Password security feels like it should be a fight between "longer is stronger" and Moore's law. In practice, the password you pick interacts with how it's stored and whether it's been seen before — and those two factors determine which attack wins.
Pick a password, a storage method, and whether to assume the user has reused this password somewhere that leaked. Click Race. Four attackers run in parallel against your choices. The bar that finishes first is the threat you should actually be defending against.
Reading the results
The four attacks have wildly different cost models. Knowing which wins under which conditions is the whole point of this lab:
- Brute force is a function of (a) password keyspace and (b) hash speed. A fast hash (MD5, SHA-256 unsalted) lets a single high-end GPU try billions of guesses per second. A slow KDF (bcrypt, Argon2) brings that down by 5-7 orders of magnitude. Strength genuinely matters here: a 14-character random password beats a 7-character random password not by a little but by trillions.
- Dictionary attacks ignore keyspace entirely — they only try plausible passwords. Password1, summer2024, iloveyou all fall in seconds regardless of how strong the entropy calculator thought they were.
- Credential stuffing doesn't crack passwords at all. It takes credentials that already leaked from other breaches and tries them on your site. The password's strength is irrelevant. If your user picked Tr0ub4dor&3 and used it on a site that got breached in 2019, the attacker just types it in.
- Rainbow tables are precomputed hash → password lookups. They die instantly against any password that's salted properly — which is why every modern hash includes a salt. They're a museum exhibit, not a current threat, unless you're storing unsalted MD5 in 2026 (please don't).
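A toy version of the four-way race described above, written as an added Python example; it is not the lab's own simulator. The guess rates per storage scheme, the tiny wordlist, the "leaked elsewhere" set, the rainbow-table coverage bound and the one-second online-attempt cost are all assumptions chosen to illustrate the cost models, not measurements. The point it makes is the one in the list: the same password loses to a different attacker depending on storage and reuse, and brute force is rarely the one that finishes first.

```python
import math
import string

# Assumed guess rates for one high-end GPU (guesses per second) and whether the
# scheme salts. Order-of-magnitude illustrations, not measurements: fast hashes
# in the billions, slow KDFs five to seven orders of magnitude lower.
STORAGE = {
    "md5_unsalted":  (1e10, False),
    "sha256_salted": (5e9, True),
    "bcrypt_cost12": (1e4, True),
    "argon2id":      (5e3, True),
}

# Constructed stand-ins for a real wordlist and a real breach corpus.
SMALL_WORDLIST = ["password1", "qwerty", "iloveyou", "summer2024", "letmein"]
LEAKED_ELSEWHERE = {"Tr0ub4dor&3"}

RAINBOW_TABLE_LIMIT = 1e16      # assumed largest keyspace a precomputed table covers
ONLINE_ATTEMPT_SECONDS = 1.0    # assumed cost of one login request
RAINBOW_LOOKUP_SECONDS = 1.0    # assumed cost of one table lookup


def keyspace(password: str) -> int:
    """Optimistic keyspace: the alphabet implied by the character classes actually
    used, raised to the length. A human-chosen password is far weaker than this."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)   # 32 printable symbols
    if any(c.isspace() for c in password):
        alphabet += 1                         # passphrases with spaces
    return alphabet ** len(password)


def brute_force_seconds(password: str, storage: str) -> float:
    """Exhaust the keyspace at the scheme's guess rate."""
    rate, _ = STORAGE[storage]
    return keyspace(password) / rate


def dictionary_seconds(password: str, storage: str) -> float:
    """Wordlist attack: cost is the candidate's rank divided by the hash rate.
    Real tools also apply mangling rules; this toy only folds case."""
    rate, _ = STORAGE[storage]
    lowered = password.lower()
    if lowered in SMALL_WORDLIST:
        return (SMALL_WORDLIST.index(lowered) + 1) / rate
    return math.inf


def credential_stuffing_seconds(password: str, reused: bool) -> float:
    """No cracking at all: a leaked credential is replayed as one login attempt."""
    if reused and password in LEAKED_ELSEWHERE:
        return ONLINE_ATTEMPT_SECONDS
    return math.inf


def rainbow_table_seconds(password: str, storage: str) -> float:
    """Precomputed lookup; useless once a salt is present or the keyspace is huge."""
    _, salted = STORAGE[storage]
    if salted or keyspace(password) > RAINBOW_TABLE_LIMIT:
        return math.inf
    return RAINBOW_LOOKUP_SECONDS


def race(password: str, storage: str, reused: bool = False):
    """Return (winning attack, seconds per attack) for one password/storage/reuse choice."""
    times = {
        "brute_force": brute_force_seconds(password, storage),
        "dictionary": dictionary_seconds(password, storage),
        "credential_stuffing": credential_stuffing_seconds(password, reused),
        "rainbow_table": rainbow_table_seconds(password, storage),
    }
    winner = min(times, key=times.get)
    return winner, times


if __name__ == "__main__":
    for pw, store, reused in [("Tr0ub4dor&3", "md5_unsalted", True),
                              ("Password1", "argon2id", False),
                              ("correct horse battery staple", "bcrypt_cost12", False)]:
        winner, times = race(pw, store, reused)
        print(f"{pw!r:34} {store:14} reused={reused!s:5} -> {winner}")
```

Run it and the three lines reproduce the page's ranking: the reused "strong" password falls to stuffing in one request, the wordlist entry falls to a dictionary attack regardless of Argon2id, and only the long passphrase on a slow KDF leaves brute force as the sole (and hopeless) remaining attacker.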
The defenses, ranked
If you internalize one ranking from this lab, make it this one. From highest leverage to lowest:
- 1. Don't use passwords. Passkeys (FIDO2/WebAuthn) eliminate every attack on this page in one move. See the Passkey vs Password Phishing lab.
- 2. Block known-breached passwords at registration. Compare to the HIBP "Pwned Passwords" k-anonymity API. Stops credential stuffing before the password exists in your database.
- 3. Require MFA. Specifically: phishing-resistant MFA (passkey, hardware key). SMS and TOTP help against credential stuffing but fall to phishing.
- 4. Use a modern KDF. Argon2id, bcrypt cost >=12, or scrypt. The KDF is the single technical lever that kills brute force.
- 5. Salt and pepper. Salts kill rainbow tables. Peppers (server-side secret) add another layer against database-only breaches.
- 6. Rate limit and detect. Online attacks (where the attacker hits your real login page) are slow and detectable. Lock accounts after N failed attempts; alert on impossible-travel signals.
- 7. Educate on length. A long passphrase is genuinely better than a short complex password. correct horse battery staple outperforms P@ssw0rd!.
Most "strong password" advice defends against the attack that's no longer winning. The dominant password attack in 2026 is credential stuffing — reusing credentials already in the breach corpus. Strength buys you nothing if the password is on the list.
The single highest-leverage defenses are blocking known-breached passwords, requiring phishing-resistant MFA, and moving to passkeys. A modern KDF is necessary; alone it is not sufficient. Stack the defenses, and the racer above can't finish at all.
References
Formatted in APA 7. Alphabetized by first author's last name.
- Biryukov, A., Dinu, D., & Khovratovich, D. (2016). Argon2: New generation of memory-hard functions for password hashing and other applications. 2016 IEEE European Symposium on Security and Privacy. https://doi.org/10.1109/EuroSP.2016.31
- Grassi, P. A., Fenton, J. L., Newton, E. M., Perlner, R. A., Regenscheid, A. R., Burr, W. E., Richer, J. P., Lefkovitz, N. B., Danker, J. M., Choong, Y.-Y., Greene, K. K., & Theofanos, M. F. (2017). Digital identity guidelines: Authentication and lifecycle management (NIST Special Publication No. 800-63B, Rev. 3). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-63b
- Hunt, T. (n.d.). Have I Been Pwned: Pwned Passwords. https://haveibeenpwned.com/Passwords
- OWASP Foundation. (n.d.). Password storage cheat sheet. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
- Provos, N., & Mazières, D. (1999). A future-adaptable password scheme. USENIX Annual Technical Conference.