Password attacks remain one of the most common causes of compromised hosting accounts.
Despite advances in server-side security, firewalls, and malware detection, attackers frequently bypass these simply by logging in with stolen user credentials.
For website owners, this can result in the website being defaced, injected with malware or used for phishing attacks.
For resellers, it can mean multiple customer accounts compromised at once, along with damage to intellectual property and your brand's reputation.
Once an account is compromised, further attacks can follow, such as DNS Poisoning and Persistent XSS.
In this post, we’ll explore password attacks and how to defend against them.
Why Password Attacks Are So Effective in Hosting Environments
Hosting platforms expose multiple authentication points by design such as control panels, CMS admin interfaces (e.g. WordPress admin), FTP/SFTP services and webmail portals.
Attackers do not need to find a software vulnerability as seen in ‘traditional’ hacking methods if they can log in with credentials.
Most password attacks are automated, continuous, and opportunistic, scanning the internet for weak credentials at scale.
Common Types of Password Attacks
Brute-Force Attacks
A brute-force attack consists of an attacker or bot attempting a large number of password combinations against an authentication point.
Modern attacks are fully automated to maximise attempts in a short window and distributed across many IP addresses to avoid detection.
Attackers rely on probability; short passwords with limited character variation, or commonly used passwords, dramatically reduce the number of guesses required.
Mitigation
- Long, complex & unique passwords
- Login rate limiting, temporary bans and lockouts
- CAPTCHA or challenge-response mechanisms (StackProtect)
- MFA/2FA (Multi-Factor Authentication/Two-Factor Authentication)
Dictionary Attacks
Dictionary attacks improve efficiency by replacing random guesses with curated password lists.
These lists are frequently updated with the latest common password trends, usually seen in past data breaches.
These lists contain:
- Common passwords (Pa55w0rd, Summer2021! etc)
- Variations of common words
- Real passwords from historic breaches
Attack tools apply transformations (capitalisation, suffixes, special characters) to maximise success. Applying minimal changes to a password (e.g. Password123 to Pa55w0rd123!) will have little effect in mitigating this attack vector.
Mitigation
- Enforce minimum length over complexity rules
- Block known-breached passwords
- Educate users on passphrases
- MFA/2FA
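The point above is that cosmetic changes such as Pa55w0rd123! do not survive an attacker's transformation rules, so a registration check should undo those same transformations before comparing against a breached-password list. The following is an added example, not code from the original post: the breached list is a constructed sample, and the field names and thresholds are assumptions.

```python
import re

# Constructed sample of breached/common passwords, stored lowercased. A real
# deployment would load a full breach corpus (e.g. the Have I Been Pwned list).
BREACHED = {"password", "summer2021", "qwerty", "letmein", "welcome"}

# Common substitutions that attack tools' rule sets undo automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed policy: length over complexity


def normalise(password):
    """Return the base forms a dictionary attack's rules would reach from this password."""
    lowered = password.lower()
    no_symbols = re.sub(r"[^a-z0-9]+$", "", lowered)   # strip trailing '!', '?', '.' etc.
    no_suffix = re.sub(r"[^a-z]+$", "", lowered)       # also strip trailing digits/years
    forms = {lowered, no_symbols, no_suffix}
    forms |= {f.translate(LEET) for f in list(forms)}  # undo leet-speak substitutions
    return {f for f in forms if f}


def check_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if normalise(password) & BREACHED:
        problems.append("matches a known-breached password after normalisation")
    return problems


if __name__ == "__main__":
    for candidate in ("Pa55w0rd123!", "Summer2021!", "purple-tractor-echo-42"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Pa55w0rd123! passes a naive length-and-complexity rule but is rejected here because stripping the suffix and undoing the substitutions yields "password".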
Credential Stuffing
Credential stuffing uses real username/password pairs obtained from third-party breaches. Often, these are leaked from an external service and published on the dark web for illicit actors to abuse.
Because of this, even the strongest passwords fail if they are reused, and because only a single login attempt is made per account, brute-force prevention methods are never triggered.
Mitigation
- Unique passwords per account
- MFA/2FA
- Access Control Lists (ACL)
- Forced password resets after breach exposure
Password Spraying
Instead of attacking one account repeatedly, attackers choose one or two common passwords and attempt them across many accounts. This is particularly effective against mailboxes and allows the attempts to stay below lockout thresholds, making them more inconspicuous than brute-force attacks.
This is particularly effective where shared password habits and weak enforcement of password uniqueness are present.
Mitigation
- Detect failed attempts across accounts
- Enforce strong password policies
- MFA/2FA
- Monitoring at the platform level
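Brute-force and password-spraying attempts look different in an authentication log: the first is many failures against one account from one source, the second is a few failures each against many accounts from one source, each staying under the per-account lockout. The detector below, an added example rather than code from the original post, runs both checks over a constructed log sample; the log format, thresholds and IP addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the "ts ip=... user=... result=..." format is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:08Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:10Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:04Z ip=198.51.100.9 user=carol result=FAIL
2024-05-01T10:01:09Z ip=198.51.100.9 user=dave result=FAIL
2024-05-01T10:01:15Z ip=198.51.100.9 user=erin result=FAIL
2024-05-01T10:02:00Z ip=192.0.2.77 user=frank result=FAIL
2024-05-01T10:02:20Z ip=192.0.2.77 user=frank result=OK
"""

BRUTE_FORCE_THRESHOLD = 5   # failures against one account from one source within WINDOW
SPRAY_THRESHOLD = 4         # distinct accounts failed from one source
WINDOW = timedelta(minutes=10)


def parse(line):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            fields["ip"], fields["user"], fields["result"])


def detect(log_text):
    """Return {"brute_force": {(ip, user), ...}, "spray": {ip, ...}}."""
    fails = defaultdict(list)          # (ip, user) -> sorted failure timestamps
    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)
        if result == "FAIL":
            fails[(ip, user)].append(ts)
    brute, users_per_ip = set(), defaultdict(set)
    for (ip, user), times in fails.items():
        times.sort()
        # Sliding window: any run of THRESHOLD failures that fits inside WINDOW.
        for i in range(len(times) - BRUTE_FORCE_THRESHOLD + 1):
            if times[i + BRUTE_FORCE_THRESHOLD - 1] - times[i] <= WINDOW:
                brute.add((ip, user))
                break
        users_per_ip[ip].add(user)     # per-source count of distinct failed accounts
    spray = {ip for ip, users in users_per_ip.items() if len(users) >= SPRAY_THRESHOLD}
    return {"brute_force": brute, "spray": spray}
```

Note that 198.51.100.9 never exceeds one failure per account, so a per-account lockout alone would miss it; only the cross-account view at platform level catches the spray.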
Phishing Attacks
Phishing bypasses technical security by exploiting user trust and gaining legitimate credentials through coercion or social engineering.
Steps typically involve an attacker curating a fake login page that looks and acts identical to the legitimate target. They will then send out phishing emails to victims en masse to trick users into entering their credentials into the illicit site.
The illicit website sends the credentials to the attacker, who will then use them to log into the legitimate site. Email and password combinations will also be used across different services to chance the victim reusing credentials.
Mitigation
- User awareness and training on phishing
- MFA (prevents reuse of stolen credentials)
- Domain and certificate verification habits
Malware-Based Credential Theft
Malware is installed on a user’s device through phishing or other means. Typical malware will record keystrokes, steal saved browser passwords and hijack authenticated sessions. Credentials are captured before encryption or hashing takes place.
Mitigation
- Endpoint security and patching
- MFA/2FA
- Limit credential reuse across environments
Hash-Based Attacks
If attackers obtain a password database, the passwords are usually stored in hashed form and are useless on their own. Cryptographic hashes are designed to be one-way functions, meaning there is no way to reverse a hash back into its plaintext, usable form. However, hashing alone always generates the same hash value for a given password.
Instead, attackers will utilise rainbow tables, which are large databases containing passwords and their known hash values. They will then compare hashes against their known values and use the plaintext password to access accounts. Alternatively, attackers can use passwords to generate hashes on the fly and compare the hashed values to the stolen password hashes.
With advancements in technology, tools can crack password hashes at faster rates each year. It is impossible to provide consistent times for each password due to variables like what hashing algorithm or hardware is used.
The below table gives a rough idea of just how easy it can be.

Mitigation
- Slow, adaptive password hashing algorithms, such as Bcrypt
- Salting
- Strong password policies
- MFA/2FA
Salting is the process of adding unique random values to a password before hashing. This changes the resulting hash even if two users choose an identical password.
With salting, identical passwords produce different hashes, which renders precomputed rainbow tables useless. Attackers would need a separate table for each salt value, which is infeasible in most cases.
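To make the two preceding paragraphs concrete, the added example below (not code from the original post) builds a tiny precomputed lookup table of unsalted SHA-256 hashes, shows that it recovers a stored unsalted hash in one dictionary lookup, and then shows that a salted, deliberately slow hash of the same password differs on every run and can only be checked by re-hashing with the stored salt. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here; the password list is constructed.

```python
import hashlib
import hmac
import os

# Constructed mini "rainbow table": unsalted SHA-256 -> plaintext, the kind of
# precomputation an attacker can do once for any common-password list.
COMMON = ["123456", "password", "Summer2021!", "Pa55w0rd"]
LOOKUP = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}

ITERATIONS = 600_000  # cost factor; raise it as hardware gets faster


def crack_unsalted(stored_hex):
    """One table lookup is all an unsalted fast hash costs the attacker."""
    return LOOKUP.get(stored_hex)


def hash_salted(password, salt=None):
    """Hash with a fresh random 16-byte salt (returned alongside the digest for storage)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo(password="Summer2021!"):
    unsalted = hashlib.sha256(password.encode()).hexdigest()
    salt_a, hash_a = hash_salted(password)
    salt_b, hash_b = hash_salted(password)   # same password, different salt
    return {
        "unsalted_cracked": crack_unsalted(unsalted) == password,
        "salted_hashes_differ": hash_a != hash_b,
        "verify_correct": verify_salted(password, salt_a, hash_a),
        "verify_wrong": verify_salted("Summer2022!", salt_a, hash_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The table that cracks the unsalted hash instantly is worthless against hash_a or hash_b: the attacker would need a new table per salt, and each entry in it costs 600,000 iterations to compute.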
Tracking Compromised Data
Monitoring services that scan breach databases for stolen content are available online, such as Have I Been Pwned?.
This service collects and analyses thousands of database dumps containing leaked account information and allows users to search for their own information by entering their email address.
Reports include the company that leaked the data, what data was leaked and the date of the incident.
Why MFA Changes the Threat Landscape
Multi-factor authentication introduces a second requirement that adds an extra layer of security to accounts. This is often categorised as something you have (authenticator app, hardware token) or something you are (biometrics).
This means stolen passwords alone are insufficient, automated attacks fail at the second step and credential reuse becomes irrelevant.
For resellers, MFA can be the difference between one compromised login and dozens of affected customers.
Consider enabling MFA/2FA on your account today.
Special Considerations for Resellers & Agencies
Reseller accounts represent a higher-value target because they often control multiple hosting environments, have elevated privileges and are reused across internal systems.
Best practices include:
- MFA on all reseller and admin-level accounts
- Strict application of the principle of least privilege
- Separate credentials per service
- Regular access reviews and audits
Final Thoughts
Password attacks are constant, automated and relentless with compromises occurring through authentication, not software exploits. Regardless of how good server security is, password attacks are still a monumental threat.
Modern prevention relies on strong, complex and unique passwords coupled with MFA. Active measures like auditing and frequently updating passwords are imperative to keeping existing accounts secure.
