What is a replay attack? (And how to prevent them)


A replay attack is when a third party intercepts and “replays” a secure data transmission, allowing the third party to interact with the receiver as though they were the original sender. It’s a relatively common and surprisingly simple form of cyberattack. 

How does a replay attack work?

Imagine Tom sends a login request to a website—the login request is verified, and Tom can log in. Sally intercepts the login request without Tom or the website being aware. Sally doesn’t even need to read the contents of the request; she can simply “replay” it. To the website, it will appear as though Tom is logging in again, and Sally’s login request (as Tom) will be successful. 

Diagram of replay attack.

Hackers can eavesdrop on data exchanges being sent through networks—this type of eavesdropping is known as packet sniffing. Once data is intercepted, it is replayed in the same form—usually a session ID, an email, or a message. Replay attacks are often used to steal usernames and passwords, or to trick users into sending funds to the hacker.

But shouldn’t passwords be encrypted? In fact, they usually are. Passwords are commonly “hashed,” which means they’re scrambled using a key known only to the site. Unfortunately, this isn’t enough to prevent a replay attack. As long as the authentication is successful, the hacker can simply replay the authentication; they don’t actually need to know the password. This is referred to as a “pass-the-hash attack.” 

To prevent this, passwords are often “hashed and salted.” (Anyone else feeling hungry?) Salting refers to the practice of adding a unique string of characters known only to the website to each password. However, sites will sometimes reuse the same salt for every password, making the practice less secure. 


How to prevent a replay attack

So, if a secure, encrypted password isn’t enough, how do you prevent a replay attack?

  • Using a one-time password (OTP) is one option because—as the name suggests—the password can only be used once.
  • Adding a timestamp that’s only valid for a short amount of time can also prevent a hacker from launching a replay attack.
  • Ensuring you only access websites that use the HTTPS protocol helps protect data, and avoiding public or free Wi-Fi also helps you stay protected online.
  • Lastly—and we think, most importantly—a VPN masks your internet traffic from third parties and prevents hackers from eavesdropping in the first place. 
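As an added example (not code from the original post), here is how the one-time-value and short-validity-window ideas above fit together in practice: the client attaches a timestamp and a fresh random nonce to each request and authenticates the whole thing with a shared key (the key here is a constructed demo value), and the server rejects any request whose tag does not verify, whose timestamp is outside a short window, or whose nonce it has already seen. Replaying a captured request therefore fails even though the attacker never learned the password.

```python
import hashlib
import hmac
import secrets
import time

# Shared secret between client and server (constructed demo value, not a real key).
SHARED_KEY = b"example-shared-secret-for-demo"
MAX_AGE_SECONDS = 30  # how long a signed request stays valid


def sign_request(body, key=SHARED_KEY, now=None):
    """Client side: attach a timestamp and a fresh random nonce, then MAC everything.

    The nonce makes every request unique even when the body is identical,
    so a captured copy cannot be accepted a second time.
    """
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    msg = f"{ts}|{nonce}|{body}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "body": body, "mac": tag}


class ReplayGuard:
    """Server side: verify the MAC, reject stale timestamps and reused nonces."""

    def __init__(self, key=SHARED_KEY, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp; entries older than max_age are expired

    def verify(self, req, now=None):
        now = int(now if now is not None else time.time())
        msg = f"{req['ts']}|{req['nonce']}|{req['body']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so the MAC check itself does not leak timing.
        if not hmac.compare_digest(expected, req["mac"]):
            return "rejected: bad mac"
        # Timestamp window: a request captured and replayed later is stale.
        if abs(now - req["ts"]) > self.max_age:
            return "rejected: stale timestamp"
        # Drop expired nonces so the set stays bounded, then check for reuse.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if req["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[req["nonce"]] = req["ts"]
        return "accepted"
```

The nonce store only needs to remember values for as long as the timestamp window allows, which is why the two checks are used together rather than either one alone.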
