Domain 2: Threats, Vulnerabilities, and Mitigations Module 17 of 61

Cryptographic and Password Attacks

Security+ Domain 2 — Threats, Vulnerabilities, and Mitigations C — Malicious Activity and Mitigations 12–16 minutes

What the Exam Is Really Testing

Candidates consistently mix up the password attack types on this topic. Brute force vs. spraying. Credential stuffing vs. dictionary attacks. Rainbow tables vs. brute force against hashes. They sound similar, but the exam draws sharp distinctions between them — and expects you to do the same.

Identify specific password attack techniques from scenario descriptions, understand how cryptographic attacks undermine encryption, and select the correct countermeasure for each attack type.

Password attacks and cryptographic attacks are frequently tested together because they both target the mechanisms that protect data and access. Getting the terminology right is half the battle here.

Password Attacks

Brute Force

Brute-force attacks try every possible combination of characters until the correct password is found. They are guaranteed to succeed given enough time, but time requirements grow exponentially with password length and complexity.

A 4-character numeric PIN has 10,000 possibilities. A 12-character password mixing uppercase, lowercase, numbers, and symbols has over 475 trillion. This is why password length matters more than complexity.

Mitigations: account lockout policies, rate limiting, long password requirements, and multi-factor authentication.

Dictionary Attack

Dictionary attacks use lists of common passwords, words, and phrases instead of trying every possible combination. They are faster than brute force because they exploit the fact that humans choose predictable passwords.

Dictionary lists include common passwords ("password123", "letmein"), common words, names, and variations with simple substitutions ("p@ssw0rd").

Password Spraying

Password spraying tries a small number of commonly used passwords against many accounts simultaneously. Instead of trying many passwords against one account (which triggers lockout), it tries one password against every account, then moves to the next password.

Example: trying "Summer2026!" against all 5,000 email accounts in the organization. If even 1% use that password, the attacker compromises 50 accounts without triggering any lockout threshold.

Password spraying is effective because it evades per-account lockout policies. The mitigation is detecting distributed authentication failures across multiple accounts and enforcing password policies that prohibit common patterns.

Rainbow Tables

Rainbow tables are precomputed lookup tables that map password hashes back to their plaintext values. Instead of hashing each guess in real time, the attacker looks up the stolen hash in the table and retrieves the original password instantly.

Rainbow tables are defeated by salting — adding a unique random value to each password before hashing. Salting ensures that identical passwords produce different hashes, making precomputed tables useless.

Credential Stuffing

Credential stuffing uses username-password pairs stolen from one breach to attempt login on other services. It exploits the fact that most users reuse passwords across multiple platforms.

An attacker obtains millions of credentials from a social media breach and automatically tests them against banking, email, and corporate systems. Any reused password grants immediate access.

Mitigations: multi-factor authentication (renders stolen passwords insufficient), monitoring for login attempts from known breached credential lists, and user education about password reuse.

Hybrid Attacks

Hybrid attacks combine dictionary and brute-force techniques. They start with dictionary words and append or prepend numbers, symbols, and character substitutions.

Examples: "Summer" becomes "Summer2026!", "Summer2026#", "summer2026!", and so on. This approach defeats simple complexity requirements while remaining much faster than pure brute force.

Cryptographic Attacks

Downgrade Attack

A downgrade attack forces a system to use a weaker, older version of a cryptographic protocol instead of the current secure version. The attacker interferes with the protocol negotiation process to make both parties agree on a vulnerable cipher suite or protocol version.

Example: forcing a TLS 1.3 connection to fall back to TLS 1.0, which has known vulnerabilities. The attacker can then exploit the weaknesses in the older protocol to intercept or decrypt communications.

Mitigation: disable support for deprecated protocol versions entirely. If the server does not support TLS 1.0, a downgrade to TLS 1.0 is impossible.

Collision Attack

A collision attack finds two different inputs that produce the same hash output. If an attacker can create a malicious file with the same hash as a legitimate file, digital signatures and integrity checks become meaningless.

MD5 and SHA-1 are vulnerable to collision attacks. This is why they have been deprecated in favor of SHA-256 and SHA-3 for security-critical applications.

Birthday Attack

The birthday attack is a mathematical approach to finding hash collisions more efficiently than brute force. Named after the birthday paradox (in a room of just 23 people, there is a 50% chance two share a birthday), it shows that collisions are more likely than intuition suggests.

For the exam, understand that the birthday attack means hash functions need larger output sizes than you might expect. A 128-bit hash can be attacked with approximately 2^64 attempts, not 2^128.

Key Length Issues

Encryption strength is directly related to key length. Short keys can be brute-forced with modern computing power:

  • DES (56-bit) — Crackable in hours with modern hardware
  • 3DES (112/168-bit) — Deprecated but still found in legacy systems
  • AES-128 — Currently secure for most applications
  • AES-256 — Recommended for sensitive data and long-term protection
  • RSA below 2048-bit — No longer considered secure

The exam tests whether you recognize insufficient key length as a cryptographic weakness and know current minimum recommendations.

Indicators of Cryptographic Failure

Signs that cryptographic protections have failed or are insufficient:

  • Data transmitted in plaintext when encryption was expected
  • Use of deprecated algorithms (MD5, SHA-1, DES, RC4)
  • Self-signed certificates in production environments
  • Expired or revoked certificates still in use
  • Hard-coded encryption keys in application source code
  • Certificate warnings dismissed by users or applications
  • Unencrypted backup files containing sensitive data

Pattern Recognition

When you see a password or cryptographic attack question:

  1. Is the attack targeting passwords or encryption?
  2. Is it an online attack (against a live service) or offline (against stolen data)?
  3. Does it use a precomputed resource (rainbow table, dictionary)?
  4. Does it target protocol negotiation (downgrade) or algorithm weakness (collision)?

Pattern shortcuts:

  • Every combination tried sequentially = brute force
  • Common words and phrases tried = dictionary attack
  • One password tried across many accounts = password spraying
  • Stolen credentials from one site tried on another = credential stuffing
  • Hash looked up in precomputed table = rainbow table
  • Protocol forced to use older version = downgrade attack
  • Two inputs producing same hash = collision attack

Trap Patterns

Common traps:

  • Confusing spraying with brute force. Brute force tries many passwords against one account. Spraying tries few passwords against many accounts. The distribution pattern is the key difference.
  • Confusing credential stuffing with dictionary attacks. Credential stuffing uses real credentials from breaches. Dictionary attacks use word lists. Stuffing attacks use actual username-password pairs, not just passwords.
  • Assuming rainbow tables work on salted hashes. Salting defeats rainbow tables by making each hash unique. If a question mentions salted passwords, rainbow tables are not the correct attack.
  • Treating all deprecated algorithms the same. The exam distinguishes between deprecated (should not use) and broken (must not use). Know which algorithms fall into which category.

Scenario Practice

Question 1

A security team detects that someone is attempting to log in to the organization's VPN using the password "Welcome1!" across 3,000 different user accounts over a 4-hour period. No individual account has more than one failed attempt.

Which attack technique is being used?

Answer & reasoning

Answer: Password spraying

The attacker is trying a single common password against many accounts rather than many passwords against a single account. The pattern of one attempt per account avoids triggering account lockout policies.

This is not brute force (which would show many attempts against one account) or credential stuffing (which would use unique credential pairs from a breach, not the same password for all accounts).

Question 2

After a data breach at a social media company, an attacker uses the leaked email and password combinations to attempt logins on banking and email platforms. Several accounts are successfully compromised.

Which attack technique is being used, and what is the MOST effective defense?

Answer & reasoning

Answer: Credential stuffing, mitigated most effectively by multi-factor authentication

The attacker used real credentials from one breach to access accounts on other platforms where users reused the same passwords. Multi-factor authentication is the most effective defense because even if the password is correct, the attacker cannot provide the second factor.

Password complexity requirements would not help because the passwords are real, valid passwords that were already in use.

Question 3

A security audit discovers that a web server still supports TLS 1.0 and SSL 3.0 alongside TLS 1.3. An attacker intercepts the connection negotiation and manipulates it so the client and server agree to use SSL 3.0, which has known vulnerabilities.

Which attack type is this?

Answer & reasoning

Answer: Downgrade attack

The attacker interfered with the protocol negotiation to force both parties to use a deprecated, vulnerable protocol version. The connection was downgraded from TLS 1.3 (secure) to SSL 3.0 (broken).

The fix is to disable all deprecated protocol versions on the server. If SSL 3.0 is not supported, it cannot be negotiated regardless of attacker manipulation.

Key Takeaway

The short version:

Password attacks exploit human behavior. Cryptographic attacks exploit mathematical weaknesses. The defense for both is using current standards and adding layers of protection.

For exam day, make sure you can distinguish each attack type cold: salting defeats rainbow tables, MFA defeats credential stuffing, disabling deprecated protocols defeats downgrade attacks, and key length determines cryptographic strength.

Use strong algorithms. Use long keys. Use multiple factors. Disable what you do not need.

Next Module Module 18: Mitigation Techniques and Controls