Password Spraying Attack

A Password Spraying Attack is a brute-force password attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password

• See: Account Password.

References

2019a

• https://www.apextechservices.com/topics/articles/442970-how-avoid-password-spraying-attacks.htm
  • QUOTE: ... Password spraying is a type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts. ...

2019b

• https://www.zdnet.com/article/financial-sector-has-been-seeing-more-credential-stuffing-than-ddos-attacks-in-recent-years/
  • QUOTE:
    • Brute-force attacks - attackers try common or weak username/passwords pairs (from a preset list) to brute-force their way into an account
    • Credential stuffing - attackers try username/password pairs leaked at other sites
    • Password spraying - attackers try the same password, but against different usernames

2018

• https://doubleoctopus.com/security-wiki/threats-and-tools/password-spraying/
  • QUOTE: Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked-out, as commonly used account-lockout policies allow for a limited number of failed attempts (typically three to five) during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single commonly used password (such as ‘Password1’ or ‘Summer2017’) against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.