Password Spraying Attack


Alternative Forms

  • Low and Slow Attack

  • Spray-Password Attack

Definitions

Definition 1 Attack Technique

A Password Spraying Attack is a brute force attack technique targeting password-protected systems. Given a large user population, it is highly probable that some users have weak passwords. The Password Spraying Attack exploits this weakness by trying a small set of commonly used passwords, or plausible passwords built from publicly available information about the system's users (e.g. employees), against many identities. A rotation scheme over a large set of identities is used: each candidate password is tried in turn against every identity before the next password is attempted.

Threat actors may use the Password Spraying Attack during the initial exploitation phase of an attack and/or later on for lateral movement.

The Password Spraying Attack must be distinguished from the Password Brute Force Attack, which tries many passwords against a single identity. The latter is easily countered by account lockout mechanisms. Conversely, the Password Spraying Attack evades account lockout by making a very small number of authentication attempts per identity (kept below the lockout threshold within its observation window) while making a large number of authentication attempts overall.
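The contrast between the two techniques, as an added example that is not part of the original page: a toy Python simulation of an in-memory authentication service with an account-lockout policy, run once with a single-identity brute force and once with a spraying rotation. Everything in it is constructed for illustration: the user base, the candidate passwords, the assumed lockout policy (5 failures within a 15-minute window) and the spray pacing.

```python
"""Added example (not from the original page): toy simulation contrasting a
single-identity brute force with a password spray against an in-memory
authentication service that enforces account lockout.

Assumptions (all constructed): the user base, the candidate passwords, a
lockout policy of 5 failures within a 15-minute window, and the spray pacing.
"""
from collections import defaultdict
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5        # failures that lock an account (assumed policy)
LOCKOUT_WINDOW = 15 * 60     # seconds over which failures are counted (assumed)

# Constructed user base; only carol has a password outside the candidate list.
CREDENTIALS = {
    "alice": "Summer2024!",
    "bob": "Welcome1",
    "carol": "m7#Qz!vL0pRw",
    "dave": "Password123",
}
# Constructed candidate list: common passwords plus season/year patterns.
CANDIDATES = ["Password123", "Welcome1", "Summer2024!",
              "Spring2024!", "Company1", "Qwerty123"]


@dataclass
class AuthService:
    """Mock identity provider with per-account lockout; time is simulated."""
    credentials: dict
    failures: dict = field(default_factory=lambda: defaultdict(list))
    locked: set = field(default_factory=set)

    def login(self, user, password, now):
        if user not in self.credentials:
            return "no_such_user"
        if user in self.locked:
            return "locked"
        # Only failures inside the observation window count toward lockout.
        recent = [t for t in self.failures[user] if now - t < LOCKOUT_WINDOW]
        self.failures[user] = recent
        if self.credentials[user] == password:
            return "success"
        recent.append(now)
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
            return "locked"
        return "failure"


def brute_force_single_user(svc, user, candidates):
    """Many passwords against one identity, one attempt per second."""
    return [svc.login(user, pw, float(i)) for i, pw in enumerate(candidates)]


def password_spray(svc, users, candidates, pause):
    """Rotation scheme: try ONE password against every identity, then pause
    for at least the lockout window before the next password, so no account
    ever accumulates LOCKOUT_THRESHOLD failures inside one window."""
    found = {}
    now = 0.0
    for pw in candidates:
        for user in users:
            if user in found:
                continue
            if svc.login(user, pw, now) == "success":
                found[user] = pw
            now += 1.0             # one attempt per second overall
        now += pause               # low and slow: wait out the window
    return found


if __name__ == "__main__":
    bf = brute_force_single_user(AuthService(dict(CREDENTIALS)), "carol", CANDIDATES)
    print("brute force on carol:", bf)          # locked after 5 failures
    svc = AuthService(dict(CREDENTIALS))
    print("spray found:", password_spray(svc, list(CREDENTIALS), CANDIDATES, LOCKOUT_WINDOW))
    print("accounts locked by spray:", svc.locked)   # set()
```

The brute force locks carol on its fifth attempt without ever finding her password, while the spray recovers three of the four passwords and locks nobody, because each account sees at most one failure per lockout window. In practice the attacker does not know the exact threshold or window, which is why the technique is run "low and slow" with generous pauses; for the defender, the lesson is that failure counts must be tracked per source and across accounts, not per account alone.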

Some preferred targets are:

  • Systems using Single Sign-On (SSO) to gain access to multiple resources

  • Systems using federated authentication protocols, as these may make the attempts harder to detect

  • Email accounts

Some possible countermeasures are:

  • Alternatives to password authentication

  • Audits to reveal and address weak passwords

  • Intrusion Detection Systems (IDS)

  • Intrusion Prevention Systems (IPS)

  • Multi-Factor Authentication (MFA)

  • Multi-Step Verification (MSV)

  • Password complexity

MFA does not stop the spraying itself: valid passwords are still discovered. MFA may therefore fail against a Password Spraying Attack if it is weakly implemented and the second factor is subsequently bypassed, for instance through an authentication path that does not enforce it.
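The detection countermeasure listed above, as an added example that is not part of the original page: a small Python routine run over constructed authentication log lines. It shows why a per-account failure threshold (the rule behind lockout-style detection) stays silent during a spray, and what a per-source rule that counts distinct accounts looks like. The log format, the IP addresses, the user names and the thresholds are all assumptions made for this illustration.

```python
"""Added example (not from the original page): minimal password-spraying
detection over authentication logs. The log format, sample lines, IPs, user
names and thresholds are constructed for illustration."""
import re
from collections import defaultdict, Counter
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <user> <outcome>".
# 203.0.113.7 sprays one password across six accounts, then logs in as dave.
# 198.51.100.9 is a legitimate user mistyping twice before succeeding.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice LOGIN_FAILED
2024-05-01T09:01:10Z 203.0.113.7 bob LOGIN_FAILED
2024-05-01T09:02:05Z 198.51.100.9 alice LOGIN_FAILED
2024-05-01T09:02:30Z 203.0.113.7 carol LOGIN_FAILED
2024-05-01T09:02:40Z 198.51.100.9 alice LOGIN_FAILED
2024-05-01T09:02:55Z 198.51.100.9 alice LOGIN_OK
2024-05-01T09:03:44Z 203.0.113.7 dave LOGIN_FAILED
2024-05-01T09:05:12Z 203.0.113.7 erin LOGIN_FAILED
2024-05-01T09:06:30Z 203.0.113.7 frank LOGIN_FAILED
2024-05-01T09:12:00Z 203.0.113.7 dave LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_FAILED|LOGIN_OK)$")


def parse_log(text):
    """Return (timestamp, source_ip, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # skip malformed lines rather than crash on them
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK"))
    return sorted(events)


def per_account_threshold(events, threshold=5):
    """Classic brute-force rule: accounts with >= threshold failures.
    A spray keeps every account below this, so the rule stays silent."""
    failures = Counter(user for _, _, user, ok in events if not ok)
    return {u: n for u, n in failures.items() if n >= threshold}


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Spray rule: one source IP failing against at least `min_users` distinct
    accounts inside `window`, with at most `max_per_user` failures per account.
    Returns one alert per offending IP, listing the accounts hit and any
    successful logins from that IP after the spray started (likely hits)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [ev for ev in evs if not ev[3]]
        for i, (start, _, _, _) in enumerate(fails):
            in_window = [ev for ev in fails[i:] if ev[0] - start < window]
            hits = Counter(ev[2] for ev in in_window)
            if len(hits) >= min_users and max(hits.values()) <= max_per_user:
                successes = sorted({ev[2] for ev in evs if ev[3] and ev[0] >= start})
                alerts.append({"ip": ip, "start": start,
                               "accounts": sorted(hits), "successes": successes})
                break            # one alert per source is enough
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account rule:", per_account_threshold(evs))   # {} : nothing fires
    for alert in detect_spray(evs):
        print("spray from", alert["ip"], "since", alert["start"].isoformat(),
              "accounts:", alert["accounts"], "successes:", alert["successes"])
```

The per-account rule returns nothing because no account exceeds three failures, whereas the per-source rule flags 203.0.113.7 and surfaces the later successful login as dave for the responder to act on. Real deployments need the same logic keyed on more than the source IP (spraying is routinely spread across proxies or cloud egress ranges) and must correlate identity-provider logs with service logs, which is the gap that federated authentication can open.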

Sample Sentence

Alice was running a successful online shop with thousands of clients. The online shop used password-based single-factor authentication. Eve used a robot to scrape the public profiles of the online shop and build a database of plausible passwords. She then launched a Password Spraying Attack and quickly found a few hundred valid passwords. She then used Bob as a money mule to steal money using the credit card information of the shop's customers.

Conceptual Diagram

Definition 2 Attack Instance

A Password Spraying Attack is an instance of an attack that uses the password spraying attack technique.

Related Terms

  • Credential Stuffing Hyponym

  • Heap Spraying

  • Password

Quotes

  • Jover, 2020, p. 19

  • Stubbs and Bing, 2020, p. 1

  • Dimensional Research, 2020, p. 5

  • Haber, 2020, p. 74-75

  • Vittori, 2019, p. 8

  • Counter Threat Unit Research Team, 2019 (a)

  • Counter Threat Unit Research Team, 2019 (b)

  • Rahav, 2019, p. 1

  • Sarai, 2018, p. 10

  • P, 2018, p. 1

Bibliography

See Also
