Weak passwords & brute-force attacks - a step-by-step debrief of the demo you just watched, and exactly how to defend your business.
What this attack looked like
The attacker opened the company's real-looking login page and pointed an automatic program at it.
The program tried a ready-made list of the most common passwords - one after another, faster than any human could type. Each wrong guess showed FAILED.
The portal never stopped it: there was no limit on how many wrong guesses were allowed.
Within seconds it tried "admin123" - a password near the top of every attacker's list - and got PASSWORD CRACKED.
The attacker was instantly inside the admin dashboard, looking at staff salaries, PAN numbers, customer lists and bank details.
The same program then ran against a strong password on a properly protected portal - and the account was LOCKED after 5 tries. The attack failed completely.
Red flags - how to spot it
A short, common, guessable password (a name, a word, "123", a default like "admin123").
The same password reused across email, banking, GST portal and social media.
Logins with no limit on failed attempts and no second step (OTP / two-factor).
A sudden burst of "wrong password" notifications, or login alerts from unknown devices / cities.
Being told your email appears in a known data breach, but never changing the password.
Best practices - prevention
For every person (passwords)
Use long, unique passphrases - four random words like "river-mango-tabla-92". Length beats complexity: a long passphrase is far harder to crack than a short messy one.
Use a password manager (e.g. built into your browser or a dedicated app) so every account gets a different strong password you never have to remember.
Never reuse passwords. Reuse one, and a single leak anywhere opens every account that shares it.
Turn on MFA / OTP everywhere - email, banking, GST, social media, the portal. Then even a correctly guessed password cannot get in on its own.
Change all default passwords on routers, cameras, and admin accounts the day you install them.
For the business (server-side defences)
Account lockout - freeze the account after a handful of wrong tries (as the protected portal did).
Rate limiting - slow down repeated attempts from the same source so mass guessing becomes impractical.
CAPTCHA after a few failures to block automated tools.
Enforce MFA for all staff, especially admin / owner accounts.
Ban breached & common passwords at sign-up so "admin123" can never be chosen.
Monitor & alert on spikes of failed logins and sign-ins from new devices or locations.
Lock business devices - screen locks, auto-lock timers, and full-disk encryption on every laptop and phone.
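To show how the lockout, rate-limiting and banned-password controls above fit together in a login handler, here is a small added example in Python. It is not code from the demo portal or from any product; the class name LoginGuard, the thresholds (5 failures, 15-minute lock, 10 attempts per source per minute), the tiny COMMON_PASSWORDS set and the fake clock are all assumptions constructed for this illustration.

```python
"""Server-side brute-force defences in one place:
   - account lockout after MAX_FAILURES wrong guesses (as the protected portal did)
   - per-source rate limiting, so mass guessing from one address is throttled
   - a deny-list of common / breached passwords checked at sign-up
Added illustration; thresholds and the password list are constructed assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # lock the account on the 5th wrong guess
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
RATE_WINDOW = 60            # per-source window, in seconds
RATE_LIMIT = 10             # attempts allowed per source within the window
PBKDF2_ROUNDS = 100_000     # slow hash so offline guessing is expensive too

# Constructed stand-in for a real breached/common-password list (e.g. a Pwned
# Passwords export); a production check would be far larger.
COMMON_PASSWORDS = {"admin123", "password", "123456", "qwerty", "welcome1"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for testing
        self.users = {}                         # username -> (salt, digest)
        self.failures = defaultdict(int)        # username -> consecutive failures
        self.locked_until = {}                  # username -> unix time lock expires
        self.attempts = defaultdict(deque)      # source -> timestamps of attempts

    def register(self, username, password):
        """Reject short or well-known passwords before they are ever stored."""
        if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
            return "REJECTED_WEAK_PASSWORD"
        self.users[username] = hash_password(password)
        return "OK"

    def _rate_limited(self, source):
        now = self.clock()
        recent = self.attempts[source]
        while recent and now - recent[0] > RATE_WINDOW:
            recent.popleft()                    # drop attempts outside the window
        if len(recent) >= RATE_LIMIT:
            return True
        recent.append(now)
        return False

    def login(self, username, password, source):
        now = self.clock()
        if self._rate_limited(source):
            return "RATE_LIMITED"
        if self.locked_until.get(username, 0) > now:
            return "LOCKED"                     # even the right password is refused
        stored = self.users.get(username)
        if stored:
            salt, digest = stored
            _, candidate = hash_password(password, salt)
            ok = hmac.compare_digest(candidate, digest)
        else:
            # Unknown user: still do one hash so response time does not reveal
            # which usernames exist.
            hash_password(password, b"\x00" * 16)
            ok = False
        if ok:
            self.failures[username] = 0
            return "SUCCESS"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
            return "LOCKED"
        return "FAILED"


if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.register("admin", "admin123"))               # REJECTED_WEAK_PASSWORD
    print(guard.register("admin", "river-mango-tabla-92"))   # OK
    for _ in range(5):
        print(guard.login("admin", "admin123", "203.0.113.5"))  # FAILED x4, then LOCKED
```

Note the order of checks: the per-source rate limit runs first, so a flood of requests costs the attacker's address before it costs the server a password hash, and the lock is enforced before the password is compared, so a correct guess made during the lock window still returns LOCKED.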
Remediation - what to do now
If you have ALREADY been hit
Reset the affected password immediately - and every other account where you reused that same password.
Enable MFA / OTP on those accounts right away, before doing anything else.
Force an org-wide password rotation so every employee account is changed, not just the one that was breached.
Review access & login logs for the intrusion: unknown devices, odd hours, foreign locations, data that was viewed or exported.
Revoke active sessions and tokens / API keys so the attacker is kicked out even if they still hold an old password.
Check haveibeenpwned.com for your email and staff emails to see what has leaked.
Deploy lockout & rate-limiting on the login system so the same attack cannot simply be re-run.
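The "monitor & alert" control in the prevention list and the log review step above both come down to the same analysis: find bursts of failed logins from one source, and flag successful sign-ins from a device or city the user has never used. The following Python example, added here and not part of the original debrief, runs that analysis over a handful of constructed audit lines; the line format, the BASELINE table and the alert names are assumptions for the illustration.

```python
"""Detection over login-audit lines (constructed sample, not real logs):
   - FAILED_LOGIN_BURST: FAIL_BURST failures from one source within BURST_WINDOW
   - NEW_DEVICE_OR_LOCATION: an OK login from a (city, device) not in the user's baseline
   - SUCCESS_AFTER_BURST: an OK login from a source that just produced a burst
Added illustration; the log format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"city=(?P<city>\S+) device=(?P<device>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: five wrong guesses against "admin" in a few seconds from an
# unknown address, then a success from a device and city never seen for that user.
SAMPLE_LOG = """\
2024-05-01T09:00:01 user=priya src=10.0.0.7 city=Mumbai device=laptop-priya result=OK
2024-05-01T09:00:05 user=admin src=203.0.113.5 city=Unknown device=script result=FAIL
2024-05-01T09:00:06 user=admin src=203.0.113.5 city=Unknown device=script result=FAIL
2024-05-01T09:00:07 user=admin src=203.0.113.5 city=Unknown device=script result=FAIL
2024-05-01T09:00:08 user=admin src=203.0.113.5 city=Unknown device=script result=FAIL
2024-05-01T09:00:09 user=admin src=203.0.113.5 city=Unknown device=script result=FAIL
2024-05-01T09:00:10 user=admin src=203.0.113.5 city=Unknown device=script result=OK
2024-05-01T09:30:00 user=rahul src=10.0.0.9 city=Mumbai device=laptop-rahul result=FAIL
2024-05-01T09:30:20 user=rahul src=10.0.0.9 city=Mumbai device=laptop-rahul result=OK
"""

# Constructed baseline: (city, device) pairs each user has signed in from before.
BASELINE = {
    "priya": {("Mumbai", "laptop-priya")},
    "rahul": {("Mumbai", "laptop-rahul")},
    "admin": {("Mumbai", "desktop-admin")},
}

FAIL_BURST = 5       # this many failures from one source...
BURST_WINDOW = 60    # ...within this many seconds is a burst


def parse_log(text):
    """Parse audit lines into dicts, skipping anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline):
    """Return a list of (alert_type, subject, detail) tuples in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failures
    burst_sources = set()               # sources already flagged for a burst
    for e in events:
        if e["result"] == "FAIL":
            window = recent_fails[e["src"]]
            window.append(e["ts"])
            while (e["ts"] - window[0]).total_seconds() > BURST_WINDOW:
                window.popleft()        # keep only failures inside the window
            if len(window) >= FAIL_BURST and e["src"] not in burst_sources:
                burst_sources.add(e["src"])
                alerts.append(("FAILED_LOGIN_BURST", e["src"],
                               f"{len(window)} failures in {BURST_WINDOW}s"))
        else:
            if (e["city"], e["device"]) not in baseline.get(e["user"], set()):
                alerts.append(("NEW_DEVICE_OR_LOCATION", e["user"],
                               f"{e['device']} from {e['city']} ({e['src']})"))
            if e["src"] in burst_sources:
                # the worst case: guessing stopped because a guess worked
                alerts.append(("SUCCESS_AFTER_BURST", e["user"], e["src"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), BASELINE):
        print(*alert)
```

On the sample this raises three alerts, all about the admin account, and none for rahul's single mistyped password from his usual laptop; in practice the baseline would be built from the last few weeks of successful logins, and a SUCCESS_AFTER_BURST alert is the trigger for the session-revocation and password-reset steps listed above.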
The statistic
~80%
of hacking-related breaches involve weak, reused, or stolen passwords. The single most common cause of a business getting hacked is also the easiest and cheapest one to fix.
Reuse one password, and a single leak can open every account.