Password Attack Indicators (Domain 2)

In this episode, we are focusing on indicators of password-based attacks, specifically password spraying and brute force attempts. These attacks are among the oldest and most common tactics used by threat actors because so many systems still rely heavily on password authentication. The good news is that with proper monitoring and layered defenses, these attacks can be quickly detected and stopped.
Let’s begin with password spraying. This technique is different from traditional brute force in a very important way. In a brute force attack, the attacker targets one account and tries many passwords. But in a password spraying attack, the attacker flips that method—trying one or two common passwords across many accounts. This makes the attack harder to detect and less likely to trigger account lockouts.
Typical targets for password spraying include corporate logins, email portals, and remote access systems. Attackers often use passwords like “Welcome one two three,” “Password exclamation point,” or season-based passwords like “Summer two zero two four.” These are common choices that users often adopt—and attackers know this.
Indicators of password spraying include multiple account lockouts across the organization, especially around the same time. You might also see login attempts from a single IP address targeting many different usernames. Failed authentication attempts spread across dozens or hundreds of accounts—rather than repeated failures on a single one—are another red flag.
To detect password spraying, organizations should monitor authentication logs closely. Logs from directory services, cloud identity providers, and remote access systems should be reviewed for failed logins, especially when those failures follow a common pattern. Security information and event management systems can help by correlating these attempts and alerting administrators when spraying behavior is detected.
To defend against password spraying, use multi-factor authentication wherever possible. This breaks the attack even if the password is guessed. Implement account lockout thresholds or temporary login delays after repeated failures. Monitor for and block known malicious IP addresses, and ensure users are not allowed to choose passwords from commonly used lists.
Now let’s turn to brute force attacks. In this method, the attacker selects a single account and systematically tries many possible passwords until one works. This may involve guessing based on personal information or using automated tools that run through large password dictionaries at high speed.
Brute force attacks can be very noisy. You’ll often see a high volume of failed login attempts against a specific account, sometimes at machine speed. If the system has lockout policies in place, the account may lock repeatedly. If there are no lockout protections, the attacker may eventually succeed and gain access.
Indicators of brute force attacks include excessive failed logins on a single account, repeated login attempts from a single IP address, or multiple lockouts followed by successful access. You might also detect rapid-fire login attempts that don’t match human typing speed.
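The two log patterns described above (one source failing against many usernames for spraying; many rapid failures against one account, possibly followed by a success, for brute force) can be turned into simple correlation rules. The following is an added example, not code from the episode or any vendor product; it runs over a constructed, syslog-like sample log (the timestamp/FAILED/SUCCESS/user/src format, the usernames and the IP addresses are all made up), and the window and threshold values are illustrative assumptions rather than recommended settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Line format assumed for this example: <ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-06-01T09:00:00 FAILED user=alice src=203.0.113.7
2024-06-01T09:00:01 FAILED user=bob src=203.0.113.7
2024-06-01T09:00:02 FAILED user=carol src=203.0.113.7
2024-06-01T09:00:03 FAILED user=dave src=203.0.113.7
2024-06-01T09:00:04 FAILED user=erin src=203.0.113.7
2024-06-01T09:00:05 FAILED user=frank src=203.0.113.7
2024-06-01T09:05:00 FAILED user=svc_backup src=198.51.100.9
2024-06-01T09:05:00 FAILED user=svc_backup src=198.51.100.9
2024-06-01T09:05:01 FAILED user=svc_backup src=198.51.100.9
2024-06-01T09:05:01 FAILED user=svc_backup src=198.51.100.9
2024-06-01T09:05:02 FAILED user=svc_backup src=198.51.100.9
2024-06-01T09:05:02 FAILED user=svc_backup src=198.51.100.9
2024-06-01T09:05:03 FAILED user=svc_backup src=198.51.100.9
2024-06-01T09:05:03 FAILED user=svc_backup src=198.51.100.9
2024-06-01T09:05:04 SUCCESS user=svc_backup src=198.51.100.9
2024-06-01T09:30:00 FAILED user=alice src=192.0.2.44
2024-06-01T09:30:20 SUCCESS user=alice src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Password spraying indicator: one source IP, failures against many DISTINCT
    usernames inside `window`. Returns {src: max distinct users seen in any window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_src[e["src"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        best = 0
        for i, first in enumerate(fails):  # slide the window over each start point
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            best = max(best, len(users))
        if best >= min_users:
            hits[src] = best
    return hits


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5, human_gap=1.0):
    """Brute force indicator: many failures against ONE account inside `window`.
    Also reports whether pacing is faster than a human could type (average gap
    below `human_gap` seconds) and whether a SUCCESS followed the burst, which
    turns a noisy event into a likely compromise."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        fails = [e for e in evs if e["result"] == "FAILED"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < min_failures:
                continue
            span = (burst[-1]["ts"] - burst[0]["ts"]).total_seconds()
            avg_gap = span / (len(burst) - 1)
            last = burst[-1]["ts"]
            success_after = any(
                e["result"] == "SUCCESS" and last <= e["ts"] <= last + window for e in evs
            )
            hits[user] = {
                "failures": len(burst),
                "sources": sorted({f["src"] for f in burst}),
                "machine_speed": avg_gap < human_gap,
                "success_after_burst": success_after,
            }
            break  # first qualifying burst is enough to raise the alert
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spraying(evs))
    print("brute-forced accounts:", detect_brute_force(evs))
```

Running it flags `203.0.113.7` as a spraying source (six usernames in a few seconds, one failure each, so no single account locks out) and `svc_backup` as a brute-force target (eight failures in three seconds, then a success from the same address). Alice's single typo followed by a successful login from a different address is not flagged by either rule, which is the false-positive case any such alert has to tolerate.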
To defend against brute force attacks, start by enforcing strong password policies. Passwords should be complex, long, and unique across systems. Limit the number of failed login attempts allowed before locking or delaying access. Rate limiting is especially effective—it slows down login requests after a threshold is reached, making brute force attacks impractical.
Enable logging for all authentication events and regularly review these logs for anomalies. Systems should alert administrators when an account experiences an unusual number of failed attempts. And of course, multi-factor authentication significantly raises the bar. Even if the attacker finds the right password, they still need access to the second factor, which is typically a mobile app, hardware token, or biometric verification.
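The defensive controls mentioned in both sections, a common-password blocklist, a failed-attempt threshold with temporary lockout, and a login delay that grows after each failure, are easy to reason about when written out. The following is an added example, not code from the episode; the `LoginGuard` class, the `simulate_guessing` helper and the tiny `COMMON_PASSWORDS` set are constructed for illustration, and the threshold, window and lockout values are assumptions rather than a recommended policy. The simulation shows why rate limiting makes guessing impractical: the guard never sees a real password, it only paces attempts.

```python
from datetime import datetime, timedelta

# Constructed stand-in for a "commonly used passwords" list (real deployments
# would load a large published list); compared case-insensitively.
COMMON_PASSWORDS = {"welcome123", "password!", "summer2024", "password", "123456"}


def password_is_acceptable(pw, min_length=12):
    """Policy check at password-change time: long enough and not on the blocklist."""
    return len(pw) >= min_length and pw.lower() not in COMMON_PASSWORDS


class LoginGuard:
    """Per-account failure tracking: a lockout after `threshold` failures inside
    `window`, plus a delay that doubles with each recent failure (rate limiting)."""

    def __init__(self, threshold=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=15), base_delay=1.0):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.base_delay = base_delay
        self.failures = {}      # user -> list of recent failure timestamps
        self.locked_until = {}  # user -> datetime the lockout expires

    def check(self, user, now):
        """Return (allowed, seconds_to_wait) before an attempt may be processed."""
        until = self.locked_until.get(user)
        if until and now < until:
            return False, (until - now).total_seconds()
        recent = [t for t in self.failures.get(user, []) if now - t <= self.window]
        self.failures[user] = recent  # drop failures that aged out of the window
        delay = 0.0 if not recent else self.base_delay * 2 ** (len(recent) - 1)
        return True, delay

    def record_failure(self, user, now):
        """Record a failed attempt; returns True if this one triggered a lockout."""
        self.failures.setdefault(user, []).append(now)
        recent = [t for t in self.failures[user] if now - t <= self.window]
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        """A good login clears the counters (MFA would still be required separately)."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def simulate_guessing(guard, user, guesses, start):
    """Push `guesses` wrong passwords through the guard, honouring every delay and
    lockout it imposes; returns the simulated wall-clock seconds that took."""
    now = start
    for _ in range(guesses):
        allowed, wait = guard.check(user, now)
        while not allowed:              # locked out: wait for the lockout to expire
            now += timedelta(seconds=wait)
            allowed, wait = guard.check(user, now)
        now += timedelta(seconds=wait)  # progressive delay before the attempt
        guard.record_failure(user, now)
    return (now - start).total_seconds()


if __name__ == "__main__":
    for pw in ("Welcome123", "Tr0ub4dor!", "correct horse battery staple"):
        print(f"{pw!r} acceptable: {password_is_acceptable(pw)}")
    t0 = datetime(2024, 6, 1, 9, 0, 0)
    secs = simulate_guessing(LoginGuard(), "svc_backup", 1000, t0)
    print(f"1000 guesses under lockout + progressive delay: {secs / 3600:.1f} hours")
```

With the defaults, five wrong guesses cost 0+1+2+4+8 = 15 seconds of delay and then a 15-minute lockout, so a thousand guesses against one account stretch over days instead of seconds. The delay growth and the lockout are independent knobs: a short lockout with a steep delay curve slows automated tools without locking legitimate users out for long, which also blunts the "lock everyone out" side effect that spraying can cause when thresholds are set very low.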
As you prepare for the Security Plus exam, know how to differentiate between password spraying and brute force attacks. Password spraying targets many accounts with a few passwords. Brute force targets one account with many passwords. Both attacks leave distinct patterns in authentication logs and can be stopped with smart configuration and layered defenses. You may be asked to identify these attacks based on log descriptions or to recommend ways to reduce exposure through policy and technology.
