CAPEC-565

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: High
Password Spraying

Description

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

Prerequisites

The system/application uses one factor password based authentication.

The system/application does not have a sound password policy that is being enforced.

The system/application does not implement an effective password throttling mechanism.

The adversary possesses a list of known user accounts on the target system/application.

Mitigations

Create a strong password policy and ensure that your system enforces this policy.

Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.

Skills Required

[Low] A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available.