登录查看更多内容

The infamous Password Spraying Attack

David Doret

IT Risk & Cybersecurity: IAM & PAM Manager at BNP Paribas

发布日期: 2021年3月21日

I just published a new dictionary entry on the Open-Measure dictionary:

Some of you will remember when this brute-force technique broke the news in 2019, first with the Citrix data breach and then with a series of attacks on critical infrastructures. But these high-profile security incidents should not mislead other organizations into thinking it is not their concern: this technique is relatively cheap, easy to execute and commonplace.

The Password Spraying Attack is used by threat actors to compromise identities of IT systems relying on single-factor password authentication (or in combo after bypassing weakly implemented multi-factor authentication). One of its distinguishing characteristics from blunt password brute-force attack is that it avoids basic detection and prevention by account lockout mechanisms - you certainly remember the last time one of your account was locked out after 3 failed login attempts...

I let you enjoy the conceptual diagram that nicely synthetize the key features of this concept:

A diagram of the Password Spraying Attack concept

And invite those who wish to dig further into this topic to read the complete article on the Open-Measure wiki:

As always, don't hesitate to contribute with questions and comments, I will be most happy to refine or complement this research.

Sreekanth Arangathiruvanan

IAM - Information Security (CIAM, CIGE, CAMS & CIMP)

3 年

Nice article

Ivan Borcard

?????? ?????????????? ?????????????? Your trusted advisor ?? ???? ???? ?????????????? ??? ?????????? ??? ???? ??? ???????? Cyber Security Expert ?? High-Quality Support ?? Innovative Cybersecurity Solution

4 年

Thanks. A PAM solution might help ;-)

2 次回应

Philippe Emery

4 年

Top thanks for sharing

查看更多评论

要查看或添加评论，请登录

David Doret的更多文章

The Disturbing Silence of Access-Control Misconfigurations

2021年7月20日

The Disturbing Silence of Access-Control Misconfigurations

This story is a work of fiction and any resemblance with your organization is intentional. Bob's Story Bob is an IT…

4 条评论
Cybersecurity and the essence of IT systems: if you don't know what you are defending, you can't protect it

2021年5月20日

Cybersecurity and the essence of IT systems: if you don't know what you are defending, you can't protect it

For more than 12 years, the Center for Internet Security (and formerly the SANS Institute) publishes the widely…

2 条评论
The Necessity of Trust

2021年4月3日

The Necessity of Trust

In this post, I will try to build a small interdisciplinary bridge between cybersecurity and philosophy or social…

1 条评论
The Misery of Orphan Accounts

2021年3月30日

The Misery of Orphan Accounts

There’s much more to know about orphan accounts than may appear at first glance. Let’s consider the following…

7 条评论
Self-Sovereign Identity – There's more to it than Identities on a Blockchain

2021年3月14日

Self-Sovereign Identity – There's more to it than Identities on a Blockchain

A fascinating phenomenon emerged a few years ago in the Identity and Access Management (IAM) field: Self-Sovereign…

2 条评论
But what is a security domain?

2021年3月7日

But what is a security domain?

The term information security domain has many definitions. But one of these is a building block concept that underpins…

2 条评论
Zombie Accounts

2021年2月25日

Zombie Accounts

Writing the Zombie Account entry for the Open-Measure dictionary has been a nice opportunity to dive into the related…
Is your system tranquil?

2021年2月19日

Is your system tranquil?

The tranquility property is among those fundamental yet little known concepts in information security. How often do we…
Backward compatibility is the skeleton in the closet of cybersecurity

2019年2月16日

Backward compatibility is the skeleton in the closet of cybersecurity

Backward compatibility really is the skeleton in the closet of cybersecurity. This was once more demonstrated by the…
Guessing game: when was published the following text?

2019年1月2日

Guessing game: when was published the following text?

"One of the problems of dealing with computer equipment is the ever-increasing amount of equipment available and the…

See all articles

The infamous Password Spraying Attack

David Doret

IT Risk & Cybersecurity: IAM & PAM Manager at BNP Paribas

David Doret的更多文章

社区洞察

其他会员也浏览了

How to Select AND Remember Strong Passwords

Your Password has already been compromised!

FBI & CISA Warn: Your Cellphone Texts & Calls Are Insecure

Ferris Bueller's Day ... On The Importance of Multi-Factor Authentication (MFA)

Are users in your network using leaked credentials?

Can no password be more secure than a complex one?

CYBER SECURITY NEWS - Week of May 01, 2023

Worst passwords -protect yourself

Win32/StealthFalcon Does More than Just Steal Files

David Doret的更多文章

The Disturbing Silence of Access-Control Misconfigurations

Cybersecurity and the essence of IT systems: if you don't know what you are defending, you can't protect it

The Necessity of Trust

The Misery of Orphan Accounts

Self-Sovereign Identity – There's more to it than Identities on a Blockchain

But what is a security domain?

Zombie Accounts

Is your system tranquil?

Backward compatibility is the skeleton in the closet of cybersecurity

Guessing game: when was published the following text?

社区洞察

其他会员也浏览了

How to Select AND Remember Strong Passwords

Your Password has already been compromised!

FBI & CISA Warn: Your Cellphone Texts & Calls Are Insecure

Ferris Bueller's Day ... On The Importance of Multi-Factor Authentication (MFA)

Are users in your network using leaked credentials?

Can no password be more secure than a complex one?

CYBER SECURITY NEWS - Week of May 01, 2023

Worst passwords -protect yourself

Win32/StealthFalcon Does More than Just Steal Files