Password Spraying Attack
Jump to navigation
Jump to search
A Password Spraying Attack is a brute-force password attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password
- See: Account Password.
References
2019a
- https://www.apextechservices.com/topics/articles/442970-how-avoid-password-spraying-attacks.htm
- QUOTE: ... Password spraying is a type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts. ...
2019b
- https://www.zdnet.com/article/financial-sector-has-been-seeing-more-credential-stuffing-than-ddos-attacks-in-recent-years/
- QUOTE:
- Brute-force attacks - attackers try common or weak username/passwords pairs (from a preset list) to brute-force their way into an account
- Credential stuffing - attackers try username/password pairs leaked at other sites
- Password spraying - attackers try the same password, but against different usernames
- QUOTE:
2018
- https://doubleoctopus.com/security-wiki/threats-and-tools/password-spraying/
- QUOTE: Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked-out, as commonly used account-lockout policies allow for a limited number of failed attempts (typically three to five) during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single commonly used password (such as ‘Password1’ or ‘Summer2017’) against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.