The attack consists of trying commonly used passwords, or plausible passwords built by combining publicly available information about the system's users (e.g. employees). A rotation scheme over a large set of identities is then used to try these passwords in turn, so that each identity receives only a few attempts.
Threat actors may use the Password Spraying Attack during the initial exploitation phase of an attack and/or later for lateral movement.
The Password Spraying Attack must be distinguished from the Password Brute Force Attack, which targets a single identity. The latter is easily countered by account lockout mechanisms. Conversely, the Password Spraying Attack evades account lockout mechanisms by making a very small number of authentication attempts per identity but a large number of authentication attempts overall.
Some preferred targets are:
Some possible countermeasures are:
Alternatives to password authentication
Audits to reveal and address weak passwords
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
Multi-Factor Authentication (MFA)
Multi-Step Verification (MSV)
Password complexity
MFA may still be vulnerable to Password Spraying Attacks if it is weakly implemented and the second factor can be bypassed.
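The distinction drawn above, that per-account lockout stops brute force but is blind to spraying, is what an IDS rule for this attack has to account for. The following added example (not part of the original page) runs both checks over a constructed authentication log: a classic per-account lockout counter, and a spray detector that keys on one source failing against many distinct accounts inside a time window, regardless of how few attempts each account sees. The log format, addresses, account names and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from any real system).
# One event per line: ISO timestamp, source address, account name, outcome.
# 198.51.100.9 hammers a single account (brute force); 203.0.113.7 tries six
# accounts once each (spraying) and then succeeds on a seventh; 192.0.2.44 is
# a legitimate user who mistypes once.
SAMPLE_LOG = """\
2024-03-01T08:00:01+00:00 198.51.100.9 alice FAIL
2024-03-01T08:00:02+00:00 198.51.100.9 alice FAIL
2024-03-01T08:00:03+00:00 198.51.100.9 alice FAIL
2024-03-01T08:00:04+00:00 198.51.100.9 alice FAIL
2024-03-01T08:00:05+00:00 198.51.100.9 alice FAIL
2024-03-01T08:00:06+00:00 198.51.100.9 alice FAIL
2024-03-01T08:01:00+00:00 203.0.113.7 alice FAIL
2024-03-01T08:01:30+00:00 203.0.113.7 bob FAIL
2024-03-01T08:02:00+00:00 203.0.113.7 carol FAIL
2024-03-01T08:02:30+00:00 203.0.113.7 dave FAIL
2024-03-01T08:03:00+00:00 203.0.113.7 erin FAIL
2024-03-01T08:03:30+00:00 203.0.113.7 frank FAIL
2024-03-01T08:04:00+00:00 203.0.113.7 grace OK
2024-03-01T08:05:00+00:00 192.0.2.44 heidi FAIL
2024-03-01T08:05:20+00:00 192.0.2.44 heidi OK
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, source, account, outcome) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return sorted(events, key=lambda e: e[0])


def locked_out_accounts(events, threshold=5, window=timedelta(minutes=15)):
    """Per-account lockout: an account is locked once it accumulates `threshold`
    failures within `window`. This is the control that defeats brute force."""
    failures = defaultdict(list)
    for ts, _src, user, outcome in events:
        if outcome == "FAIL":
            failures[user].append(ts)
    locked = set()
    for user, times in failures.items():  # times are already in time order
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                locked.add(user)
                break
    return locked


def spray_sources(events, min_accounts=5, window=timedelta(minutes=15)):
    """Spray detection: flag a source that fails against at least `min_accounts`
    distinct accounts within `window`. Per-account counts never reach the
    lockout threshold here, so this is the signal lockout alone cannot see.
    Returns {source: max distinct accounts failed in one window}."""
    per_source = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            per_source[src].append((ts, user))
    flagged = {}
    for src, attempts in per_source.items():
        best = 0
        for i, (start, _user) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            flagged[src] = best
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that a flagged source then authenticated to successfully: the
    identities to reset and investigate first."""
    return {user for _ts, src, user, outcome in events
            if src in flagged and outcome == "OK"}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("locked out by per-account policy:", locked_out_accounts(evts))
    sprayers = spray_sources(evts)
    print("sources flagged as spraying:", sprayers)
    print("accounts to reset first:", successes_from_flagged(evts, sprayers))
```

On the sample log the lockout policy catches only the brute-forced account, while the sprayer's six targets each see a single failure and stay well under the threshold; the source-centric rule is what surfaces the spray, and correlating its later success identifies the account that actually fell. In production the same logic would be keyed on whatever source attribute survives the attacker's rotation (ASN, user agent, or the combination), since a spray spread across many addresses defeats a plain per-IP count.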
Sample Sentence
Alice was running a successful online shop with thousands of clients. The online shop used password-based single-factor authentication. Eve used a robot to web-scrape the public profiles of the online shop and build a database of plausible passwords. She then launched a Password Spraying Attack and quickly found a few hundred valid passwords. She then used Bob as a mule to steal money using the credit card information of the shop's customers.
Conceptual Diagram
Definition 2 Attack Instance
A Password Spraying Attack is an instance of an attack that uses the password spraying attack technique.