Spraying Passwords

Password Spray Attack.

Password Spraying is a type of brute force attack. An attacker attempts to brute force login based on list of usernames with default passwords on the application. The attacker will use one password (like Passw0rd! or SecurePass123) against many accounts on the application to avoid account lockouts that may occur when brute forcing a single accounts with many passwords. This type of attack becomes possible when an application or the administrator sets a default password for new users.

Mitigations

• Brute force prevention techniques should be applied to both the username and password fields.
• The application should force users to change their default passwords after the first login with the default password.
• Account lockout policies after a certain number of failed logins should be implemented.
• Implement CAPTCHA
• Use MFA (Multi Factor Authentication)