Password Attacks and MFA
A practical explanation of how credentials are stolen, reused and protected with multi-factor authentication.
Objectives and practical frame
At the end of this module, you will be able to:
- 01
understand brute force, dictionary attacks and credential stuffing
- 02
distinguish 2fa and mfa
- 03
manage backup codes and phone changes
- 04
reject unexpected mfa prompts
- 05
prioritize the most critical accounts
5.1 Why it is important to understand password attacks
This section focuses on why it is important to understand password attacks as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
Password attacks do not only try random combinations: they reuse stolen credentials, exploit dictionaries, phishing, keyloggers and MFA prompts approved by mistake. This module shows why multi-factor authentication reduces risk and how to manage it without dangerous reflexes.
5.1.1 Brute-force attack
This detail focuses on brute-force attack in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
MFA does not remove every risk, but it greatly reduces the damage of stolen passwords when prompts, backup codes and recovery are handled carefully
MFA does not remove every risk, but it greatly reduces the damage of stolen passwords when prompts, backup codes and recovery are handled carefully.
5.1.2 Dictionary attack
This detail focuses on dictionary attack in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
5.1.3 Credential stuffing
This detail focuses on credential stuffing in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
5.1.4 Password spraying
This detail focuses on password spraying as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.1.5 Credential phishing
This detail focuses on credential phishing as a form of deception built around context, pressure and a requested action.
The safest response is to read the request as a whole: sender, channel, timing, link, attachment, payment instruction, code request and independent verification path.
5.1.6 Keyloggers
This detail focuses on keyloggers in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
5.1.7 Database breaches
This detail focuses on database breaches as information that needs both protection and proper use.
The practical habit is to check content, hidden details, recipients, permissions and purpose before storing, forwarding or publishing anything sensitive.
5.2 Why a password alone is not always enough
This section focuses on why a password alone is not always enough as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.2.1 What two-factor authentication is
This detail focuses on what two-factor authentication is as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.2.2 What MFA is
This detail focuses on what mfa is as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.2.3 SMS codes
This detail focuses on sms codes in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
5.2.4 Authentication apps
This detail focuses on authentication apps as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.2.5 Push notifications
This detail focuses on push notifications in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
5.2.6 Physical security keys
This detail focuses on physical security keys in practical terms: what is being requested, what data or access is involved and what could go wrong if the action is rushed.
The useful habit is to connect details instead of checking them in isolation. Context, channel, timing, destination and consequences provide a clearer picture of risk.
5.2.7 Biometrics
This detail focuses on biometrics as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.2.8 Backup codes
This detail focuses on backup codes as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.3 Changing phone and MFA
This section focuses on changing phone and mfa as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.4 MFA at work
This section focuses on mfa at work as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
5.5 Limits of MFA
This section focuses on limits of mfa as part of access protection. The practical question is what prevents a stolen or guessed secret from becoming full account access.
Good protection combines uniqueness, strong factors, secure recovery and habits that do not collapse when a device is lost or a prompt appears unexpectedly.
MFA does not make you invincible, but it greatly reduces risk.
Approving MFA prompts without reading them.
Store backup codes securely.
MFA account plan
Choose five important accounts and decide which MFA method fits each one: app, hardware key, biometrics, SMS or a business-managed option.
MFA does not remove every risk, but it greatly reduces the damage of stolen passwords when prompts, backup codes and recovery are handled carefully.