Authentication and access control attacks
Common attacks against access control are dictionary attacks, brute force attacks and spoofed logon screens.
Dictionary attacks
These are programs with a built-in dictionary. They try every word in the dictionary as the password, in the hope that the user has chosen a standard dictionary word.
Brute force attacks
This type of attack attempts to break the password by trying every possible combination of characters. The software can be set to start with two-character combinations, then move on to three, then four, and so on. The program attempts every possible combination, including special characters. However, after 6 or 7 characters it can take a long time to exhaust all combinations. In fact it is not worth attempting beyond an 8-character combination, as most computers will take a very long time to exhaust all possibilities: weeks, months or years, depending on the number of characters and the processing power of the computer.
Spoofed logon screens
The last access control attack is to install a fake logon screen; when a user attempts to log in, the fake screen sends the username and password to the hacker.
Prevention against authentication and access control attacks
To counter these types of attacks, passwords should be long, complex and changed periodically. If a password is used many times a day and protects important information, it should be changed more often. A strong password policy should be in place to enforce this, along with other measures such as locking users out after a set number of failed logon attempts. Spoofed logon screens are almost unavoidable once the fake screen has already been installed on a computer. The prevention for this attack is to keep endpoints secure, so that fake logon screens cannot be installed in the first place.
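Of the measures listed above, locking an account after a set number of failed logon attempts is the one aimed most directly at dictionary and brute force attacks. The Python below is an added example (not code from the original article): it implements such a lockout as a sliding-window failure counter and replays constructed logon events through it. The thresholds and the user names are assumed values.

```python
from collections import defaultdict, deque

# Policy knobs (constructed values, not from the page): lock an account after
# MAX_FAILURES failed logons inside WINDOW_SECONDS, for LOCKOUT_SECONDS.
MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 5, 300, 900


class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record(self, user, success, now):
        """Apply one logon event; return 'ok', 'failed', 'locked' (lock just
        triggered) or 'rejected' (attempt refused while locked)."""
        if self.is_locked(user, now):
            return "rejected"                # even a correct password is refused
        if success:
            self.failures[user].clear()
            return "ok"
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"


def replay(events, policy=None):
    """Feed (timestamp, user, success) events through a policy; return decisions."""
    policy = policy or LockoutPolicy()
    return [policy.record(user, ok, ts) for ts, user, ok in events]


# Constructed sample: a rapid run of wrong passwords against 'alice', then the
# right one (refused while locked), an unrelated user, and a retry after expiry.
SAMPLE_EVENTS = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (4, "alice", False),    # fifth failure triggers the lock
    (5, "alice", True),                           # right password, but locked
    (6, "bob", True),                             # other accounts unaffected
    (4 + LOCKOUT_SECONDS + 1, "alice", True),     # lock expired, logon succeeds
]
```

Failures older than the window are discarded, so five wrong passwords spread over more than five minutes do not lock the account, while five in a few seconds do.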
Wikipedia's guide to Authentication