Preferences

From a non cybersec background, I'm surprised that attackers even bother trying these attacks where each account only gets 2 attempts. To me, the probability of getting a hit feels incredibly, unworkably low, unless there are lots of common passwords being used.

I guess it's like most/all attacks under this category - the high potential payoff on success and near-zero cost to execute keep the EV positive.


InitialBP
I'm a former red teamer. Credential spraying attacks are incredibly successful on a business that has at least a few hundred employees. Many employees not only aren't aware of why cybersecurity is important, but often go out of their way to avoid learning or implementing security best practices because they see it as an annoyance and a hindrance.

One of our most standard and most successful playbooks to find a foothold:

1. Pull employee names from LinkedIn

2. Find an example email for format (first.last@company.com)

3. Set up password spraying for a password like: Spring2025!

4. Leverage a tool like https://github.com/ustayready/CredKing to avoid IP blocking.

5. Get credentials and go from there...

arcbyte
It seems like all the corporations that still ignore NIST best practices and require password changes every 60 days make this kind of attack much more likely to succeed.
GoblinSlayer
I personally don't find password counting detrimental. What's detrimental is an SSO system that conflates the local access password with the remote access password and then often asks for this password. Or has some kind of a dumb rule like "lock the machine after 10 minutes of inactivity and ask for the remote password to be typed right on the keyboard".
Spivak
Yep! The quickest way to get your users to use incredibly weak passwords is to make it so they must physically type them all the time. I can have a 32-character password that is unmemorizable, untypable by mortals, and would be a challenge to decipher even from a revealed screenshot, for services exposed to the internet. But I need something I can memorize, type with just alphanumerics, and enter quickly for my lock screen.
ptsneves
I haven't been in a single company that does not force the rotation of passwords. I worked in 4 different F500 companies.
mjevans
At the company I _used_ to work at, I implemented exactly that policy and only required rotation after a password reset (like initial account assignment), and, should it have ever happened, after any sign of account or credential breach.

I was so happy when NIST finally recognized that people aren't machines and can't perfectly remember a new strong password with high frequency.

robertlagrant
Yes, that is nice. Sadly some people will say things like "HIPAA compliance requires password rotation", which is I'm pretty sure wrong, but it happens. Still, we're pushing the above NIST line as we're really keen on improving actual security, and it's nice that it has the force of NIST behind it now.
The company my wife uses for annual PCI-DSS recertification (a computer security / CC handling certification) requires that the password be changed every year. So that's once per login.
mr_mitm
I agree that this recommendation is in general counterproductive, but the correct solution here is for the corporation to require 2FA for all logins on the internet. There will always be users who choose bad passwords.
If that's really the case it seems less bad to have the company provide unchangeable passwords... (if they're unable to switch to safer solutions)
SAI_Peregrinus
Usually they're trying username/password combinations that they got from some other breach. They figure people often re-use passwords, so using the same username & password on multiple sites to try to log in often works. That's what a "password spraying" attack is. Even if a breach forces people to change a password they've used on one site they'll often not change it on other sites, so this still tends to work.
jsnell
What you're describing is typically called credential stuffing.

Password spraying is a distinct form of brute-forcing, where there is no link between the password and the user, and the yield is coming from the password being common.

SAI_Peregrinus
Right, I swapped them in my head. Thanks for the correction!
Think about it this way: you are going to do N amount of work (password trials) either each against a different account, or all against the same account. Which is more likely to result in a break?

If you try against the same account, for each trial you gain a (very small) piece of information (that the account does not use that password) which you can use in later trials, which seems like an advantage over trials against different accounts, where you don't gain this information.

But we also know that there are a significant number of accounts using weak passwords. If you keep trying against the same account, you will try the weak (high probability) passwords first, but if they don't break the account then you will run out of those and have to try low probability ones. But if you try against different accounts, you can keep retesting the high probability passwords. So trying against a different account each time is almost certainly more efficient - as long as you don't care about which account you break.
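The comparison above (N guesses against one account versus the same N guesses spread across many accounts) can be put into numbers. The following is an added worked example, not part of the thread; the password base rates it uses are constructed for illustration, and the model assumes a per-account lockout after `attempts_per_account` failures, which is what forces the "2 attempts on each of 500 accounts" shape.

```python
"""Risk model: concentrated guessing vs. spraying under a per-account lockout.

Constructed base rates (NOT real measurements): the fraction of accounts in a
population that use each password on a weak-password list, most common first.
The long tail models the many rarely chosen weak passwords.
"""

WEAK_PASSWORD_BASE_RATES = [0.01, 0.005, 0.003] + [0.0005] * 200


def p_single_account(base_rates, budget):
    """Probability of breaking one specific account with `budget` guesses.

    Each failed guess rules a password out, so the best order is most common
    first, and the probability is simply the mass of the top `budget` passwords.
    """
    probs = sorted(base_rates, reverse=True)[:budget]
    return min(1.0, sum(probs))


def p_spray(base_rates, budget, attempts_per_account):
    """Probability of at least one break when `budget` guesses are spread over
    budget // attempts_per_account accounts, each receiving only the top
    `attempts_per_account` passwords (staying under the lockout threshold).
    """
    probs = sorted(base_rates, reverse=True)[:attempts_per_account]
    per_account = min(1.0, sum(probs))
    accounts = budget // attempts_per_account
    return 1.0 - (1.0 - per_account) ** accounts


def expected_breaks_spray(base_rates, budget, attempts_per_account):
    """Expected number of compromised accounts for the spraying strategy."""
    probs = sorted(base_rates, reverse=True)[:attempts_per_account]
    per_account = min(1.0, sum(probs))
    return (budget // attempts_per_account) * per_account


if __name__ == "__main__":
    budget, lockout = 1000, 2
    print("P(break a chosen account, 1000 guesses):",
          p_single_account(WEAK_PASSWORD_BASE_RATES, budget))
    print("P(break at least one account, 2 guesses x 500 accounts):",
          p_spray(WEAK_PASSWORD_BASE_RATES, budget, lockout))
    print("Expected accounts compromised by spraying:",
          expected_breaks_spray(WEAK_PASSWORD_BASE_RATES, budget, lockout))
```

With these constructed rates the concentrated strategy breaks a chosen account about 12% of the time, while the same 1000 guesses spread two-per-account across 500 accounts almost certainly yield a break and compromise about 7.5 accounts on average. That is the thread's point in numbers: lockout thresholds cap the per-account risk but do nothing about population-level weak-password base rates, which is why the later comment about 2FA is the structural fix.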

SideburnsOfDoom
> trials against different accounts, where you don't gain this information (that the account does not use that password)

I would think that you do gain this info, the question is whether you record it for later use, which seems possible. But the extra effort to do that is a downside.

The upside is of course that 1000 failed login attempts on 1 account is more likely to trigger alarms than 2 attempts on each of 500 accounts.
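The alarm asymmetry described above is exactly what a detection rule has to correct for: a per-account failure counter catches the 1000-attempts-on-1-account case but is blind to 2-attempts-on-500-accounts. The following is an added example, not from the thread or any product; it parses a constructed failed-login log format (hypothetical, adapt the regex to your IdP export) and raises a spray alert on "many distinct accounts, each with few failures" in a time window, counted across all source addresses rather than per source, since the thread notes that IP rotation is used precisely to defeat per-source blocking.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical log line shape, constructed for this example:
#   2025-03-01T09:00:00Z auth-fail user=user00 src=203.0.113.5
LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(lines):
    """Return (timestamp, account, source) tuples for every failed-login line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-login record; ignore
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=30), min_accounts=20,
           max_per_account=3, brute_threshold=10):
    """Flag two failure shapes per fixed time window.

    password_spray: at least `min_accounts` distinct accounts each failed
                    <= `max_per_account` times (wide and shallow).
    brute_force:    one account failed >= `brute_threshold` times (narrow and deep).
    Grouping is by window only, not by source, so rotating IPs does not split the count.
    """
    secs = window.total_seconds()
    buckets = defaultdict(list)
    for ts, user, src in events:
        buckets[int(ts.timestamp() // secs)].append((ts, user, src))

    alerts = []
    for key in sorted(buckets):
        evs = buckets[key]
        start = datetime.fromtimestamp(key * secs, tz=timezone.utc).isoformat()
        per_user = Counter(user for _, user, _ in evs)
        shallow = [u for u, n in per_user.items() if n <= max_per_account]
        if len(shallow) >= min_accounts:
            alerts.append({"type": "password_spray", "window_start": start,
                           "accounts": len(shallow),
                           "sources": len({src for _, _, src in evs})})
        for user, n in per_user.items():
            if n >= brute_threshold:
                alerts.append({"type": "brute_force", "window_start": start,
                               "account": user, "attempts": n})
    return alerts


def build_sample_lines():
    """Constructed sample: a spray across 25 accounts, one hammered account, and noise.

    Source addresses are RFC 5737 documentation ranges, not real hosts.
    """
    base = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    sources = ["203.0.113.5", "198.51.100.17", "203.0.113.9"]
    lines = []
    # 25 accounts x 2 failures, rotated across three sources (the "2 per account" shape)
    for i in range(25):
        for attempt in range(2):
            n = 2 * i + attempt
            ts = base + timedelta(seconds=20 * n)
            lines.append(f"{ts.strftime(fmt)} auth-fail user=user{i:02d} src={sources[n % 3]}")
    # one service account failed 12 times from a single source (the "many on 1" shape)
    for attempt in range(12):
        ts = base + timedelta(minutes=5, seconds=attempt)
        lines.append(f"{ts.strftime(fmt)} auth-fail user=svc-backup src=203.0.113.77")
    # benign noise two hours later: three users each mistyping once
    for j, user in enumerate(["alice", "bob", "carol"]):
        ts = base + timedelta(hours=2, minutes=j)
        lines.append(f"{ts.strftime(fmt)} auth-fail user={user} src=198.51.100.40")
    return lines


if __name__ == "__main__":
    for alert in detect(parse_events(build_sample_lines())):
        print(alert)
```

On the constructed sample the rule emits one `password_spray` alert (25 shallow accounts, 4 sources in the window) and one `brute_force` alert for `svc-backup`, while the three isolated mistakes later in the day produce nothing. Thresholds are placeholders; tune `min_accounts` to your population size and `max_per_account` to one less than the account lockout threshold, since an attacker staying under lockout is the case the rule exists for.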

hansvm
The success rate is also likely pretty high. You're not necessarily restricted to just the entropy of a single password, but depending on the attack vector it can be conditioned on also knowing the account owner's identity or username/email. Combine that property with the insane payoff of uncappable Azure access, and this starts to look more attractive.
You are right, lots of people are under the impression that there is a "dedicated attacker".

The reality is there are loads of “opportunistic attackers”.

Then you also have to realize it's all automated, so there is no one hand-picking stuff; it's basically harvesters running over those easy credentials, and the attackers are notified of successful ones. So running those harvesters is low effort and low investment, but even a single lucky hit can be a big payoff.

Then imagine big payoff for someone in 3rd world countries is $100.

williamscales
I put up a bare metal server with a public IP for the first time in a long time and I was stunned by how many automated opportunistic attempts it got.

Makes sense, like you say.
