How to do it: Password Attacks

Code-first cards showing the main password attack styles, the common audit tool names people mention, and the controls that stop them.

Tool overview Rendered preview Defense first
Back to demo
Safe learning mode: this page names commonly referenced password-auditing tools for awareness, but the code examples stay on protection, monitoring, and safer authentication design.

Card 1 — brute force and dictionary pressure

Show that weak passwords fall quickly when they are short, common, or reused.

Preview + Code
password audit overview
$ audit-tools --list Hashcat → offline hash auditing John the Ripper → password audit lab Hydra → login testing in authorized labs lesson: weak passwords fail under repeated guesses

Password policy example

Teach the fix with stronger password rules instead of attack steps.

# Example validation policy
const passwordPolicy = {
  minLength: 14,
  requireUnique: true,
  blockCommonPasswords: true,
  requireMFA: true
};

// Goal: make guessing economically unhelpful.

Card 2 — credential stuffing tools and reuse

When old breach passwords are reused, automation can try them across many sites.

Preview + Code
Reuse risk
Same password on mail, shopping, and social accounts.
Commonly mentioned in awareness: Burp Intruder, Sentry MBA style combo testing.
one leaked password can spread damage

Account lock and rate-limit defense

Use defensive code to slow automation and alert on repeated failures.

# Express example
const rateLimit = require("express-rate-limit");

app.use("/login", rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: "Too many login attempts"
}));

Card 3 — password spraying and detection

Spraying tries a few common passwords across many users and can hide inside normal traffic if you do not monitor it.

Preview + Code
auth-monitor.log
[ok] mfa challenge sent [warn] 14 users hit with the same bad password [warn] geo anomaly detected response: alert SOC and force reset

Detection logic example

This turns the lesson toward monitoring instead of misuse.

# Pseudocode for alerting
if same_bad_password_attempts > 10 and distinct_users > 5:
    trigger_alert("possible password spraying")
    require_captcha = True
    force_mfa_stepup = True

Card 4 — the tools that stop it

Close the page with the defensive stack that actually protects accounts in the real world.

Preview + Code
Password manager
Generates long, unique passwords.
MFA app / security key
Adds a second step after the password.
Breach monitoring
Warns when credentials appear in known leaks.
unique password + MFA wins

Defense checklist in config style

End with the settings that matter most.

# Recommended auth settings
password_manager = "enabled"
mfa = "required"
breach_check = "on_password_change"
login_alerts = "enabled"
passkey_support = "preferred"

# Best outcome: no reused passwords and no password-only logins.