Online password attacks


Network services typically authenticate users using a combination of username and password. If the existence of a user is known or can be determined, an attacker can attempt to guess the corresponding password through repeated login attempts.

In contrast to offline attacks, verification is performed directly against the target service. Each attempt generates a real authentication request that must be processed by the service. The attacker is therefore fully bound to the characteristics and responses of the target system.

Process and Strategies

A typical online password attack follows a structured approach:

  1. User Identification (Enumeration):
    First, a valid username is identified. This can be achieved through publicly available information, differences in system error messages (e.g., “user does not exist”), or targeted enumeration techniques.

  2. Selecting an Attack Strategy:
    Depending on the target system and constraints, different approaches can be applied:

    • Dictionary Attack:
      Uses lists of commonly used or previously leaked passwords (e.g., rockyou.txt). This significantly reduces the search space and represents the most common approach in practice.

    • Brute-Force Attack:
      Systematic testing of all possible character combinations. Due to limited request rates, this is usually only feasible online for very short or restricted password spaces.

    • Password Spraying:
      A specialized technique where a single common password (e.g., Winter2024!) is tested against many different usernames. This helps avoid account lockout mechanisms, as only a small number of failed attempts is generated per account.
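The strategies above leave different traces on the target: a dictionary or brute-force run concentrates many failures on one account from one source, while spraying produces one or two failures each across many accounts from one source. As an added example (not part of the original article), the following Python classifier runs over constructed sshd-style auth log lines and labels each source accordingly; the log lines, addresses, usernames and thresholds are all constructed for this illustration.

```python
"""Classify failed-login patterns in auth log lines (added example).

The sample log below is constructed in the format OpenSSH writes to the
auth log; the hosts, users and addresses are not real captures.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[1001]: Failed password for admin from 203.0.113.5 port 50001 ssh2
Jan 10 09:00:02 host sshd[1002]: Failed password for admin from 203.0.113.5 port 50002 ssh2
Jan 10 09:00:02 host sshd[1003]: Failed password for admin from 203.0.113.5 port 50003 ssh2
Jan 10 09:00:03 host sshd[1004]: Failed password for admin from 203.0.113.5 port 50004 ssh2
Jan 10 09:00:03 host sshd[1005]: Failed password for admin from 203.0.113.5 port 50005 ssh2
Jan 10 09:00:04 host sshd[1006]: Failed password for admin from 203.0.113.5 port 50006 ssh2
Jan 10 09:05:00 host sshd[1101]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jan 10 09:05:01 host sshd[1102]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Jan 10 09:05:02 host sshd[1103]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Jan 10 09:05:03 host sshd[1104]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Jan 10 09:05:04 host sshd[1105]: Failed password for invalid user erin from 198.51.100.9 port 40005 ssh2
Jan 10 09:05:05 host sshd[1106]: Accepted password for frank from 198.51.100.9 port 40006 ssh2
Jan 10 09:30:00 host sshd[1201]: Failed password for alice from 192.0.2.20 port 30001 ssh2
Jan 10 09:30:40 host sshd[1202]: Accepted password for alice from 192.0.2.20 port 30002 ssh2
"""

# "invalid user" marks a failed guess against a non-existent account.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")

# Thresholds are illustrative assumptions; tune them to the environment.
BRUTE_FORCE_THRESHOLD = 5   # failures against a single account from one source
SPRAY_THRESHOLD = 4         # distinct accounts with failures from one source


def parse_failures(log_text):
    """Return ({src: {user: fail_count}}, {(src, user) that later succeeded})."""
    failures = defaultdict(lambda: defaultdict(int))
    accepted = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["src"]][m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.add((m["src"], m["user"]))
    return failures, accepted


def classify_sources(log_text):
    """Label each source as 'brute-force', 'spraying' or 'normal'.

    brute-force: many failures concentrated on one account.
    spraying:    few failures per account, spread over many accounts.
    Any account later accepted from the same source is reported alongside,
    since a success following a failure burst is the event worth triaging.
    """
    failures, accepted = parse_failures(log_text)
    verdicts = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        max_single = max(per_user.values())
        if max_single >= BRUTE_FORCE_THRESHOLD:
            label = "brute-force"
        elif len(per_user) >= SPRAY_THRESHOLD and max_single <= 2:
            label = "spraying"
        else:
            label = "normal"
        accepted_users = sorted(u for (s, u) in accepted if s == src)
        verdicts[src] = {"label": label, "failures": total,
                         "accounts": len(per_user), "accepted_users": accepted_users}
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_LOG).items():
        line = f"{src}: {v['label']} ({v['failures']} failures over {v['accounts']} accounts)"
        if v["accepted_users"]:
            line += f", later accepted as {v['accepted_users']}"
        print(line)
```

Per-account lockout counters would never fire on the second source in this sample (one failure per account), which is exactly why a per-source view is needed to see spraying at all.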

Tools and Practice

A commonly used tool for automating such attacks is Hydra. It enables systematic login attempts against various protocols such as SSH, FTP, RDP, or HTTP.

In practice, however, the tool itself is less important than the combination of valid usernames, suitable password lists, and a strategy adapted to the target system’s protection mechanisms. In penetration tests, this approach is used to evaluate the effectiveness of password policies as well as detection and protection mechanisms.

Limiting Factors and Defensive Measures

The effectiveness of online password attacks is significantly constrained by several factors:

  • Technical Latency:
    Network delays limit the number of possible requests per second: typically only a few attempts per second, far below the throughput of offline attacks.

  • Rate Limiting and Tarpitting:
    Services restrict the number of requests or deliberately increase response times after repeated failures to slow down automated attacks.

  • Account Lockout:
    Systems temporarily or permanently lock accounts after a defined number of failed login attempts.

  • Multi-Factor Authentication (MFA):
    Even if the correct password is guessed, authentication fails without the second factor. This is one of the most effective protective measures.

Conclusion

Compared to offline scenarios, online password attacks are significantly less efficient and, due to their direct interaction with the target system, relatively easy to detect. Their success largely depends on the quality of the chosen passwords and the absence of effective protection mechanisms.

In penetration testing, they primarily serve as an indicator of weak credentials and insufficient implementation of basic security controls such as rate limiting or account lockout mechanisms.


binsec academy GmbH - Online IT Security Training with Practical Focus

binsec academy GmbH is a provider of online IT security training, offering practical, lab-based courses for professionals. The academy provides hands-on training in areas such as penetration testing and secure software development. Participants gain practical experience through realistic lab environments, including simulations of company networks and applications. Courses are available in multiple programming languages and align with standards like OWASP Top 10 and PCI DSS. Upon successful completion, participants receive certifications such as the Binsec Academy Certified Pentest Professional (BACPP) and Binsec Academy Certified Secure Coding Professional (BACSCP), demonstrating their ability to identify and remediate security vulnerabilities.


binsec GmbH – Experts in Penetration Testing

binsec GmbH is a German IT security company focused on professional penetration testing. With over 10 years of experience, the team conducts in-depth penetration tests on networks, web applications, APIs, and mobile apps. Certified experts systematically identify and document security vulnerabilities to support organizations in improving their security and meeting compliance requirements.


Contact

binsec GmbH
Clemensstraße 6-8
60487 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorized Officer: Dominik Sauer, Florian Zavatzki
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808