Password Spray Attack vs Brute Force Attack

[Jating]

Password Spray Attack - it can be defined as one method being used by cyber criminals to gain access on some organisations or individuals using a commonly used known passwords such as "password', 1234, or 'qwerty'. So the first thing they do is harvest emails and then 'spray' using the those weak passwords, hence password spray attack.



Brute Force Attack - is the exact opposite, the hackers are guessing our password, and works on every possible combinations in the hope that they will get it correctly. This is much more difficult though and might take some time for criminals.

Usually the initial step is through spear phishing, and then if they have harvested emails, then they can do any of the attacks above. And then once they hijack your machines, they can do anything they want, like installing malware or stealing our crypto credentials directly.

How do we protect ourselves from such attacks?

Of course we should used strong passwords and don't use anything that can be guessed easily, like your birthdate, initials of your name. And when possible used a longer password at least 10 characters with combinations of symbols and numbers.

And this thread can help you out: [GUIDE] How to Create a Strong/Secure Password.


References: https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/
https://www.moqdigital.com/insights/password-spray-attacks
https://www.kaspersky.com/resource-center/definitions/brute-force-attack

[1714880908]

1714880908

[1714880908]

1714880908

[1714880908]

1714880908

[1714880908]

1714880908

[1714880908]

1714880908

[yazher]

I haven't heard about Password Spray Attack, maybe because they are not used often in this field. Can you please give us more enlightenment about this thing? for the brute force attack, I often heard it, and sometimes they are successful to hack some weak passwords accounts. As you can see, until now there still some users who don't use complex passwords for their accounts and used only single password for their multiple social medias accounts. In that case, they are often victim to brute force attacks especially when they used easy passwords to guess.

[OcTradism]

Thank you and welcome you and your thread to Good topics on security and privacy

[Becky666]

Password spray attack are on a rise because of thousands compromised services on internet, backed in 2019 there were over 7,808,519,176 credentials linked  and exposed which has given to the rise in spray attack and brute force attack among hackers. When confidential credentials compromised are all available on the internet, then don't expect this not to happen. Those that will be free from this plaque are those who will always choose a better password for different online websites, don't repeat passwords for any reason because they gat your credentials. The easiest attack.

[hugeblack]

How do these attacks affect crypto users? Even if the hacker knows the password, he still has to guess 2FA, which is relatively difficult.
Many of these attacks target social media platforms.
Brute force can be used to obtain the private key if you cannot find it but it all depends on your ability to keep your devices safe from viruses.

Password Spray Attack Less effective than Butre force.

[Shimmiry]

~

AFAIK this kind of threads that aren't sort of a guide and just plain information with anything that regards to any topic are often moved and best placed in Off-topic section.. I've also tried to post some Ethical Hacking informative thread^[1] back then  here in the Beginners and Help board but it was moved in the off topic as well.

[1] - https://bitcointalk.org/index.php?topic=5250120.msg54474039#msg54474039


With regards to the OP, password spray attack aren't often use as many servers and authenticating systems prefer only one request per IP/per second. Hence, simultaneous request often lead to either blocking your IP or just getting the first sprayed password. But still, it isn't often used due to its less possibility to hack accounts, and also there are no people that prefer multiple simultaneous account hacking as it would leave more traces back to  your IP.

[Smartvirus]

The password spray is quite new to me but logical enough as it helps the hackers to perform multiple guess of a single input at once and it saves them valuable time.
It's also not strange that most persons aren't comfortable with using complex password as they are scared of missing them at some point but it's also of note the damages that can be done if one hacker or scammer gets hold of our mails. As security systems can be much lose and broken off through our mails.
A lot of users use same password for varying accounts across various platforms. This also is a mistake as some platforms can be phishing oriented and with that, your not limited to phishing attacks.
Also, most users in the process of registration for some recruitment services make the mistake of logging their mails onto the personnels PC or input device to verify details and fails to log off. This is a rather very harmful attitude as you never can tell for which purpose it could be used in the later future.
Brute Force Attack uses social media as it's information domain as most users inputs their correct name and birth details as to align in case of KYC and maybe for the anniversary/wishes. It is advantageous as much at it is dangerous so, it's always best to have your password out of context from these circle.
Your mail could be a door way. Keep it safe.

[skarais]

Regardless of the type of attack used by hackers, I think it has a dangerous level for every user. It is possible that this spray attack is not effective enough to hack crypto, but it is possible that this attack could affect the security of forum accounts.
I believe many users create forum accounts using weak and easy passwords. This can increase the security risk of unsecured accounts such as 2FA / authenticator. What most forum users do to make their account safe and strong is create strong and strong password and sign bitcoin messages.

There is nothing wrong with worrying about something if it can make us safer. If our forum account, crypto assets and other valuable asset can be accessed via the internet, then security is of utmost importance.

[Capanatlax]

Yes have to multiple way for safe or protected any account.

1. Strong Password:
Number of time people preferring that Strong Password not be make easy password, Strong Password mean name, number, and numeric combination (Example now: Sro%ng97&58@#$%) Strong Password not be saved online store you can write multiple paper for safety purpose.

2. Google Authentication/2FA:
Google Authentication/2FA an other way to safe hacking attack authentication/2FA working for safe the account place (but required remember private/backup KEY).

3. Different type of password different place:
Different type of password using on different place so normally your one account hacked but others account safe make different account & different password.

4. Don't be installed virus,crack,unwanted app:
If you used installed virus,crack,unwanted app so that possible to attract on your devise carefully avoid  installed virus,crack,unwanted app basically paid app download free version third party website be careful.

In general, everyone says the above there may be many more ways to keep the account safe, You just have to be more discriminating with the help you render toward other people.

[hatshepsut93]

How do these attacks affect crypto users? Even if the hacker knows the password, he still has to guess 2FA, which is relatively difficult.
Many of these attacks target social media platforms.
Brute force can be used to obtain the private key if you cannot find it but it all depends on your ability to keep your devices safe from viruses.

Password Spray Attack Less effective than Butre force.

Not everyone has 2FA, and SMS 2FA can easily be bypassed. 2FA shouldn't make you think that you're now immune to hacks, all other security best practices still apply.

You actually can't bruteforce a private key, if the key was generated randomly. The only time when this happens if when users try to create a private key themselves, a so-called brainwallet - because humans are poor source of entropy, they can be cracked rather effectively.

[OcTradism]

Not everyone has 2FA, and SMS 2FA can easily be bypassed.

[BEWARE] Sim Port Attack. It is not only about SIM swap attacks but also about troubles when people can not receive SMS code when they need code for 2FA to log in accounts. Sometimes, SMS code is blocked by telecommunication companies or under new law enforcement from governments.

[Jating]

Just want to bump my thread, Microsoft upgrades password spray attack detection capabilities.

Microsoft has improved password spray detection in Azure Active Directory (Azure AD) by doubling the number of compromised accounts it detects using a new machine learning (ML) system.

"This new machine learning detection yields a 100 percent increase in recall, meaning it detects twice the number of compromised accounts of the previous algorithm," said Alex Weinert, Director of Identity Security at Microsoft.

[Jating]

Here is one example how this kind of attack can be used against us, Citrix's $2.3 million settlement offer for employees impacted by data breach approved.

he company said that the threat actors had "intermittent access" to corporate resources and that that password spraying was the likely method in which access to Citrix systems was obtained.

Password spraying takes advantage of weak credentials and is a common method to compromise both corporate and personal accounts.

And now they have to pay their employees $2.3 million for possible data theft because the hackers  remain undetected for five months in their system.