Four of the password attacks on SY0-701 read almost identically on the exam. The attacker wants credentials, there are usernames and passwords involved, and every answer choice sounds plausible. The exam is not testing whether you know that attackers guess passwords. It is testing whether you can spot the one detail in the scenario that names the attack.
Here are the four that get mixed up, and the detail that separates them.
Brute force
The attacker targets one account and tries password after password until something works. Many passwords, one account. The giveaway in a question is a single username paired with a flood of attempts, and usually an account lockout that trips quickly. If the scenario mentions repeated failed logins on one user followed by a lockout, that is brute force showing its main weakness: it is loud.
Dictionary attack
This is brute force with a smarter list. Instead of every possible combination, the attacker runs through a wordlist of likely passwords: common choices, leaked passwords, predictable substitutions like P@ssw0rd. The detail to watch for is the mention of a wordlist or a list of common passwords. Same shape as brute force, narrower ammunition.
Password spraying
This is the one people misread most. The attacker takes one common password, say Spring2025!, and tries it against thousands of different accounts, one attempt each. One password, many accounts. The reason it matters is the reason it works: trying a single password per account stays under the lockout threshold, so it never trips the alarm that brute force trips. If a question describes attempts spread across many users with no lockouts firing, the answer is spraying, not brute force. That detail, no lockouts, is doing all the work in the question.
Credential stuffing
Here the attacker already has valid username and password pairs, usually from a breach dump on another site, and replays them against your login. The bet is that people reuse passwords. The detail that names it is the source: the credentials came from a previous breach, and the attacker is not guessing at all. If the scenario mentions reused passwords or a leaked credential list from another service, it is stuffing.
The two questions that sort them
The fast way to keep these straight is to ask two questions of the scenario: how many accounts, and where did the passwords come from? One account with many guesses is brute force or dictionary, and the wordlist detail splits those two. Many accounts with one shared password is spraying. Many accounts with already-valid passwords from a breach is stuffing.
The defenses map cleanly once the attacks are clear, and the exam likes to test those too. Account lockout slows brute force and dictionary. Lockout does almost nothing against spraying, because spraying is built to stay under it, so you want detection on failed logins across many accounts and MFA. Credential stuffing is the case for MFA and for not reusing passwords, which is why password managers and breach monitoring show up as answers. Notice that MFA is the answer for more than one of these. That is not a coincidence. When a question asks for the single best control against several of these at once, MFA is usually the move.
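The detection the previous paragraph calls for, failed logins counted per account and per source across many accounts, as an added example that is not from the original post. The log line format, the lockout threshold of 5 and the spray threshold of 10 accounts are assumptions, not SY0-701 or vendor values.

```python
"""Classify failed-login patterns as brute force/dictionary or password spraying.

Added example. Log format is constructed: "<timestamp> <FAIL|OK> user=<name> src=<ip>".
"""
from collections import defaultdict
import re

LINE = re.compile(r"^\S+ (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Assumed policy: an account locks after 5 failures, so a sprayer stays below that
# per account. Both thresholds are assumptions for the example.
LOCKOUT_THRESHOLD = 5
SPRAY_MIN_ACCOUNTS = 10

def parse(lines):
    """Yield (result, user, src) for well-formed lines; skip malformed ones."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m["result"], m["user"], m["src"]

def classify(lines):
    """Return {'brute_force': {usernames}, 'spraying': {source IPs}}."""
    fails_per_user = defaultdict(int)                          # one account, many guesses
    fails_per_src_user = defaultdict(lambda: defaultdict(int)) # one source, one guess each
    for result, user, src in parse(lines):
        if result != "FAIL":
            continue
        fails_per_user[user] += 1
        fails_per_src_user[src][user] += 1
    # Brute force / dictionary: a single account crosses the lockout threshold (loud).
    brute = {u for u, n in fails_per_user.items() if n >= LOCKOUT_THRESHOLD}
    # Spraying: one source fails against many accounts while every account stays
    # under the threshold, so per-account lockout never fires. Count across accounts.
    spray = set()
    for src, per_user in fails_per_src_user.items():
        if len(per_user) >= SPRAY_MIN_ACCOUNTS and max(per_user.values()) < LOCKOUT_THRESHOLD:
            spray.add(src)
    return {"brute_force": brute, "spraying": spray}

# Constructed sample: 6 failures on 'alice' from one IP (brute force), one failure
# each on 12 different accounts from 198.51.100.7 (spraying), one normal success.
SAMPLE_LOG = (
    [f"2025-03-01T10:00:{i:02d} FAIL user=alice src=203.0.113.5" for i in range(6)]
    + [f"2025-03-01T11:00:{i:02d} FAIL user=user{i:02d} src=198.51.100.7" for i in range(12)]
    + ["2025-03-01T12:00:00 OK user=bob src=192.0.2.9"]
)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A per-account lockout rule alone would flag only alice; the per-source distinct-account count is what surfaces the sprayer.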
One more that catches people: rainbow tables are not in this group. A rainbow table is an offline attack against stolen password hashes, not an online guessing attack against a login page. If a question mentions stolen hashes and precomputed tables, you are in a different family, and the defense is salting, not lockout. The exam mixes these in to see if you will reach for the wrong category.
If you want to find out which of these you actually have straight, the cleanest test is a few practice questions that force the distinction instead of letting you nod along to a definition. I keep a free diagnostic on the site I built, SecPlus Mastery, at secplusmastery.com/diagnostic. It tells you fast whether you are reading for the detail or guessing.
The pattern is bigger than passwords. Most of the attack questions on SY0-701 work this way. Two or three answers are real attacks, the scenario quietly contains the one fact that picks the right one, and the people who miss it are answering from the label instead of the sentence. Read for the detail. The exam put it there on purpose.