Password Spraying Attack

Alternative Forms

  • Low and Slow Attack

  • Spray-Password Attack

Definitions

Definition 1

A Password Spraying Attack is an attack technique targeting password-protected systems. Given a large user population, it is highly probable that some passwords are weak. Exploiting this weakness, the Password Spraying Attack consists in using commonly used passwords, or plausible passwords built by combinations from publicly available information related to the system users (e.g. employees or targets). A rotation scheme on a large set of identities is then used to try these passwords in turn.

Contrast with Password Brute-Force Attack.

Threat actors may use the Password Spraying Attack during the initial exploitation phase of an attack and/or later on for lateral movement.

The Password Spraying Attack must be distinguished from the Password Brute Force Attack that targets a single identity. The latter attack is easily countered with account lockout mechanisms. Inversely, the Password Spraying Attack avoids account lockout mechanisms by making a very small number of authentication attempts per identity, but a large number of authentication attempts overall.
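The distinction just drawn is exactly what a detector has to account for: a per-identity failure counter catches brute force but stays silent during a spray, so the spray signal is the number of distinct identities failing from one source. The following is an added example, not part of the original glossary entry; the log format, IP addresses, user names and thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "<ISO timestamp> <source IP> <user> <outcome>".
# 203.0.113.5 tries one password across many identities (spray, one failure each),
# 198.51.100.9 hammers a single identity (brute force), 192.0.2.77 is a mistyped password.
SAMPLE_LOG = """\
2024-05-01T08:00:01 203.0.113.5 alice FAIL
2024-05-01T08:00:04 203.0.113.5 bob FAIL
2024-05-01T08:00:07 203.0.113.5 carol FAIL
2024-05-01T08:00:10 203.0.113.5 dave FAIL
2024-05-01T08:00:13 203.0.113.5 erin SUCCESS
2024-05-01T08:00:20 198.51.100.9 alice FAIL
2024-05-01T08:00:21 198.51.100.9 alice FAIL
2024-05-01T08:00:22 198.51.100.9 alice FAIL
2024-05-01T08:00:23 198.51.100.9 alice FAIL
2024-05-01T08:01:00 192.0.2.77 bob FAIL
2024-05-01T08:01:30 192.0.2.77 bob SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, source, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return sorted(events)

def classify_sources(events, window=timedelta(minutes=10),
                     lockout_threshold=4, spray_min_users=4):
    """Return {source: "brute_force" | "spray" | "benign"}.
    A per-identity lockout counter (lockout_threshold failures on one user) stops brute force.
    Spraying stays below it on every identity, so the spray signal is instead the number of
    distinct identities that failed from one source inside the time window."""
    fails_by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))
    verdicts = {}
    for src, fails in fails_by_src.items():
        verdict = "benign"
        for i, (start, _) in enumerate(fails):      # slide the window over each failure
            per_user = Counter(u for t, u in fails[i:] if t - start <= window)
            if max(per_user.values()) >= lockout_threshold:
                verdict = "brute_force"
                break
            if len(per_user) >= spray_min_users:
                verdict = "spray"
        verdicts[src] = verdict
    return verdicts
```

Lowering spray_min_users trades false positives (shared NAT egress, a help desk testing accounts) against sensitivity, so in practice the threshold is tuned per source population.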

Some preferred targets are:

  • Systems using Single Sign-On (SSO) to gain access to multiple resources

  • Systems using federated authentication protocols, as this may ease detection avoidance

  • Email accounts


Possible countermeasures

Some possible countermeasures are:

  • Alternatives to password authentication

  • Audits to reveal and address weak passwords

  • Intrusion Detection Systems (IDS)

  • Intrusion Prevention Systems (IPS)

  • Multi-Factor Authentication (MFA)

  • Multi-Step Verification (MSV)

  • Password complexity

Sample Sentence

Alice was running a successful online shop with thousands of clients. The online shop used password-based single-factor authentication. Eve used a robot to web-scrape the public profiles of the online shop and build a database of plausible passwords. She then launched a Password Spray Attack and quickly found a few hundred valid passwords. She then used Bob as a mule to steal money using the credit card information of the shop customers.

Conceptual Diagram

Related Terms

  • Attack (Hyperonym)

  • Attack Technique (Hyperonym)

  • Brute Force Attack (Hyperonym)

  • Credential Stuffing (Hyponym)

  • Heap Spraying

  • Password

...