Daylila
How cybersecurity works

Lesson 4 of 13

Attackers don't break in — they log in

Explain why most breaches use stolen trust, not cracked code.

01 · Learn · the idea

In films, the break-in is loud and clever. A hooded figure types fast, green code scrolls, and “encryption cracked” flashes on screen seconds before the vault opens. It looks like genius against a machine. The real thing is duller and far more common. Most intrusions don’t start with cracked code. They start with a working login — a password that was stolen, phished, reused, guessed, or simply never changed. The attacker doesn’t smash the wall. They walk through the door with a key.

The door, not the wall

A modern company spends heavily on walls. Firewalls filter traffic. Encryption scrambles data in transit and at rest. Servers are patched. These are real defences, and they mostly work.

So attackers stop fighting them. Why batter a vault door when there’s a side entrance and someone left a key under the mat? The fastest way past strong encryption is to log in as someone who is already allowed past it. You don’t break the lock. You become a person who has one.

This is the single most useful idea in the whole subject. Once you see it, most security news stops sounding like wizardry and starts sounding like the same quiet story told again.

The asymmetry that decides it

Here is the heart of it, and it is unfair by design.

The defender has to be right every single time. Every account, every login page, every door, every employee — all of it has to hold, on every day, forever. One weak spot anywhere is enough.

The attacker has to be right once. One credential that works, one time, and they are in.

That imbalance is why credentials are the front line. A company can have ten thousand employees with strong, unique passwords and one person who reused theirs. The attacker doesn’t need the ten thousand. They need the one. Defence is a marathon with no finish line; attack is a single lucky draw, repeated cheaply until it lands.

How the key gets made

A working login can come from several quiet sources, and none of them involve cracking code.

Reuse and leaks. People reuse one password across dozens of sites. When any one of those sites is breached, the email-and-password pair ends up on a leak list. Attackers then replay that pair against other sites — your bank, your work login, your email. The trade calls this credential stuffing: stuffing known leaked logins into other doors to see which open. We met this in the lesson on why passwords break — reuse turns one small breach into a master key.

Phishing. Sometimes the attacker just asks. A convincing fake login page tricks you into typing your password straight into their hands. We’ll take that apart in the next item; for now, know it produces a perfectly valid key, freely given.

Defaults and no second factor. Devices and accounts ship with default passwords that nobody changes, and those defaults are printed in the manual, so anyone who wants them can look them up. And an account protected only by a password — no second factor, the “something you have or are” we covered earlier — falls the moment that one password is known.

And here is the worst part: once inside with a valid login, the attacker looks exactly like a normal user. The system sees an approved person doing approved things. The login itself trips nothing, because nothing about it is wrong. What can give it away is the context around it: a sign-in from a device or country the account has never used, or a burst of failed logins to other accounts from the same source minutes earlier. Companies that don’t watch for that context find out months later, if at all. That’s why these break-ins are so quiet.
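The reuse and second-factor mechanics above, run as a small simulation. This is an added example, not code from the original lesson; the site, the accounts, the leak list and the MFA flags are all constructed for illustration. The point to watch: the site’s password hashes are never attacked at all, and the one account with a second factor does not fall even though its password is on the leak list.

```python
"""Credential stuffing, simulated end to end on constructed data.

Added example for this lesson, not part of the original page. The "leak
list", the user database, the email addresses and the MFA flags below are
all made up for illustration.
"""
import hashlib
import secrets

# --- the target site: stores salted password hashes, never plaintext ----------

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password; the salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, mfa_enabled: bool) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "mfa": mfa_enabled}

def check_login(users: dict, email: str, password: str, has_second_factor: bool) -> str:
    """Returns 'ok', 'wrong_password', 'no_such_user' or 'mfa_required'.

    The distinct failure reasons are kept here so the simulation is readable.
    A real login page should report 'no_such_user' and 'wrong_password' as the
    same generic failure, or it tells the attacker which accounts exist.
    """
    user = users.get(email)
    if user is None:
        return "no_such_user"
    if not secrets.compare_digest(user["hash"], hash_password(password, user["salt"])):
        return "wrong_password"
    if user["mfa"] and not has_second_factor:
        return "mfa_required"
    return "ok"

# --- constructed data ----------------------------------------------------------
# Work accounts. Two people reused a hobby-forum password; one of them has MFA.
WORK_USERS = {
    "alice@example.com": make_user("correct horse battery staple", mfa_enabled=False),
    "bob@example.com":   make_user("hobbyforum2019!", mfa_enabled=False),  # reused, no MFA
    "carol@example.com": make_user("hobbyforum-carol", mfa_enabled=True),  # reused, but MFA
    "dave@example.com":  make_user("xK9#mq2Lp!vR", mfa_enabled=False),
}

# What a leak list from the breached forum looks like: email and plaintext password.
LEAKED_PAIRS = [
    ("bob@example.com", "hobbyforum2019!"),
    ("carol@example.com", "hobbyforum-carol"),
    ("dave@example.com", "forum-only-password"),  # not reused at work
    ("erin@example.com", "whatever"),              # no work account at all
]

def stuff_credentials(users: dict, leaked_pairs: list) -> dict:
    """Replay every leaked pair against the site, exactly as an attacker would.

    No hash is cracked and no defence is bypassed: each attempt is an ordinary
    login. The attacker has no second factor, so MFA-protected accounts stop at
    'mfa_required' even when the password is right.
    """
    outcomes = {}
    for email, password in leaked_pairs:
        outcomes[email] = check_login(users, email, password, has_second_factor=False)
    return outcomes

def accounts_taken_over(outcomes: dict) -> list:
    """The accounts the attacker now holds: correct password and no second factor."""
    return sorted(email for email, result in outcomes.items() if result == "ok")

if __name__ == "__main__":
    results = stuff_credentials(WORK_USERS, LEAKED_PAIRS)
    for email, result in results.items():
        print(f"{email:22} {result}")
    print("taken over:", accounts_taken_over(results))
```

Only bob falls: his password is both leaked and reused, and nothing else is asked of the attacker. Carol reused hers too, but the second factor turns a correct password into a dead end. Dave and Erin appear on the list yet are untouched, which is also why an attacker replays the whole list cheaply rather than studying any one entry.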

A worked example: the breach that cracked nothing

Walk through a typical breach investigation, step by step.

A company is breached. Customer data is taken. The security team pulls the logs to find the hole in the wall.

There is no hole. The firewall held. The encryption held. The servers were patched. Every technical defence did its job.

So they trace the intrusion backwards. The attacker entered through the normal employee login page — using a real employee’s real password. No alarm fired, because nothing was wrong with the login. It was correct.

Where did the password come from? The employee had used the same password at work as on a small hobby forum years earlier. That forum was breached. The email-and-password pair sat in a leak list, traded freely, for over a year. An attacker took that pair and tried it on the company’s login page. It worked. There was no second factor to stop them.

No code was cracked. No wall was breached. The “break-in” was a log-in. The entire incident traces back to one reused password on a forgotten website — a key the company never knew existed.
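The investigation above, reduced to a few log lines. This is an added example, not code from the original lesson; the log lines and their layout (time, source address, account, outcome) are constructed, with addresses taken from the documentation ranges. Viewed per account, the attacker’s login is one ordinary success, which is what the company’s logs showed. Viewed per source, the replay of a leak list stands out: one address, many different accounts, almost all failures, then one success.

```python
"""Why a stolen-credential login is hard to see, and what still gives it away.

Added example for this lesson, not part of the original page. The log lines
are constructed and the field layout (timestamp, source IP, account, result)
is an assumption, not any real product's format.
"""
from collections import defaultdict

# Constructed authentication log. Office users (198.51.100.x) log in normally.
# One outside source (203.0.113.9) replays a leak list against the login page:
# many accounts, mostly failures, one success on bob's reused password.
AUTH_LOG = """\
2024-03-04T08:01:12Z 198.51.100.20 alice@example.com success
2024-03-04T08:02:40Z 198.51.100.21 dave@example.com success
2024-03-04T08:03:05Z 198.51.100.20 alice@example.com success
2024-03-04T08:05:01Z 203.0.113.9 erin@example.com fail
2024-03-04T08:05:02Z 203.0.113.9 frank@example.com fail
2024-03-04T08:05:02Z 203.0.113.9 grace@example.com fail
2024-03-04T08:05:03Z 203.0.113.9 dave@example.com fail
2024-03-04T08:05:04Z 203.0.113.9 carol@example.com fail
2024-03-04T08:05:04Z 203.0.113.9 bob@example.com success
2024-03-04T08:07:30Z 198.51.100.22 carol@example.com success
"""

def parse(log: str) -> list:
    """Split each line into its four fields."""
    events = []
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        events.append({"ts": ts, "ip": ip, "account": account, "result": result})
    return events

def account_view(events: list, account: str) -> list:
    """What the system 'sees' for one account. For bob this is a single
    success: a correct password, accepted, indistinguishable from bob himself."""
    return [e["result"] for e in events if e["account"] == account]

def stuffing_sources(events: list, min_accounts: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Group by source address instead. A credential-stuffing run shows up as one
    source touching many distinct accounts with a high failure rate. Returns the
    flagged sources mapped to the accounts they successfully logged in to."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        accounts = {e["account"] for e in evs}
        fails = sum(e["result"] == "fail" for e in evs)
        if len(accounts) >= min_accounts and fails / len(evs) >= min_fail_ratio:
            flagged[ip] = sorted(e["account"] for e in evs if e["result"] == "success")
    return flagged

if __name__ == "__main__":
    events = parse(AUTH_LOG)
    print("bob's account, as the system saw it:", account_view(events, "bob@example.com"))
    for ip, taken in stuffing_sources(events).items():
        print(f"stuffing source {ip} succeeded against: {taken}")
```

The thresholds are illustrative; a real deployment tunes them and adds other context (a device or country the account has never used, logins outside working hours). The lesson’s point survives the detail: the successful login is not the signal. The signal is what surrounds it, and only a company that looks there finds it before the data is gone.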

You are a door

This is why, for an ordinary person, the advice that sounds boring is the advice that matters most. A unique password for every account, which in practice means letting a password manager generate and remember them, means one leak can’t become a master key. A second factor means a stolen password isn’t enough on its own.

These do more for your safety than any firewall, because they defend the place attackers actually attack. You are not behind the wall. You are one of the doors.

On the whole

Security is often pictured as a fortress — thick walls, clever locks, a contest of machines. But the wall is rarely where the contest is decided. It’s decided at the doors, and the doors are people, each holding a key, most of them unaware they’re on the front line.

You are one of those doors, and so is everyone you trust with your accounts — the company you bank with, the colleague who shares a login, the friend who knows your password. The system’s strength is not its strongest wall but its weakest door, and you cannot see most of them. Seeing that is the humble part: your safety depends partly on choices made by people you’ll never meet, and theirs depends on yours.

02 · Try · the lab

03 · Check · quick quiz

1. A company is breached. The logs show the attacker entered through the normal employee login page using a real employee's real password, found in an old leak list. The firewall and encryption were never touched. What best describes this intrusion?

  • A break-in — they defeated the company's technical defences
  • A log-in — they used stolen valid credentials, so the defences never had to be beaten
  • A firewall failure that the team simply hasn't found yet
  • An encryption crack disguised as a normal login
Answer

A log-in — they used stolen valid credentials, so the defences never had to be beaten — Nothing technical was broken. The attacker arrived with a correct password and walked in as an approved user. Most real breaches are log-ins, not break-ins — which is why the firewall and encryption holding tells you little about whether you're safe.

2. Why does the attacker-versus-defender contest favour the attacker so heavily?

  • Attackers have better tools and faster computers than defenders
  • The defender must protect every account and door every time, while the attacker needs just one credential that works once
  • Defenders aren't allowed to use encryption against attackers
  • Attacks are illegal, so the law gives attackers an unfair advantage
Answer

The defender must protect every account and door every time, while the attacker needs just one credential that works once — It's an asymmetry of effort. One weak spot anywhere is enough for the attacker; the defender has to hold all of them, forever. Ten thousand strong passwords and one reused one means the attacker only needs the one.

3. After getting in with a valid stolen login, why do these intrusions often go unnoticed for months?

  • The attacker deletes the logs so there is no record
  • Antivirus software is switched off during a breach
  • The attacker looks like a normal approved user doing approved things, so nothing trips an alarm
  • Encryption hides the attacker's activity from the company
Answer

The attacker looks like a normal approved user doing approved things, so nothing trips an alarm — A valid login makes the attacker indistinguishable from the real user. The system sees an allowed person doing allowed things, so no alarm fires. The quietness is exactly why credentials — not walls — are the front line.