There are five ways someone takes your password.
Most of them have nothing to do with how strong it is.
A salaried professional sitting in their office in Bengaluru opens a new tab. They navigate to what looks exactly like the HDFC net banking portal. The domain looks right. The padlock is there.
They type in their Customer ID. They type in a 16-character password—a random string of letters, numbers, and symbols that would take a supercomputer millions of years to crack. Their phone buzzes with an OTP. They enter the 6 digits.
Three minutes later, ₹4,50,000 leaves their account.
They did everything right. Their password was impenetrable. Their phone was in their hand. So how did the money move? Because the security industry has spent two decades selling you a lie about what authentication actually is.
A password is not security. It's proof.
user@system:~$ initiate_login --user "target_01"
Enter password: ****************
> Password strength: MAXIMUM_ENTROPY
> Awaiting 2FA (OTP)...
> ERROR: SESSION HIJACKED BY REVERSE PROXY
> SYSTEM COMPROMISED. IDENTITY STOLEN.
# The lock held. They just walked around the wall.
When people think about hackers stealing passwords, they imagine a cinematic barrage of code forcefully breaking down a digital door. They ask, "Is my password strong enough to withstand the attack?"
That is the wrong question. No professional adversary sits at a terminal trying to brute-force a strong password character by character. It is mathematically inefficient and incredibly loud. It triggers alarms.
Instead of attacking the password, they attack the human. They attack the infrastructure. They attack the places where you used that exact same password seven years ago.
There are five distinct ways someone takes your digital identity. Only one of them relies on a computer doing math. And the most dangerous one on the list isn't an attack on your password at all.
> STARTING BRUTE_FORCE.EXE...
> TARGET: CORE_VAULT
> HASH_RATE: 2.4 TH/s
> ERR: ENCRYPTION TOO STRONG
Guessing is exactly what it sounds like. Manually or automatically attempting the most statistically probable passwords for a specific target.
You don't need a supercomputer to break an account if the user has essentially left the key under the doormat. Attackers don't guess randomly; they guess based on datasets of human psychology.
According to NordPass data on Indian internet users, 123456 was used over 3 lakh times. admin hit 1.18 lakh. And when systems mandate a capital letter, a symbol, and a number? People just pivot to India@123 or bigbasket.
Why does it work? Because humans are fundamentally predictable when told to invent something memorable.
If your password is on that list, you don't have a password. You have a hint.
Chart: NordPass India Dataset Hits
Harvesting bypasses password complexity entirely by tricking the user into handing over their credentials on a fake login page.
Classic phishing involved sending an email that linked to a static, fake login page. You typed your password, the attacker saved it, and logged in later. But with the rise of Two-Factor Authentication (like SMS OTPs), classic phishing broke. A stolen password wasn't enough if the OTP expired in 60 seconds.
Enter Adversary-in-the-Middle (AitM) phishing. Modern attackers use reverse-proxy kits like Evilginx. When you click their link, you are actually talking to the real bank, but through the attacker's server sitting silently in the middle.
When the real bank sends you an OTP, you enter it into the fake site. The proxy instantly passes it to the real bank. The bank authenticates you and issues a highly privileged "Session Cookie". The attacker steals that cookie.
They don't just steal your password. They steal your already-authenticated session. The OTP didn't protect you; it just made you feel secure while you handed over the keys.
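The proxy attack above works because an OTP carries no information about where it was typed. An origin-bound authenticator (a passkey or FIDO2 hardware key, which the article recommends later) does carry that information. The following is an added model, not the article's code and not any product's implementation: real WebAuthn signs a clientDataJSON with a public key, and here an HMAC keyed by a per-registration secret stands in for that signature. The two origins are constructed, hypothetical domains.

```python
import hashlib
import hmac
import json
import secrets

# Added model (not the article's code, not any real product's): why a
# passkey/FIDO2 key survives a reverse-proxy phishing kit while an OTP does
# not. Real WebAuthn uses public-key signatures over clientDataJSON; an HMAC
# keyed by a per-registration secret stands in for that signature here.

BANK_ORIGIN = "https://netbanking.example-bank.test"                    # constructed
PROXY_ORIGIN = "https://netbanking.example-bank.test.evil-proxy.test"   # constructed


class Authenticator:
    """The user's key. It signs the origin the *browser* reports, which the
    user never types and the proxy cannot alter without breaking the signature."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)   # stands in for the private key

    def sign(self, challenge, browser_origin):
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        return client_data, hmac.new(self.secret, client_data, hashlib.sha256).digest()


class RelyingParty:
    """The bank. At registration it learned the key; at login it checks the
    signature *and* that the signed origin is its own."""

    def __init__(self, origin, authenticator):
        self.origin = origin
        self.secret = authenticator.secret   # a real RP stores the public key instead

    def verify(self, challenge, client_data, signature):
        expected = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        data = json.loads(client_data)
        return data["challenge"] == challenge and data["origin"] == self.origin


def otp_login(typed_otp, bank_otp):
    """An OTP says nothing about *where* it was typed; the proxy forwards the
    six digits verbatim and the bank cannot tell the difference."""
    return hmac.compare_digest(typed_otp, bank_otp)


def passkey_login(rp, key, browser_origin):
    """browser_origin is the site the victim's browser is actually connected to:
    the bank when there is no proxy, the proxy's domain when there is one."""
    challenge = secrets.token_hex(16)
    client_data, sig = key.sign(challenge, browser_origin)
    # The proxy can relay client_data and sig unchanged, but the origin inside
    # client_data names the proxy, so the bank rejects the assertion.
    return rp.verify(challenge, client_data, sig)


if __name__ == "__main__":
    key = Authenticator()
    bank = RelyingParty(BANK_ORIGIN, key)
    print("OTP through proxy:    ", otp_login("482913", "482913"))          # True: proxy wins
    print("Passkey direct:       ", passkey_login(bank, key, BANK_ORIGIN))   # True
    print("Passkey through proxy:", passkey_login(bank, key, PROXY_ORIGIN))  # False
```

The point of the model is the last line: the victim does nothing differently in either case, and the proxy relays everything faithfully, yet the bank rejects the passkey assertion because the signed origin is the proxy's domain rather than its own.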
Cracking happens offline. Attackers steal a database of hashed passwords and use immense computational power to recover the originals.
When you sign up for a service, it doesn't store your actual password. It runs it through a one-way function called a hashing algorithm (like bcrypt). If hackers breach the server, they get the hashes, not the passwords. They then take those hashes to a rig of powerful GPUs and rapid-fire guesses until the math matches.
This is where password length—entropy—actually matters. Every additional character multiplies the number of guesses an attacker has to make, so the work grows exponentially with length.
ELI5: Hashing is like turning a potato into mashed potatoes. It's easy to do. But if a hacker steals the bowl of mashed potatoes, cracking is the process of trying to perfectly re-assemble the original potato.
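To make the "mashed potato" concrete, here is an added example (not the article's code) of how a service should store a password so that a stolen table is only the start of the attacker's work: a random per-user salt plus a deliberately slow key-derivation function. PBKDF2 from Python's standard library stands in for bcrypt, which the article names, and the iteration count is an assumption. The same block carries the length arithmetic through using the 2.4 TH/s figure from the mock terminal above.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example (not from the article). Salted, slow password storage plus
# the arithmetic behind "every additional character matters". PBKDF2-SHA256
# stands in for bcrypt; ITERATIONS is an assumed cost, not a recommendation
# from the article.

ITERATIONS = 600_000
ALPHABET_SIZE = 95          # printable ASCII: the alphabet a random password draws from


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh salt per user means two users with the
    same password get different digests, so one precomputed table serves nobody."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Exactly the work a cracking rig repeats, one guess at a time, for every
    row of a stolen table; the slow KDF makes each repetition expensive."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = ALPHABET_SIZE) -> float:
    """Worst-case time to try every password of this length at a given rate."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    salt, digest = hash_password("India@123")          # a password from the article's list
    print(verify_password("India@123", salt, digest))  # True
    print(verify_password("India@124", salt, digest))  # False
    # 2.4 TH/s is a fast-hash figure; a slow KDF cuts it by orders of magnitude,
    # but length is still what separates minutes from the age of the universe.
    for n in (8, 12, 16):
        print(f"{n} chars: {years_to_exhaust(n, 2.4e12):.3g} years")
```

Two things to notice when running it: the same password hashed twice yields two different digests because the salt differs, and the jump from 8 to 16 characters turns a keyspace that a fast rig clears in under an hour into one measured in hundreds of billions of years.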
Spraying flips the guessing model. Instead of trying many passwords against one account, attackers take one highly probable password and try it across thousands of accounts.
Account lockout policies usually freeze you out after 5 failed attempts. Spraying bypasses this completely. The attacker tries Winter2024! exactly one time across 10,000 employee emails. No account hits the 5-attempt limit. No alarms sound. But statistically, the odds are that 14 of those employees used that password.
This isn't theoretical. In January 2024, the Russian state-sponsored group Midnight Blizzard breached Microsoft's corporate email systems. How? They used a password spray attack against a legacy, non-MFA test account.
If your password could be read off a calendar — it's already been tried.
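Because lockout counters are kept per account, the spray described above never trips them; the signal lives in the source instead. Below is an added detector, not the article's code and not any vendor's product, that reads constructed authentication log lines (format and addresses are invented for the example) and flags a source that touches many distinct accounts while keeping every one of them under the lockout threshold, reporting which accounts it actually got into.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the article). Password-spray detection over
# constructed log lines: one address, many accounts, one or two attempts
# each, an occasional success. Log format and IP addresses are invented.

SAMPLE_LOG = """\
2024-01-12T09:00:01Z auth_fail user=asha.k@corp.test src=203.0.113.7
2024-01-12T09:00:02Z auth_fail user=ravi.m@corp.test src=203.0.113.7
2024-01-12T09:00:03Z auth_fail user=neha.p@corp.test src=203.0.113.7
2024-01-12T09:00:04Z auth_fail user=arjun.s@corp.test src=203.0.113.7
2024-01-12T09:00:05Z auth_ok   user=priya.s@corp.test src=203.0.113.7
2024-01-12T09:00:06Z auth_fail user=karan.d@corp.test src=203.0.113.7
2024-01-12T09:00:07Z auth_fail user=meera.j@corp.test src=203.0.113.7
2024-01-12T09:00:08Z auth_fail user=vikram.r@corp.test src=203.0.113.7
2024-01-12T09:00:09Z auth_fail user=sneha.b@corp.test src=203.0.113.7
2024-01-12T09:00:10Z auth_fail user=rohan.t@corp.test src=203.0.113.7
2024-01-12T09:05:10Z auth_fail user=dev.r@corp.test src=198.51.100.4
2024-01-12T09:05:12Z auth_fail user=dev.r@corp.test src=198.51.100.4
2024-01-12T09:05:15Z auth_ok   user=dev.r@corp.test src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>auth_fail|auth_ok)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(log):
    """Yield one event dict per well-formed line; anything else is skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "auth_ok",
            "user": m["user"],
            "src": m["src"],
        }


def detect_spray(log, window=timedelta(minutes=10), min_users=8, lockout_threshold=5):
    """Flag sources that, inside some `window`, touch at least `min_users`
    distinct accounts while keeping every account below `lockout_threshold`.
    Returns one dict per flagged source, describing its busiest window."""
    by_src = defaultdict(list)
    for ev in parse(log):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None          # (distinct users, peak attempts per user, events)
        start = 0
        for end in range(len(events)):
            # advance `start` so events[start:end+1] spans at most `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for ev in events[start:end + 1]:
                per_user[ev["user"]] += 1
            if best is None or len(per_user) > best[0]:
                best = (len(per_user), max(per_user.values()), events[start:end + 1])
        distinct, peak, span = best
        if distinct >= min_users and peak < lockout_threshold:
            alerts.append({
                "src": src,
                "distinct_users": distinct,
                "max_attempts_per_user": peak,
                "compromised": sorted({e["user"] for e in span if e["ok"]}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The second source in the sample (three tries against one account, then a success) looks like a user mistyping and is deliberately not flagged; the first is ten accounts in ten seconds with one hit, which is the spray. The `compromised` field is the part an incident responder wants first: it is the list of accounts to reset and review before anything else.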
Stuffing takes passwords stolen from poorly secured websites and automatically injects them into high-value targets like banks and healthcare portals.
In October 2023, the genetics company 23andMe suffered a devastating breach. But hackers didn't break 23andMe's encryption. They took email/password combos leaked from completely unrelated websites over the years and stuffed them into 23andMe's login page.
About 14,000 users had reused their passwords. Because 23andMe had a "DNA Relatives" feature, those 14,000 compromised accounts cascaded, exposing the sensitive ancestral and genetic data of 7 million people. By March 2025, 23andMe filed for bankruptcy.
Under India's new DPDP Act 2023, companies are mandated to report personal data breaches. Credential stuffing makes this a regulatory nightmare, because the company getting breached often did nothing wrong technologically.
23andMe didn't get hacked. Their security was fine. Their customers had reused passwords from sites that weren't.
The most dangerous attack on this table isn't an attack on your password. It's an attack on your memory.
Fitness app breached. Your email + password leaked to darknet forums as part of a massive dump.
Combo list sold on Telegram for ₹500. 50M credentials bundled for script kiddies to use.
Credential stuffed into 23andMe. 14,000 accounts accessed using valid credentials.
DNA Relatives feature cascades exposure. 7 million genetic records leaked via lateral access.
23andMe files for bankruptcy. Your genetic data? Still circulating on the darknet.
Verdict
One password. Seven years. Millions affected.
Look at the pattern. None of these five methods require breaking a strong password on the front door.
They guess it because you made it easy. They harvest it by asking you for it nicely. They crack it from a database someone else lost. They spray a common word across a whole company. Or they reuse a complex string you set for a pizza delivery app in 2017.
The architecture of password security is structurally broken, not the passwords themselves.
You cannot out-memorize this problem. But you can architect your way out of it.
Browser built-in managers are convenient but tie your security to the very app you use to browse the wild web. Use a dedicated vault. 1Password is the paid, polished gold standard. Bitwarden offers a rock-solid free tier and is open-source. Proton Pass is highly privacy-forward. Pick one.
This is the containment principle. If Zomato gets breached tomorrow, the attacker only gets your Zomato password. They cannot stuff that credential into your Gmail or your HDFC account. One leak should never equal a master key.
Your primary email is the master reset switch for your entire digital life. Lock it down with Passkeys or a hardware security key like the YubiKey 5 NFC (available via Amazon India). SMS-based 2FA is vulnerable to SIM-swapping—a retail outlet employee can be bribed to port your number. Hard keys stop Adversary-in-the-Middle phishing dead in its tracks.
Move away from SMS OTPs. Use Aegis (open-source, Android) or Ente Auth (made in India, cross-platform, E2E encrypted). Google Authenticator is the default, but historically lacked secure encrypted backups, making phone loss catastrophic.
The recovery system is the security system. If your ultra-secure bank account can be reset by sending an SMS to an old phone number you no longer own, you are not secure. Audit your recovery emails and numbers every six months.
The single highest-leverage thing you can do right now takes two minutes. Go to Have I Been Pwned. Enter your email. It will tell you exactly which corporate breaches your data has appeared in. If you see Indian entities like BigBasket or Domino's on your list, change those reused passwords immediately. Report active localized threats to CERT-In.
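Credential stuffing (the 23andMe section above) and the Have I Been Pwned check just described are two sides of the same corpus: the attacker feeds leaked credentials into a login form, the defender refuses any password that already appears in a leak. Below is an added local model, not the article's code, of the range lookup that the Pwned Passwords service uses: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the returned suffixes on the device, so the password itself never leaves it. The breach corpus is constructed from the article's own figures, and the block makes no network call.

```python
import hashlib
import secrets

# Added example (not the article's code). Local model of a k-anonymity
# "range" lookup in the style of Have I Been Pwned's Pwned Passwords: only a
# five-character hash prefix is revealed to the server. The corpus below is
# constructed; counts echo the NordPass figures quoted in the article.

CONSTRUCTED_COUNTS = {
    "123456": 300_000,
    "admin": 118_000,
    "India@123": 40_000,
    "bigbasket": 12_000,
    "Winter2024!": 2_500,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class PwnedPasswordsServer:
    """Server side: holds only hashes and counts, answers prefix queries."""

    def __init__(self, counts):
        self.index = {}
        for pw, n in counts.items():
            h = sha1_hex(pw)
            self.index.setdefault(h[:5], {})[h[5:]] = n

    def range(self, prefix: str) -> dict:
        """Return {suffix: count} for every stored hash starting with prefix.
        The server learns the prefix and nothing else about the query."""
        if len(prefix) != 5:
            raise ValueError("prefix must be exactly 5 hex characters")
        return dict(self.index.get(prefix.upper(), {}))


def breach_count(password: str, server: PwnedPasswordsServer) -> int:
    """Client side: reveal five characters, match the remaining 35 locally."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return server.range(prefix).get(suffix, 0)


def should_reject(password: str, server: PwnedPasswordsServer) -> bool:
    """Registration/reset policy: any password seen in a leak is refused,
    because a stuffing bot will try it long before a user's memory gives out."""
    return breach_count(password, server) > 0


if __name__ == "__main__":
    server = PwnedPasswordsServer(CONSTRUCTED_COUNTS)
    for pw in ("123456", "India@123", secrets.token_urlsafe(18)):
        verdict = "REJECT" if should_reject(pw, server) else "ok"
        print(f"{pw!r:32} seen {breach_count(pw, server):>7} times -> {verdict}")
```

Used at signup and at every password reset, this turns the "containment" advice into enforcement: a credential the rest of the internet has already lost cannot be adopted here, whatever the user's vault or memory suggests.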
You've read the five attack methods. Now test whether your actual habits would survive them.
This isn't a knowledge test — it's a behavior audit. Every question maps to a real attack vector you just learned about.
Most people spend their lives guarding the lock. They never look to see if the door is even attached to the frame.
Shubham is the founder of Psyberbull. Security is distinct from survival. He helps companies build fortresses, not just check boxes.
A strong password was never the solution. It was always about containment, unique credentials, and phishing-resistant authentication.
A password is not security. It's proof.