Password Spraying Attack

Alternative Forms

  • Low and Slow Attack

  • Spray-Password Attack

Definitions

Definition 1 Attack Technique

A Password Spraying Attack is a brute force attack technique targeting password-protected systems. Given a large user population, it is highly probable that some passwords are weak. Exploiting this weakness, the Password Spraying Attack consists of trying commonly used passwords, or plausible passwords built from combinations of publicly available information about the system's users (e.g. employees). A rotation scheme over a large set of identities is then used to try these passwords in turn.

Threat actors may use the Password Spraying Attack during the initial exploitation phase of an attack and/or later on for lateral movement.

The Password Spraying Attack must be distinguished from the Password Brute Force Attack, which targets a single identity. The latter is easily countered with account lockout mechanisms. Conversely, the Password Spraying Attack avoids account lockout mechanisms by making a very small number of authentication attempts per identity, but a large number of authentication attempts overall.

Some preferred targets are:

  • Systems using Single Sign-On (SSO) to gain access to multiple resources

  • Systems using federated authentication protocols, as this may ease detection avoidance

  • Email accounts

Some possible countermeasures are:

  • Alternatives to password authentication

  • Audits to reveal and address weak passwords

  • Intrusion Detection Systems (IDS)

  • Intrusion Prevention Systems (IPS)

  • Multi-Factor Authentication (MFA)

  • Multi-Step Verification (MSV)

  • Password complexity

MFA may be vulnerable to Password Spraying Attacks if it is weakly implemented and the second factor is successfully bypassed.
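The distinction drawn above, few attempts per identity but many identities overall versus many attempts against one identity, is exactly what an IDS rule for this technique keys on. The following is an added example, not part of the Open Measure page: it groups constructed failed-logon records by source address and labels each source as spraying, brute force or benign by the shape of its failures within a time window (the thresholds are assumptions to tune per environment).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (source IP, user, ISO timestamp); made-up
# values for this example, not real log data.
SAMPLE_FAILURES = [
    # 203.0.113.7: one try each against many identities (spraying shape)
    ("203.0.113.7", "alice", "2024-05-01T09:00:05"),
    ("203.0.113.7", "bob", "2024-05-01T09:00:41"),
    ("203.0.113.7", "carol", "2024-05-01T09:01:17"),
    ("203.0.113.7", "dave", "2024-05-01T09:01:53"),
    ("203.0.113.7", "erin", "2024-05-01T09:02:29"),
    ("203.0.113.7", "frank", "2024-05-01T09:03:05"),
    # 198.51.100.9: ten tries against one identity (brute-force shape)
    *[("198.51.100.9", "alice", f"2024-05-01T09:05:{s:02d}") for s in range(0, 50, 5)],
    # 192.0.2.33: one user mistyping twice (benign noise)
    ("192.0.2.33", "grace", "2024-05-01T09:10:00"),
    ("192.0.2.33", "grace", "2024-05-01T09:10:30"),
]

def classify_sources(failures, window=timedelta(hours=1), spray_min_users=5,
                     spray_max_per_user=2, brute_min_attempts=10):
    """Label each source IP by the shape of its failures inside any `window`.
    spraying: many distinct identities, at most a few attempts each
    brute force: many attempts against a single identity (lockout territory)
    Returns {source_ip: "password_spraying" | "brute_force" | "benign"}.
    """
    by_src = defaultdict(list)
    for src, user, ts in failures:
        by_src[src].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for src, rows in by_src.items():
        rows.sort()
        verdicts[src] = "benign"
        # Slide a window over this source's failures, oldest first.
        for i, (start, _) in enumerate(rows):
            per_user = defaultdict(int)
            for ts, user in rows[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            busiest = max(per_user.values())
            if busiest >= brute_min_attempts:
                verdicts[src] = "brute_force"
                break
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                verdicts[src] = "password_spraying"
                break
    return verdicts
```

Keying on the source address alone misses a spray distributed over many addresses; the usual complement is the same distinct-identity count aggregated per target system across all sources.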

Sample Sentence

Alice was running a successful online shop with thousands of clients. The online shop used password-based single-factor authentication. Eve used a bot to web-scrape the public profiles on the online shop and build a database of plausible passwords. She then launched a Password Spraying Attack and quickly found a few hundred valid passwords. She then used Bob as a mule to transfer the money she stole using the credit card information of the shop's customers.

Conceptual Diagram

Definition 2 Attack Instance

A Password Spraying Attack is an instance of an attack that uses the password spraying attack technique.

  • Credential Stuffing (Hyponym)

  • Heap Spraying

  • Password

Quotes

Bibliography

See Also

This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.