Introduction
Understanding how attackers compromise accounts is the first step to defending against them. This guide breaks down the most common account attack methods and shows you exactly which defenses stop which attacks.
We’ll walk through the attacker’s perspective: what they try, what works, and what stops them cold. Whether it’s physical access, social engineering, database breaches, or malware, you’ll see how password managers and 2FA block these attacks at different stages.
For practical implementation guidance on creating strong passwords and setting up security tools, see our companion guide: Password Security Best Practices in 2025.
How It Works
Password attacks aren’t random. Attackers follow systematic methods to steal credentials, and they know which defenses to expect. Understanding this attack/defense landscape helps you prioritize your security investments.
The attack surface:
Passwords can be compromised through four main vectors:
- Physical access: Direct observation or theft of written passwords
- Social engineering: Tricking you into revealing passwords
- Database breaches: Stealing password hashes from compromised services
- Malware: Software that records keystrokes or intercepts passwords
Each attack method has different success rates depending on your defenses. A password manager stops some attacks completely but does nothing against others. 2FA acts as the final gate that blocks attackers even when they have your password.
Attack vectors and defense layers:
```mermaid
graph TD
    %% Attack methods on same line
    PHYS[Physical access<br/>Look for passwords]:::infoNode
    SOCIAL[Social engineering<br/>Phishing, fake IT calls]:::infoNode
    BREACH[Database breach<br/>Website hacked]:::infoNode
    MALWARE[Install malware<br/>Keylogger, MITM]:::infoNode
    subgraph Attacker chooses method
        PHYS
        SOCIAL
        BREACH
        MALWARE
    end
    %% Physical - depends on what's visible
    PHYS --> PHYS_CHECK{Visible passwords?}:::neutralNode
    PHYS_CHECK -->|Post-its, notebooks| GOT_PW[Password obtained]:::dangerNode
    PHYS_CHECK -->|Password manager used| PHYS_FAIL[Attack fails<br/>No visible passwords]:::successNode
    %% Malware - depends on auto-fill
    MALWARE --> MAL_CHECK{Auto-fill in use?}:::neutralNode
    MAL_CHECK -->|Typed passwords| GOT_PW
    MAL_CHECK -->|Password manager| MAL_FAIL[Attack fails<br/>Keylogger bypassed]:::successNode
    %% Social always works
    SOCIAL --> GOT_PW
    %% Database breach - password cracking
    BREACH --> CRACK{Password type?}:::neutralNode
    CRACK -->|Common/Dictionary/Short<br/>password123, P@ssw0rd, aB3$xK9m| CRACK_FAST[Password cracked<br/>Seconds to hours]:::dangerNode
    CRACK -->|Long 16+ unique per site<br/>correct-horse-battery-staple| CRACK_SLOW[Password cracked eventually<br/>Isolated to one site]:::warningNode
    CRACK_FAST --> GOT_PW
    CRACK_SLOW --> GOT_PW
    %% Try login
    GOT_PW --> LOGIN[Attacker attempts login]:::infoNode
    %% 2FA final defense
    LOGIN --> TFA{2FA enabled?}:::neutralNode
    TFA -->|No 2FA| COMPROMISED[Account compromised]:::dangerNode
    TFA -->|Hardware/App| BLOCKED[Attack blocked]:::successNode
    TFA -->|SMS| EVENTUALLY_COMPROMISED[Partial protection<br/>SIM swap risk]:::warningNode
    %% Custom styles
    classDef infoNode fill:#93c5fd,stroke:#2563eb,stroke-width:2px,color:#1e3a8a
    classDef dangerNode fill:#ef4444,stroke:#b91c1c,stroke-width:2px,color:#fff
    classDef successNode fill:#10b981,stroke:#047857,stroke-width:2px,color:#fff
    classDef warningNode fill:#f59e0b,stroke:#d97706,stroke-width:2px,color:#fff
    classDef neutralNode fill:#6b7280,stroke:#374151,stroke-width:2px,color:#fff
```
The diagram shows password security from an attacker’s perspective. Follow the paths to see how different defenses stop different attacks:
1. Attacker picks a method: Physical access, social engineering, database breach, or malware
2. Your defenses determine the outcome:
   - Physical access fails if you use a password manager (no visible passwords)
   - Malware fails if you use password manager auto-fill (keylogger bypassed)
   - Social engineering always gets the password (humans are the weak link)
   - Database breach outcome depends on password strength and uniqueness
3. Password cracking stage: Fast for weak/common passwords, slow for long unique ones
4. Final defense - 2FA: Even if attacker has your password, 2FA blocks account access
Key insight: Notice how multiple attacks lead to “Password obtained” - but 2FA is the final gate. Even if your password leaks, 2FA stops the attacker from logging in.
Attack Method Breakdown
Physical Access Attacks
How it works: Attacker gains physical access to your workspace and looks for written passwords.
Common scenarios:
- Post-it notes on monitors
- Password notebooks in desk drawers
- Passwords taped under keyboards
- Unattended unlocked computers
Defense effectiveness:
| Defense | Effectiveness | Why |
|---|---|---|
| Password Manager | ✅ Complete | No written passwords to find |
| Screen Lock | ✅ Complete | Can’t access unlocked computer |
| Privacy Screen | ⚠️ Partial | Hides screen from shoulder surfing |
| 2FA | ✅ Complete | Password alone isn’t enough |
What stops it: Using a password manager eliminates the need to write passwords down. Even if someone sees your password, 2FA stops them from logging in.
Social Engineering Attacks
How it works: Attacker tricks you into revealing your password through psychological manipulation.
Common scenarios:
- Phishing emails with fake login pages
- Phone calls pretending to be IT support
- Fake password reset requests
- “Verify your account” scams
Defense effectiveness:
| Defense | Effectiveness | Why |
|---|---|---|
| Password Manager | ⚠️ Partial | Generated passwords hard to speak aloud |
| Domain Verification | ⚠️ Partial | User must notice fake domain |
| Hardware 2FA | ✅ Complete | Hardware keys verify legitimate domain |
| App 2FA | ⚠️ Partial | TOTP can be phished but expires quickly |
What stops it: Social engineering bypasses password security entirely. Hardware security keys (like YubiKey) are the only defense that verifies the domain automatically. App-based 2FA helps because codes expire, but can still be phished.
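Why a hardware key "verifies the domain" deserves a closer look, because it is the property that makes it phishing-resistant where a typed code is not. The Python below is an added example, not code from the original guide: it models the two WebAuthn checks that bind an assertion to the site it was made on. The browser fills in the page's real origin (a page cannot forge it) and only allows a relying-party ID that matches that origin; the key hashes that ID into the data it signs; the server compares both against the values it expects. The domain names, the challenge, and the simplified authenticator data are constructed for illustration, and the private-key signature a real key produces over that data is omitted from the model.

```python
import hashlib
import json

# Constructed scenario: the legitimate site and a look-alike phishing domain
# (the same paypa1.com vs paypal.com pattern this guide warns about).
LEGIT_RP_ID = "paypal.com"
LEGIT_ORIGIN = "https://paypal.com"
PHISH_RP_ID = "paypa1.com"
PHISH_ORIGIN = "https://paypa1.com"
CHALLENGE = "c0ffee-constructed-challenge"  # fresh random value per login, from the server


def browser_and_key_respond(page_origin: str, rp_id: str, challenge: str) -> tuple[bytes, bytes]:
    """Client side. The browser records the origin the page really has (a page
    cannot override it) and only allows an rp_id that is a registrable suffix of
    that origin's host. The key then hashes the rp_id into the data it signs."""
    host = page_origin.removeprefix("https://")
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("browser refuses: rp_id does not match the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()  # first 32 bytes of authData
    flags = bytes([0x05])                                 # user present + user verified
    sign_count = (1).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + sign_count
    # A real key also signs auth_data || sha256(client_data) with the credential's
    # private key, so an attacker cannot edit these fields afterwards; that
    # signature is omitted in this model.
    return client_data, auth_data


def relying_party_verify(client_data: bytes, auth_data: bytes, expected_challenge: str) -> bool:
    """Server side: the checks the relying party performs before trusting an assertion."""
    parsed = json.loads(client_data)
    if parsed.get("type") != "webauthn.get":
        return False
    if parsed.get("challenge") != expected_challenge:
        return False  # stale or replayed assertion
    if parsed.get("origin") != LEGIT_ORIGIN:
        return False  # assertion was produced on another site
    expected_hash = hashlib.sha256(LEGIT_RP_ID.encode()).digest()
    return auth_data[:32] == expected_hash


def login_attempt(page_origin: str, rp_id: str) -> str:
    """Outcome of one login for a user whose browser is on page_origin."""
    try:
        client_data, auth_data = browser_and_key_respond(page_origin, rp_id, CHALLENGE)
    except ValueError:
        return "blocked by browser"
    if relying_party_verify(client_data, auth_data, CHALLENGE):
        return "accepted"
    return "rejected by server"


if __name__ == "__main__":
    print("real site:            ", login_attempt(LEGIT_ORIGIN, LEGIT_RP_ID))
    print("phish, own domain:    ", login_attempt(PHISH_ORIGIN, PHISH_RP_ID))
    print("phish, borrowed rp_id:", login_attempt(PHISH_ORIGIN, LEGIT_RP_ID))
```

The contrast with TOTP is the point: a phishing page can relay a six-digit code unchanged, but any assertion it obtains from the key carries the phishing origin and rp_id hash, and the real site rejects it without the user having to notice the wrong domain.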
Database Breach Attacks
How it works: Attacker hacks a website and steals the password database, then cracks the hashed passwords offline.
Common scenarios:
- Major service breach (LinkedIn, Adobe, Dropbox)
- Small site with weak security
- SQL injection attack
- Insider theft
Password cracking timeline:
| Password Type | Crack Time | Example |
|---|---|---|
| Common passwords | < 1 second | password123, qwerty, admin |
| Dictionary + substitution | Minutes | P@ssw0rd, h3ll0w0rld |
| Short random (8 chars) | Hours to days | aB3$xK9m |
| Long unique (16+ chars) | Centuries | correct-horse-battery-staple |
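The crack times in the table follow from two numbers: the size of the search space and how many guesses per second the attacker can make against the stolen hashes. The estimator below is an added example, not code from the original guide. The guess rates are assumed figures (a GPU rig against a fast unsalted hash versus a deliberately slow hash such as bcrypt), and the word-list size of 7,776 assumes the attacker knows which diceware list the passphrase came from. It goes a little beyond the table by showing how much the site's choice of hash and the number of words change the outcome: a four-word passphrase cracked against a fast hash lands in the "hours" range, while six words, or a slow hash, pushes it out of reach.

```python
import math

# Assumed guess rates (constructed for illustration, not measured figures): a
# GPU rig against a fast unsalted hash such as MD5 or SHA-1, versus a
# deliberately slow password hash such as bcrypt at a sensible cost factor.
GUESS_RATES = {
    "fast hash (MD5/SHA-1 on a GPU)": 1e11,
    "slow hash (bcrypt)": 1e4,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Password classes as (alphabet size, length). 94 = printable ASCII characters;
# 7776 = size of a common diceware word list, assuming the attacker knows which
# list was used. A "common password" is modelled as one entry in a 10-million
# entry leaked-password list.
PASSWORD_CLASSES = {
    "common password (10M-entry list)": (10_000_000, 1),
    "short random, 8 printable chars": (94, 8),
    "passphrase, 4 diceware words": (7776, 4),
    "passphrase, 6 diceware words": (7776, 6),
    "long random, 16 printable chars": (94, 16),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search has to consider."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Keyspace expressed as bits of entropy (log2)."""
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit the right candidate: half the keyspace at the given rate."""
    return space / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the coarse units the timeline table uses."""
    if seconds < 1:
        return "under a second"
    years = seconds / SECONDS_PER_YEAR
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if years < 1:
        return f"{seconds / 86400:.0f} days"
    if years < 1000:
        return f"{years:.0f} years"
    return f"{years:.1e} years"


def crack_table() -> dict[str, tuple[float, dict[str, str]]]:
    """For every password class: (entropy bits, {guess-rate name: crack time})."""
    table = {}
    for name, (alphabet, length) in PASSWORD_CLASSES.items():
        space = keyspace(alphabet, length)
        table[name] = (
            round(entropy_bits(space), 1),
            {rate_name: human_time(expected_crack_seconds(space, rate))
             for rate_name, rate in GUESS_RATES.items()},
        )
    return table


if __name__ == "__main__":
    for name, (bits, times) in crack_table().items():
        print(f"{name:34} {bits:6.1f} bits  " +
              "  |  ".join(f"{k}: {v}" for k, v in times.items()))
```

Two things the numbers make concrete: an 8-character random password and a 4-word passphrase have almost the same entropy (about 52 bits), so neither survives a fast hash for long, and you do not control which hash a site uses, which is why uniqueness per site matters as much as length.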
Defense effectiveness:
| Defense | Effectiveness | Why |
|---|---|---|
| Unique Passwords | ✅ Complete | Breach isolated to one site |
| Long Passwords (16+) | ✅ Complete | Crack time exceeds attacker resources |
| Password Manager | ✅ Complete | Generates long, unique passwords |
| 2FA | ✅ Complete | Cracked password still can’t login |
What stops it: Long, unique passwords per site. Even if one site is breached, attackers can’t use that password elsewhere. 2FA stops them from using cracked passwords.
Malware Attacks
How it works: Attacker installs malware on your device that records passwords as you type them.
Common scenarios:
- Keyloggers that record every keystroke
- Screen capture trojans
- Man-in-the-middle attacks on network traffic
- Clipboard hijacking
Defense effectiveness:
| Defense | Effectiveness | Why |
|---|---|---|
| Password Manager Auto-fill | ✅ Complete | Bypasses keylogger (no typing) |
| Antivirus | ⚠️ Partial | Detects known malware only |
| HTTPS | ✅ Complete | Encrypts network traffic |
| 2FA | ✅ Complete | TOTP codes expire quickly |
What stops it: Password manager auto-fill bypasses keyloggers completely since you never type the password. Even if malware captures the password, 2FA codes expire in 30 seconds.
Defense Layer Comparison
Understanding which defenses stop which attacks helps you prioritize your security investments.
| Attack Method | How It Works | Without Protection | With Password Manager | With 2FA |
|---|---|---|---|---|
| Post-it Notes | Physical theft of written passwords | ❌ Password stolen | ✅ No written passwords needed | ✅ Still need second factor |
| Shoulder Surfing | Watching you type passwords | ❌ Password visible | ✅ Auto-fill hides typing | ✅ TOTP codes change every 30s |
| Phishing Emails | Fake login pages steal credentials | ❌ You type password into fake site | ⚠️ Might detect wrong domain | ✅ Hardware keys verify domain |
| SMS Interception | SIM swap or SS7 attack | ❌ Attacker gets reset code | ✅ Reduces reliance on SMS | ⚠️ SMS 2FA compromised |
| Phone Theft | Stolen unlocked phone | ❌ Access to saved passwords | ✅ Master password required | ✅ Can’t access without 2FA device |
| Email Compromise | Attacker controls email inbox | ❌ Can reset all passwords | ⚠️ Still vulnerable to resets | ✅ Can’t complete reset without 2FA |
| Keyloggers/Trojans | Malware records keystrokes | ❌ All typed passwords stolen | ✅ Auto-fill bypasses keylogger | ✅ TOTP expires quickly |
| Man-in-the-Middle | Intercepts network traffic | ❌ Password captured over HTTP | ✅ HTTPS + auto-fill helps | ✅ Session tokens harder to reuse |
| Social Engineering | Tricking you into revealing password | ❌ You give password away | ⚠️ Generated passwords hard to speak | ✅ Can’t bypass 2FA by phone |
| Database Breach | Website hacked, passwords leaked | ❌ Reused = all accounts compromised | ✅ Unique per site = isolated breach | ✅ Old passwords useless |
Key insight: Password managers stop password reuse. 2FA stops password theft. Together, they block most attack vectors.
Best Practices
1. Use a Password Manager
Why: Stops physical access, keyloggers, and credential reuse attacks.
How it helps:
- Generates long, random passwords automatically
- Auto-fill bypasses keyloggers
- No written passwords lying around
- Unique password per site isolates breaches
Available options (all solid choices):
- Bitwarden - Open source, free tier, self-hostable
- 1Password - User-friendly, family plans, travel mode
- Dashlane - VPN included, dark web monitoring
- KeePassXC - Fully offline, open source, no cloud
- LastPass - Free tier, established platform
- Proton Pass - Privacy-focused, from Proton Mail team
- Apple Keychain - Built into macOS/iOS, seamless integration
- Google Password Manager - Built into Chrome/Android, zero setup
Choose based on your needs: cross-platform support, self-hosting, privacy focus, or convenience. Any password manager is better than reusing passwords.
Setup checklist:
- Set a strong master password (20+ characters)
- Enable 2FA on the password manager itself
- Set up emergency access for trusted contacts
- Use auto-generated passwords (16-32 characters)
2. Enable 2FA Everywhere
Why: The final defense that blocks attackers even with your password.
Method comparison:
| Method | Security | Phishing Resistant | Best For |
|---|---|---|---|
| Hardware Keys (YubiKey) | Highest | ✅ Yes | High-value accounts |
| Authenticator Apps | High | ⚠️ TOTP can be phished | Most accounts |
| SMS Codes | Low | ❌ SIM swap vulnerable | Last resort only |
Priority order:
- Email (protects password resets)
- Banking and financial
- Work accounts
- Social media
- Everything else
3. Understand Your Threat Model
Individual users:
- Primary threat: Phishing and database breaches
- Focus: Password manager + authenticator app 2FA
- Cost: Free
High-value targets (executives, journalists):
- Primary threat: Targeted attacks and social engineering
- Focus: Hardware keys + hardware-encrypted password vaults
- Cost: $50-200 for hardware
Organizations:
- Primary threat: Insider threats and targeted attacks
- Focus: SSO + hardware keys + endpoint security
- Cost: $3-10 per user/month
4. Check for Breaches Regularly
Why: Know when your passwords are compromised before attackers use them.
How:
- Visit haveibeenpwned.com quarterly
- Enable breach notifications in your password manager
- Set up alerts for suspicious login attempts
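Checking a password against haveibeenpwned.com does not require sending the password, or even its full hash, to anyone: the Pwned Passwords range API uses a k-anonymity scheme in which only the first five hex characters of the SHA-1 hash leave your machine and the matching is done locally. The Python below is an added example, not code from the original guide or from haveibeenpwned.com. The range response it matches against is a constructed stand-in (only the first suffix, the real SHA-1 suffix of "password", is genuine; the other lines and all counts are made up), so the example runs offline; a `live_fetch` function shows the real request shape but is not called.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed stand-in for the Pwned Passwords range response for prefix 5BAA6.
# Each line is "<35 hex chars of SHA-1 suffix>:<times seen in breaches>". The
# first suffix is the real SHA-1 suffix of "password"; the other line and all
# counts are made up. A count of 0 is how the API pads responses and means
# "not a real match".
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "0AB2E8BC1C2B7EFA5D3BD5A19F1D6D3C2A9:2\n"
    + "F" * 35 + ":0\n"
)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-character prefix ever leaves your machine."""
    return digest_hex[:5], digest_hex[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn the SUFFIX:COUNT lines into a lookup table, dropping padding entries."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        if int(count) > 0:
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Fetcher used in this example so it runs without network access."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real fetcher against the Pwned Passwords API (not called in this example).
    Add-Padding asks the service to pad the response so its size leaks nothing."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple"):
        n = pwned_count(candidate, offline_fetch)
        print(f"{candidate!r}: {f'seen {n} times, change it' if n else 'not in sample data'}")
```

A password manager's breach notification feature is doing essentially this lookup for every entry in your vault; running it yourself is useful when you need to vet a password before it goes into the vault at all.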
Action plan when breached:
- Change password immediately
- Check for unauthorized account activity
- Review connected apps and revoke suspicious ones
- Enable 2FA if not already active
Common Pitfalls
Reusing Passwords Across Sites
The problem: One breach compromises all accounts.
Why it’s dangerous: Attackers test breached credentials on every major service. When LinkedIn was breached in 2012, attackers tried those passwords on banks, email providers, and corporate VPNs.
The fix: Password manager with unique passwords per site.
Using SMS for 2FA
The problem: SIM swap attacks bypass SMS 2FA.
How it works: Attacker convinces mobile carrier to transfer your number to their SIM card. Now they receive your 2FA codes.
The fix: Use authenticator apps or hardware keys instead.
Trusting Password Reset Links
The problem: Phishing emails disguised as legitimate password resets.
How to spot them:
- Check sender email carefully (paypa1.com vs paypal.com)
- Hover over links before clicking
- Go directly to site instead of clicking email links
The fix: Bookmark important sites, never click email links.
Storing Passwords in Browser
The problem: No master password protection on most browsers.
Why it’s risky: Anyone with physical access can view stored passwords. Malware can extract them easily.
The fix: Use a dedicated password manager with master password + 2FA.
Quick Reference Checklist
Defending against password attacks:
- Use password manager (stops keyloggers, physical access, reuse)
- Enable 2FA on email first (protects password resets)
- Hardware keys for high-value accounts (stops phishing)
- Authenticator apps for everything else (better than SMS)
- Check haveibeenpwned.com quarterly (detect breaches early)
- Never write passwords down (eliminates physical risk)
- Use auto-fill instead of typing (bypasses keyloggers)
Understanding your risk:
- Physical access: Lock screen, use password manager
- Social engineering: Hardware 2FA keys
- Database breach: Long, unique passwords
- Malware: Password manager auto-fill + 2FA
If you’re breached:
- Change password immediately
- Review account activity
- Enable 2FA
- Check for connected apps
Standards and References
- NIST SP 800-63B - Digital Identity Guidelines
- OWASP Authentication Cheat Sheet - Security best practices
- haveibeenpwned.com - Check for compromised credentials
- MITRE ATT&CK: Credential Access - Enterprise attack techniques
Summary
Password security is about layers. Each defense stops specific attacks, but no single defense stops everything.
The layered approach:
- Password manager: Stops physical access, keyloggers, and password reuse
- Long, unique passwords: Makes database breach cracking impractical
- 2FA: Final gate that stops attackers even with your password
- Awareness: Understanding attacks helps you avoid social engineering
What stops what:
- Physical attacks → Password manager (no visible passwords)
- Social engineering → Hardware 2FA keys (domain verification)
- Database breaches → Long, unique passwords (isolated + uncrackable)
- Malware → Password manager auto-fill (bypasses keyloggers)
No defense is perfect, but combining password managers with 2FA blocks most real-world account attacks. For more on creating strong passwords and choosing the right tools, see our Password Security Best Practices guide.