and noisier, but they target people, not hashes.
Lockout after N failures stops brute force but enables denial of service (lock everyone out) and doesn't stop spraying (one try per account). Better: rate limiting, throttling/backoff, anomaly detection, and breached-password screening rather than aggressive lockout alone.
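As an added example (not part of the original lesson), the detection side of this paragraph over a small constructed auth log: per-account failure counts catch brute force, while per-source distinct-account counts catch spraying, which per-account lockout never sees; an exponential, capped backoff replaces hard lockout so failures cost the attacker time without letting anyone lock a legitimate user out. The event tuples, IPs, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log: (epoch seconds, source IP, username, outcome).
# 203.0.113.5 hammers one account (brute force); 198.51.100.9 tries each of
# many accounts once (spraying), which per-account lockout never triggers.
EVENTS = [
    (1000, "203.0.113.5", "alice", "fail"),
    (1001, "203.0.113.5", "alice", "fail"),
    (1002, "203.0.113.5", "alice", "fail"),
    (1003, "203.0.113.5", "alice", "fail"),
    (1004, "203.0.113.5", "alice", "fail"),
    (1010, "198.51.100.9", "alice", "fail"),
    (1011, "198.51.100.9", "bob", "fail"),
    (1012, "198.51.100.9", "carol", "fail"),
    (1013, "198.51.100.9", "dave", "fail"),
    (1014, "198.51.100.9", "erin", "success"),
    (1020, "192.0.2.77", "bob", "fail"),
    (1025, "192.0.2.77", "bob", "success"),
]


def classify(events, window=600, per_account=5, per_source_accounts=4):
    """Flag brute force (>= per_account failures on one account) and spraying
    (one source failing against >= per_source_accounts distinct accounts)
    within the trailing window. Thresholds are illustrative."""
    latest = max(t for t, *_ in events)
    recent = [e for e in events if e[0] > latest - window and e[3] == "fail"]
    fails_per_account = defaultdict(int)
    accounts_per_source = defaultdict(set)
    for _, src, user, _ in recent:
        fails_per_account[user] += 1
        accounts_per_source[src].add(user)
    return {
        "brute_force_accounts": sorted(
            u for u, n in fails_per_account.items() if n >= per_account),
        "spray_sources": sorted(
            s for s, users in accounts_per_source.items()
            if len(users) >= per_source_accounts),
    }


def backoff_seconds(consecutive_failures, base=1, cap=60):
    """Throttle instead of lock: delay doubles per failure but caps, so a
    legitimate user is slowed, never locked out. Key the counter by source
    as well as by account so a spray still pays per attempt."""
    if consecutive_failures <= 0:
        return 0
    return min(cap, base * 2 ** (consecutive_failures - 1))
```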
Multi-factor authentication means a cracked or guessed password isn't enough — the attacker also needs the second factor. It's the single most effective control against password attacks. But know the bypasses (covered in web/API tracks): MFA fatigue (push spam), SIM-swap on SMS factors, phishing of OTPs, and skippable/poorly-enforced MFA steps. Prefer phishing-resistant factors (FIDO2/WebAuthn).
Combine strong, slow password storage, a length-based policy, breach screening, sensible throttling (not just lockout), and MFA everywhere: defense in depth, so that no single weak password is fatal.
Online password attacks (brute force, stuffing, spraying) target live logins; lockout alone is a flawed defense, so combine throttling, breach screening, and especially MFA — the control that makes a single guessed password non-fatal.