Password Guessing — Detailed Explanation, Examples, and Defensive Guidance
======================================================================

What “password guessing” means
——————————
Password guessing is the broad category of attacks where someone attempts to authenticate
by trying passwords they believe a user might have chosen. Unlike exploiting a software
vulnerability, password guessing targets human behavior: weak passwords, predictable
patterns, and password reuse.

This can be done against:
– Interactive logins (Windows sign-in, VPN, email portals, web apps)
– Remote services (RDP gateways, SSH on non-Windows systems, SaaS logins)
– “Offline” password material (password hashes captured from a database, AD dump, etc.)
where guesses can be tested without hitting the live login system.

Why password guessing works
—————————
It succeeds when at least one of these is true:
– Users choose weak passwords (common words, short strings, simple patterns)
– Users choose predictable passwords (SeasonYear!, CompanyName123!, etc.)
– Passwords are reused across systems (breach from Site A works on System B)
– Controls are missing/weak (no MFA, poor rate-limiting, no monitoring)

Common types of password-guessing attacks
——————————————

1) Brute-force guessing (online)
– Tries many possible passwords for a small number of accounts.
– Risky for the attacker because repeated failures often trigger lockouts and alerts.
Conceptual example:
– Repeated login failures for ONE username, increasing in frequency or volume.

2) Dictionary guessing (online)
– Tries a list (“dictionary”) of commonly used passwords rather than all combinations.
– Much faster than pure brute force, but still often detected when aimed at one account.
Conceptual example:
– A small set of top passwords tried against a single account until blocked.

3) Targeted guessing (a.k.a. “educated guesses”)
– Uses information about the person or organization to guess likely passwords:
birthdays, pet names, sports teams, company name, slogans, seasons, years, etc.
Conceptual example patterns attackers often bet on:
– CompanyOrBrand + Year + symbol (e.g., “Brand2026!”-style)
– Season + Year + symbol (e.g., “Winter2026!”-style)
– Simple substitutions (a->@, o->0) and capitalization patterns

4) Password spraying (online)
– Tries a SMALL number of common passwords across MANY accounts.
– Designed to avoid lockouts by keeping failures per account low.
Conceptual example:
– 1–2 failed logins each across hundreds of users from the same IP range.

5) Credential stuffing (online, but not pure “guessing”)
– Uses known leaked username/password pairs from breaches and tries them elsewhere.
– Works when users reuse passwords across sites.
Conceptual example:
– Login attempts for many accounts where the password appears correct for a subset
shortly after a public breach or credential dump circulates.

6) Offline password guessing (hash cracking)
– If an attacker steals password hashes (from a breached database or compromised host),
they can test guesses locally without lockouts or rate limits.
– This is often the most dangerous scenario because defenses like account lockouts
don’t apply; how long the hashes hold up depends heavily on the hashing method and on password complexity.
Conceptual example:
– A breach report mentions “hashed passwords were exposed”—risk depends on hashing
algorithm, salting, and password strength.

Concrete-but-safe examples (non-operational)
———————————————
These examples describe what defenders typically observe, without providing instructions
to carry out an attack.

Example A: Online brute-force on a single account
– Signal: One user account shows many consecutive failures in a short time window.
– Outcome: Account lockout or alert triggers; attacker may move on or try another account.

Example B: Dictionary guessing on a public login portal
– Signal: The same source repeatedly fails for a small group of accounts using very
common passwords (inferred from repeated failure patterns, user agent, and timing).
– Outcome: Throttling / WAF / conditional access blocks the source.

Example C: Targeted guessing after OSINT
– Signal: Attempts cluster around a specific user (executive/admin) and follow timing
related to life events (e.g., new year, seasonal change, recent company rebrand).
– Outcome: If the user’s password is predictable, attacker gets a foothold.

Example D: Password spraying in an enterprise
– Signal: A broad “low-and-slow” pattern where many distinct users each get 1–3 failures,
followed by a small number of successes.
– Outcome: Attacker gains access to one or two weakly protected accounts and escalates
from there.

Example E: Credential stuffing after a third-party breach
– Signal: A spike in login attempts for many users, often with a subset succeeding
quickly; may align with known breach/news.
– Outcome: Compromised accounts appear across different services due to password reuse.

Windows / Active Directory environment notes
———————————————
In Windows-centric enterprises, guessing attempts often focus on:
– VPN authentication tied to AD
– Outlook Web App / Exchange sign-in
– AD FS / SSO portals
– RD Gateway / externally exposed remote access
– Other web apps that authenticate against AD/LDAP/SAML

What defenders typically see (high-level indicators)
——————————————————
– Repeated failures for one account (brute-force/dictionary)
– Low failure counts spread across many accounts (spraying)
– Authentication attempts from unusual geographies or ASNs
– Unfamiliar devices, user agents, or “impossible travel” patterns
– Successes occurring immediately after broad failures
– Targeting of privileged accounts, service accounts, or accounts without MFA

How to prevent and mitigate password guessing
———————————————

1) Enforce MFA (strongest single control)
– Require MFA for remote access, email, admin roles, and high-risk sign-ins.
– Prefer phishing-resistant MFA for privileged users where possible.

2) Improve password quality
– Use long passphrases (length beats complexity alone).
– Block common passwords using deny lists (common-password ban).
– Discourage predictable patterns (SeasonYear!, CompanyName123!, etc.).
– Prohibit password reuse across systems (policy + technical controls).
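As an added example (not part of the original article), a small Python password-quality check that applies the rules above: it undoes the a->@ / o->0 style substitutions and strips a trailing year/symbol run before comparing against a constructed common-password deny list, season names and hypothetical company terms (ExampleCorp, Brand), all of which are assumptions for the example.

```python
import re

# Constructed deny list and organisation-specific terms: assumptions for this
# example, not any product's banned-password list.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
ORG_TERMS = {"examplecorp", "brand"}  # hypothetical company/brand names

# Undo simple substitutions (a->@, o->0, plus a few other common ones).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
# A year such as 2026, optionally followed by symbols, at the end of the password.
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}[^a-z0-9]*$")


def base_word(pw: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, then undo substitutions."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def check_password(pw: str, min_len: int = 14) -> list:
    """Return policy findings for pw; an empty list means it passes these checks."""
    findings = []
    if len(pw) < min_len:
        findings.append("too_short")
    base = base_word(pw)
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        findings.append("common_password")
    if base in SEASONS:
        findings.append("season_year_pattern")
    if base in ORG_TERMS:
        findings.append("company_name_pattern")
    if YEAR_SUFFIX.search(pw.lower()):
        findings.append("year_suffix")
    return findings


if __name__ == "__main__":
    for candidate in ["Winter2026!", "P@ssw0rd", "ExampleCorp123!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "OK")
```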

3) Rate limiting and smart lockout
– Throttle repeated failures by IP/device/geo rather than only per-account.
– Use risk-based access policies (conditional access, identity protection).
– Avoid overly aggressive lockouts that attackers can exploit for denial-of-service,
but ensure defensive throttles exist.

4) Reduce attack surface
– Restrict or harden internet-exposed authentication points (VPN, OWA, RD Gateway, AD FS).
– Disable legacy authentication protocols where possible.
– Put critical portals behind additional controls (device compliance, network location,
WAF, or zero trust access brokers).

5) Monitoring and alerting
– Alert on:
  – high failure rates for a single account
  – many accounts failing from the same source (spray signature)
  – success after many failures, especially for sensitive apps
– Correlate logs across:
  – Domain controllers, VPN, OWA/Exchange, AD FS/SSO, endpoints, and SIEM
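The three alert conditions just listed, together with the brute-force and spray indicators from “What defenders typically see”, as an added Python example that is not part of the original article: it runs over a constructed sample of sign-in events, and the line format, the thresholds and the helper names parse/detect are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of authentication events (not real data); the line format is an
# assumption for this example, and the sources are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2026-01-15T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2026-01-15T08:00:02Z src=203.0.113.5 user=alice result=FAIL
2026-01-15T08:00:03Z src=203.0.113.5 user=alice result=FAIL
2026-01-15T08:00:04Z src=203.0.113.5 user=alice result=FAIL
2026-01-15T08:10:00Z src=198.51.100.7 user=bob result=FAIL
2026-01-15T08:10:30Z src=198.51.100.7 user=carol result=FAIL
2026-01-15T08:11:00Z src=198.51.100.7 user=dave result=FAIL
2026-01-15T08:11:30Z src=198.51.100.7 user=erin result=FAIL
2026-01-15T08:12:00Z src=198.51.100.7 user=grace result=SUCCESS
2026-01-15T09:00:00Z src=192.0.2.9 user=heidi result=SUCCESS
"""
LINE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)$")

def parse(log: str) -> list:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for m in (LINE.search(line) for line in log.splitlines()):
        if m:
            src, user, result = m.groups()
            events.append({"src": src, "user": user, "ok": result == "SUCCESS"})
    return events

def detect(events, brute_min=4, spray_min_users=4, spray_max_per_user=2):
    """Classify the alert signatures from the text; thresholds are tunable assumptions."""
    fails_per_user = Counter(e["user"] for e in events if not e["ok"])
    fails_per_src = defaultdict(Counter)  # src -> {user: failure count}
    for e in events:
        if not e["ok"]:
            fails_per_src[e["src"]][e["user"]] += 1
    alerts = {"spray": [], "success_after_failures": []}
    # Many failures against one account: brute-force or dictionary guessing.
    alerts["brute_force"] = [u for u, n in fails_per_user.items() if n >= brute_min]
    # One source, few failures per account across many accounts: spray signature.
    for src, per_user in fails_per_src.items():
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            alerts["spray"].append(src)
    # A success from a source that has already failed broadly: a likely spray hit.
    for e in events:
        if e["ok"] and sum(fails_per_src.get(e["src"], Counter()).values()) >= spray_min_users:
            alerts["success_after_failures"].append((e["src"], e["user"]))
    return alerts

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```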

6) Harden privileged and service accounts
– MFA + strict conditional access
– Separate admin accounts (no email/web browsing on admin identities)
– Limit service account interactive logon; use managed identities where possible
– Regularly review stale accounts and disable those not needed

Quick summary
—————
Password guessing includes multiple techniques (brute force, dictionary, targeted guessing,
spraying, credential stuffing, and offline guessing of stolen hashes). In Windows/AD
environments, strong MFA, banned-password lists, smart throttling, reduced exposure of
remote access portals, and good detection/correlation are the most effective defenses.
