Password attacks: spraying, brute force

2.2 Indicators of malicious activity

📘CompTIA Security+ SY0-701

Overview

Password attacks are attempts by attackers to gain unauthorized access to accounts or systems by guessing or cracking passwords. Because passwords are one of the most common forms of authentication, they are also one of the most targeted areas in cybersecurity.

Understanding how password attacks work helps security professionals detect, prevent, and respond to them effectively.

1. What is a Password Attack?

A password attack is any malicious attempt to obtain or guess a user’s password to gain access to a system, network, or account.
Attackers use different techniques to exploit weak passwords, poor password policies, or systems that do not enforce account lockouts.

2. Common Password Attack Types Covered in the Exam

The Security+ exam focuses on two major password attacks under this subtopic:

  • Password Spraying
  • Brute Force Attack

3. Password Spraying Attack

Definition:

A password spraying attack happens when an attacker tries one common password (like Password123 or Welcome1) against many different user accounts before moving to the next password.

How It Works:

  1. The attacker collects a list of valid usernames (through data leaks, phishing, or reconnaissance).
  2. Instead of guessing many passwords for one account, they guess one password across all accounts.
  3. After some time, they try a second password across all accounts.
  4. This slow method helps them avoid account lockouts that usually occur after multiple failed attempts on a single account.

Why It’s Dangerous:

  • Many organizations use weak or default passwords.
  • Account lockout policies usually detect multiple failed attempts on one account, not across multiple accounts.
  • It’s difficult to detect because the attacker uses low and slow techniques (spaced-out attempts).

Example in an IT Environment:

An attacker uses an automated tool to try “Spring2025!” on all employees’ email accounts. If even one employee is using that weak password, the attacker gains access to their mailbox or corporate systems.

Indicators of a Password Spraying Attack:

  • Multiple failed login attempts across many accounts.
  • Login attempts coming from the same IP address or location.
  • Attempts spread out over time to avoid triggering alerts.
  • Successful login from unusual locations or devices after a series of failed attempts.

Defense Against Password Spraying:

  • Enforce strong password policies (length, complexity, uniqueness).
  • Implement multi-factor authentication (MFA) — even if a password is guessed, access still requires a second verification step.
  • Configure account lockout thresholds and smart lockout rules (to detect abnormal failed attempts across users).
  • Use login monitoring and anomaly detection tools.
  • Use password filtering tools to prevent users from using common or weak passwords.

4. Brute Force Attack

Definition:

A brute force attack is when an attacker systematically tries every possible password combination until the correct one is found.

This method relies on computation power rather than cleverness — the attacker tries all combinations of characters (letters, numbers, symbols) until they match the real password.

Types of Brute Force Attacks:

  1. Online Brute Force:
    • The attacker directly tries passwords on a live system (like a login page).
    • Usually slower and riskier due to account lockouts or detection systems.
  2. Offline Brute Force:
    • The attacker already has access to hashed passwords (for example, from a stolen database).
    • They use specialized software to guess the password offline without triggering account lockouts.
    • This is faster and more powerful, depending on computing resources.
  3. Dictionary Attack (a variation):
    • Instead of trying all combinations, the attacker uses a list of common passwords (like qwerty, admin123, letmein).
    • Faster than full brute force and often successful against weak passwords.

How It Works:

  1. The attacker obtains the login interface or stolen password file.
  2. Automated tools (like Hydra, John the Ripper, or Hashcat) are used to try passwords.
  3. The attack continues until the correct password matches.

Why It’s Dangerous:

  • Modern computers can test millions of passwords per second.
  • Weak or short passwords are easily cracked.
  • Once the password is found, the attacker can impersonate the user or escalate privileges.

Example in an IT Environment:

An attacker steals a company’s user database containing password hashes. They use Hashcat to brute-force the hashes offline until they find the plaintext passwords. They then log in to internal systems or VPNs.

Indicators of a Brute Force Attack:

  • Multiple failed login attempts for the same account in a short period.
  • Repeated login attempts from one IP address.
  • Accounts being locked frequently due to login failures.
  • Large volumes of authentication attempts in logs.

Defense Against Brute Force Attacks:

  • Strong password policies (long and complex passwords).
  • Account lockout policies after a limited number of failed attempts.
  • Rate limiting – restrict the number of login attempts from one IP.
  • CAPTCHA – prevent automated login attempts.
  • Multi-factor authentication (MFA) – adds another security layer.
  • Salting and hashing passwords – even if attackers get the password file, it’s much harder to crack.
  • Use intrusion detection systems (IDS) to identify multiple login attempts.

5. Key Differences Between Spraying and Brute Force

FeaturePassword SprayingBrute Force Attack
FocusTries one password on many accountsTries many passwords on one account
SpeedSlow and deliberate (to avoid lockouts)Very fast (especially offline)
DetectionHarder to detectEasier to detect (many failures on one account)
PurposeTo find weak passwords across multiple usersTo crack one specific account or hash
DefenseMFA, strong password policy, account monitoringMFA, account lockout, rate limiting, hashing

6. Summary for Exam Success

For the Security+ exam, remember these key points:

  • Password spraying = One password, many users.
  • Brute force = Many passwords, one user.
  • Dictionary attack = Uses a list of common passwords.
  • Offline brute force = Uses stolen password hashes and does not trigger lockouts.
  • Defenses = MFA, password complexity, lockout policies, rate limiting, monitoring, hashing with salt.

You may also be asked to identify indicators of these attacks from log data or scenarios in the exam — focus on recognizing patterns of failed logins and authentication anomalies.

Final Exam Tip:

If you see a scenario describing many accounts being targeted with the same password, it’s password spraying.
If you see one account being targeted with thousands of password attempts, it’s brute force.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by