Password Attack Indicators
Signs of password-focused attacks including password spraying (one password across many accounts), brute force (many passwords against one account), dictionary attacks, and credential stuffing from breached databases.
Understanding Password Attack Indicators
Password attacks attempt to gain unauthorized access by guessing or cracking authentication credentials. Different attack techniques have distinct patterns that security monitoring can detect.
Key password attack types:
- Brute force: Try every possible combination
- Dictionary attack: Try common words and passwords
- Password spraying: One password across many accounts
- Credential stuffing: Use breached credentials on other sites
Each attack type has characteristic indicators that enable detection and response.
Why This Matters for the Exam
Password attacks are among the most common attack vectors and heavily tested on SY0-701. Questions often describe attack patterns and ask you to identify the attack type.
Understanding attack indicators helps configure detection rules, lockout policies, and authentication controls. Distinguishing between brute force and password spraying affects the appropriate response.
The exam tests precise terminology and the ability to identify attacks from their characteristics.
Deep Dive
Brute Force Attacks
Systematically trying every possible password combination against a target account.
Brute Force Characteristics:
- High volume of attempts against a single account
- Sequential or pattern-based password attempts
- Often triggers account lockout
- Time-intensive for strong passwords
Brute Force Indicators:
| Indicator | Description |
|---|---|
| Many failures, one account | Repeated failures for same username |
| Sequential patterns | Password attempts follow logical sequence |
| Account lockouts | Lockout threshold triggered |
| Single source IP | Attacks from one location |
| Rapid attempts | High-speed automated guessing |
Log Pattern:
```
User: jsmith - Failed login - password1
User: jsmith - Failed login - password2
User: jsmith - Failed login - password3
[Account locked after 5 failures]
```
Brute Force Defenses:
- Account lockout policies
- Progressive delays after failures
- CAPTCHA after failures
- MFA requirement
Dictionary Attacks
Using lists of common passwords and words to guess credentials.
Dictionary Attack Characteristics:
- Uses precompiled password lists
- Includes common passwords (123456, password)
- May include variations (Password1, p@ssw0rd)
- Faster than pure brute force
Dictionary vs. Brute Force:
- Dictionary: Tries known/likely passwords first
- Brute Force: Tries ALL possible combinations
- Dictionary is a subset of the brute force approach
Dictionary Attack Indicators:
- Failed passwords match common password lists
- Passwords show typical variations (leetspeak, suffixes)
- Pattern suggesting wordlist usage
- Sequential failed attempts with recognizable passwords
Common Password Lists Used:
- RockYou dataset (14 million passwords)
- SecLists collections
- Industry-specific wordlists
- Previous breach data
Password Spraying
Trying one password (or few) across many accounts to avoid lockout.
Password Spraying Characteristics:
- Low and slow approach
- Same password tried on many accounts
- Stays below lockout threshold
- Targets common passwords organization-wide
Why Spraying Works:
- Avoids triggering lockout per account
- Someone usually has a weak password
- Less likely to trigger alerts
- Patient approach evades detection
Password Spraying Indicators:
| Indicator | Description |
|---|---|
| Many accounts, few failures each | Same password across usernames |
| Same password pattern | Recognizable common passwords |
| Timing pattern | Slow, methodical attempts |
| Multiple source IPs | Distributed to avoid detection |
| Failed across organization | Hits many departments |
Spraying Log Pattern:
```
User: jsmith - Failed login - Summer2024!
User: bjones - Failed login - Summer2024!
User: mwilson - Failed login - Summer2024!
User: rgarcia - Failed login - Summer2024!
[Same password, different accounts]
```
Password Spraying Defenses:
- Monitor for spray patterns
- Use non-obvious usernames
- MFA for all accounts
- Password blacklists
- Cloud-based authentication analytics
Credential Stuffing
Using username/password pairs from breached databases on other services.
Credential Stuffing Characteristics:
- Uses actual breached credentials
- Relies on password reuse
- High success rate vs. random guessing
- Targets multiple services
Why Credential Stuffing Works:
- People reuse passwords across services
- Breached credentials widely available
- Valid username/password combinations
- Automated tools make it easy
Credential Stuffing Indicators:
| Indicator | Description |
|---|---|
| Unusual success rate | Higher success than random |
| Known breached emails | Usernames from public breaches |
| Geographically impossible | Logins from unusual locations |
| Automated patterns | Timing suggests automation |
| Multiple services targeted | Same creds across platforms |
Credential Stuffing Log Pattern:
```
User: user@gmail.com - Successful login - Location: Ukraine
User: user@gmail.com - Changed password attempt
User: user@gmail.com - Account recovery initiated
[Account takeover sequence]
```
Credential Stuffing Defenses:
- Check passwords against breach databases
- Monitor for unusual login locations
- Implement MFA
- Use CAPTCHA
- Block known malicious IPs
Online vs. Offline Attacks
| Type | Where | Detection |
|---|---|---|
| Online | Against live system | Logs show attempts |
| Offline | Against stolen hashes | No system indicators |
Offline Attack Indicators:
- Hash database stolen (detected separately)
- Successful login after long dormancy
- No failed attempts before success
- Evidence of previous system compromise
How CompTIA Tests This
Example Analysis
Scenario: Security logs show the following pattern over 30 minutes:
```
08:00 - user1@corp.com - Failed - "CompanyName2024!"
08:01 - user2@corp.com - Failed - "CompanyName2024!"
08:02 - user3@corp.com - Failed - "CompanyName2024!"
...
08:30 - user500@corp.com - Failed - "CompanyName2024!"
```
No accounts were locked out.
Analysis - Password Spraying Attack:
Indicators Present:
- Same password across many accounts
- One attempt per account (below lockout)
- Organization-relevant password (CompanyName)
- Slow, methodical timing
- No lockouts triggered

Why It's Spraying (Not Brute Force):
- Brute force = many passwords on ONE account
- Spraying = ONE password on MANY accounts
- Pattern avoids lockout by spreading attempts

Attack Strategy:
1. Attacker obtained user list (LinkedIn, email harvest)
2. Chose organizationally likely password
3. Tried same password on all accounts
4. Stayed below lockout threshold (likely 5 attempts)
5. May try another password after completing list

Response:
1. Block source IP(s)
2. Force password reset if "CompanyName2024!" exists
3. Review for successful authentications
4. Implement spray detection rules
5. Consider MFA enforcement
6. Ban predictable password patterns
Key insight: Password spraying evades per-account lockout by spreading attempts. Detection requires correlating failures across the entire user population.
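The cross-account correlation named in the key insight, as an added example that is not part of the original guide: it counts failures per account and across all accounts in one window, then lists sprayed accounts that later logged in successfully (response step 3). The thresholds, window, event tuple layout and sample events are assumptions constructed for illustration, and the detector uses only timestamp, username and outcome.

```python
from collections import Counter
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5           # assumed per-account lockout policy
SPRAY_MIN_ACCOUNTS = 10         # assumed alert threshold: distinct accounts failing
WINDOW = timedelta(minutes=30)  # assumed correlation window

def classify(events, now):
    """events: (timestamp, username, succeeded) tuples from an auth log."""
    recent = [e for e in events if timedelta(0) <= now - e[0] <= WINDOW]
    fails = Counter(user for _, user, ok in recent if not ok)
    first_fail = {}
    for ts, user, ok in sorted(recent):
        if not ok:
            first_fail.setdefault(user, ts)
    # Brute force: one account absorbs enough failures to hit lockout.
    brute = sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)
    # Spraying: many accounts, each with too few failures to lock.
    low = {u for u, n in fails.items() if n < LOCKOUT_THRESHOLD}
    spray = len(low) >= SPRAY_MIN_ACCOUNTS
    # Response step 3: sprayed accounts that later logged in successfully.
    review = sorted({u for ts, u, ok in recent
                     if ok and spray and u in low and ts > first_fail[u]})
    return {"brute_force": brute, "spray": spray,
            "sprayed_accounts": len(low) if spray else 0, "review": review}

def sample_events():
    """Constructed sample data, not taken from a real log."""
    t0 = datetime(2024, 1, 1, 8, 0)
    ev = [(t0 + timedelta(minutes=i), f"user{i + 1}", False) for i in range(25)]
    ev += [(t0 + timedelta(minutes=10, seconds=s), "jsmith", False) for s in range(5)]
    ev.append((t0 + timedelta(minutes=26), "user7", True))
    return ev, t0 + timedelta(minutes=30)

if __name__ == "__main__":
    events, now = sample_events()
    print(classify(events, now))
```

A per-account rule alone would flag only jsmith here; the spray is visible only in the count of distinct failing accounts.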
Memory Trick
"BDSC" - Password Attack Types
- Brute force (all combinations, one account)
- Dictionary (wordlist passwords)
- Spraying (one password, many accounts)
- Credential stuffing (breached creds reused)
Brute vs. Spray Memory:
Brute = Bomb one target (Many attempts → ONE account → Lockout)
Spray = Spread wide (ONE password → Many accounts → No lockout)
Detection Patterns:
Brute Force Log: jsmith: fail, fail, fail, fail, fail → LOCKED
Password Spray Log: jsmith: fail (Summer2024), bjones: fail (Summer2024), mwilson: fail (Summer2024) → Same password, different users
Credential Stuffing Source: "Stuffing" with credentials from a breach, like stuffing a pillow with stolen feathers
Test Your Knowledge
Q1. Security logs show the password "Welcome2024!" failed against 200 different user accounts within one hour, with no account lockouts. What type of attack is this?
Q2. An attacker uses username/password combinations from a publicly available breach database to attempt logins on an organization's VPN. This is an example of:
Q3. What is the PRIMARY indicator that distinguishes brute force from password spraying?
Practice questions on password attack indicators and other Objective 2.4 concepts.