user-targeted attacks


Malware may be used by an attacker to enable keylogging and screen-scraping, which can capture text-based user inputs.


Users can be tricked into visiting malicious sites or downloading malicious apps that enable attackers to capture text-based user inputs.


Long-lived credentials and tokens can be intercepted by attackers and later replayed to impersonate the user.


Attackers can physically observe user-based inputs either in-person or via compromised cameras.


Man-in-the-browser attacks can exploit a compromised browser or app to capture text-based user inputs and long-lived session cookies.

service-targeted attacks


Man-in-the-middle attacks can be used to eavesdrop on communications between users and authentication services.

brute force

Brute force attacks can target a credential repository directly, or target derived keys by running the same key derivation function over candidate passwords.


Dictionary attacks are a specialized form of brute force attack that target common words, phrases, or previously used strings.

rainbow table

Rainbow tables are pre-computed tables that cache the output of cryptographic hash functions, used to crack unsalted password hashes by lookup.
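The brute force, dictionary and rainbow table entries above all come down to how a credential repository stores passwords. The Python below is an added illustration, not code from this page or its authors: it contrasts a bare SHA-256 hash, which a precomputed table cracks with a single lookup, against a per-user random salt combined with PBKDF2, which makes a precomputed table useless and forces the attacker to redo the key derivation work for every user. The candidate password list and user names are constructed sample data; the function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample dictionary (assumption): the kind of list a precomputed
# table would be built from. Real lists are far larger.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]

# Work factor for the hardened scheme; production deployments tune this upward.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Weak scheme: a bare hash. Every user with this password gets the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precomputed map from unsalted hash back to password (a rainbow table, simplified
    to a full lookup table because the candidate list is tiny)."""
    return {unsalted_hash(p): p for p in candidates}


def crack_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Cracking an unsalted hash is one dictionary lookup; no hashing at crack time."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Hardened scheme: fresh 16-byte random salt per user, then PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both are stored, the salt need not be secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def kdf_work_to_guess(salt: bytes, digest: bytes, candidates,
                      iterations: int = ITERATIONS) -> Tuple[Optional[str], int]:
    """Cost model for the defender: with a unique salt, a guessing attack must run the
    full KDF once per candidate per user. Returns (matched_password_or_None, kdf_calls)."""
    calls = 0
    for p in candidates:
        calls += 1
        if verify_salted(p, salt, digest, iterations):
            return p, calls
    return None, calls


def demo() -> dict:
    """Two users who chose the same password, stored under both schemes."""
    table = build_lookup_table(COMMON_PASSWORDS)
    weak_alice = unsalted_hash("hunter2")
    weak_bob = unsalted_hash("hunter2")

    salt_a, dig_a = salted_hash("hunter2")
    salt_b, dig_b = salted_hash("hunter2")

    return {
        # Unsalted: identical hashes, and the table recovers the password instantly.
        "unsalted_identical": weak_alice == weak_bob,
        "unsalted_cracked": crack_with_table(weak_alice, table),
        # Salted: different digests for the same password, table lookup finds nothing.
        "salted_identical": dig_a == dig_b,
        "salted_table_hit": crack_with_table(dig_a.hex(), table),
        # Legitimate verification still works; wrong password is rejected.
        "verify_ok": verify_salted("hunter2", salt_a, dig_a),
        "verify_wrong": verify_salted("hunter3", salt_a, dig_a),
        # Each salted user costs the attacker a separate run through the KDF.
        "kdf_calls_user_a": kdf_work_to_guess(salt_a, dig_a, COMMON_PASSWORDS)[1],
        "kdf_calls_user_b": kdf_work_to_guess(salt_b, dig_b, COMMON_PASSWORDS)[1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt does not stop an attacker from guessing a weak password for one account; it removes the shared precomputation that lets one table crack every account at once, and the iteration count sets how expensive each of those per-user guesses is.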

length extension

Length extension attacks append extra data to a hashed "secret : message" pair and produce a valid hash for the extended message without knowing the secret.

the dream is real

possibilities abound
no text • no salt • no bi-lateral constraint

easy for users
no text • no biometrics • no hardware

hard for hackers
episodic • multi-lateral • sharded memetic credentials
