Malware may be used by an attacker to enable keylogging and screen-scraping, which can capture text-based user inputs.
Users can be tricked into visiting malicious sites or downloading malicious apps that enable attackers to capture text-based user inputs.
Long-lived credentials and tokens can be intercepted by attackers and later replayed to impersonate the user.
Attackers can physically observe user inputs, either in person or via compromised cameras.
Man-in-the-browser attacks can exploit a compromised browser or app to capture text-based user inputs and long-lived session cookies.
Man-in-the-middle attacks can be used to eavesdrop on communications between users and authentication services.
Brute force attacks can target credential repositories directly or by running guesses through a key derivation function.
Dictionary attacks are a specialized form of brute force attack that targets common words, phrases, or previously used strings.
Rainbow tables are pre-computed tables that cache the output of cryptographic hash functions and are used to crack password hashes.
Length extension attacks append extra information to the message in a "secret : message" pair to produce a valid hash without knowing the secret.
no text • no salt • no bi-lateral constraint
easy for users
no text • no biometrics • no hardware
hard for hackers
episodic • multi-lateral • sharded memetic credentials