Executive Summary
Applications that store user passwords in plaintext β also referred to as storing credentials "in the clear" β represent the most severe category of authentication vulnerability. Any party who gains access to the password file or database immediately possesses every user credential in fully readable form. No decryption, cracking, or computation is required. The exposure is total and instantaneous.
While increasingly rare in modern software, plaintext storage persists in legacy systems and poorly designed applications. The only viable remediation is replacement or complete redesign β partial fixes do not address the root architectural flaw.
Vulnerability Characteristics
| Attribute | Detail |
|---|---|
| Storage form | Raw password text β identical to what the user types; no transformation applied |
| Access requirement | Read access to the password file or database table β no cryptographic capability needed |
| Time to exploit | Immediate β no computation; credentials are directly readable |
| Scope of exposure | 100% of user accounts affected by a single file access event |
| Detection difficulty | High β reading a database file generates no authentication events or alerts |
| Prevalence | Rare in modern systems; present in legacy applications and poorly maintained codebases |
Attack Scenario
An attacker exploits a SQL injection vulnerability in a legacy web application and extracts the users table from the application database. In systems using plaintext storage, the result is a direct credential dump:
The attacker now holds every account credential without any further processing. Credentials can be used immediately for direct access, sold, or used in credential stuffing attacks against other services where users have reused the same password.
Contrast: Hashed Storage
In a correctly designed system, the same SQL injection would yield only hash values β fixed-length strings that cannot be reversed to recover the original password. The attacker would still need to invest significant computational resources to crack each hash individually, and strong hash algorithms with salting would make this computationally infeasible for complex passwords.
The hash reveals nothing about the original password. This one-way transformation β called a message digest or fingerprint β is the minimum acceptable storage mechanism.
Remediation
| Action | Priority | Notes |
|---|---|---|
| Replace the application with one that uses hashed password storage | Immediate | Plaintext storage cannot be patched β it requires architectural change |
| Force all users to reset passwords after migration | Immediate | Assume all existing credentials are compromised |
| Use a strong, salted hashing algorithm (bcrypt, Argon2, or SHA-256 with salt) | High | Salting prevents rainbow table attacks; algorithm choice affects offline cracking speed |
| Notify users of the exposure and advise password changes on other services | High | Credential reuse makes this breach a risk beyond the compromised application |
Executive Summary
Password spraying is an authentication attack that inverts the typical brute force approach. Rather than attempting many passwords against one account β which triggers lockout policies β the attacker attempts a small number of highly common passwords across a large number of accounts. By staying below the lockout threshold on each individual account, the attack proceeds without triggering account lockouts, security alerts, or intrusion detection events.
The attack exploits a persistent behavioral reality: despite widespread awareness, a significant percentage of users in any large organization will have set one of the top five most common passwords. Spraying finds those accounts.
Attack Mechanics
| Attribute | Traditional Brute Force | Password Spraying |
|---|---|---|
| Target per attempt | One account, many passwords | Many accounts, one (or few) passwords |
| Lockout risk | High β exceeds threshold quickly on target account | Low β stays at 1β3 attempts per account |
| Alert generation | High β repeated failures on one account | Low β failures distributed across many accounts |
| Requires on-path position | No | No |
| Success condition | Target account has a guessable password | Any account in the population uses a common password |
| Scale advantage | None | Larger user population = higher probability of success |
Common Passwords Targeted
Spraying attacks focus on the statistically most common passwords. The following five passwords consistently rank as the most commonly used worldwide according to breach analysis data:
| Rank | Password | Why It Persists |
|---|---|---|
| 1 | 123456 | Minimum length, sequential keystrokes β easiest to type |
| 2 | 123456789 | Longer sequential pattern β meets length requirements without complexity |
| 3 | qwerty | Keyboard row pattern β memorable, no cognitive load |
| 4 | password | Literally the word for the concept β default for many systems |
| 5 | 1234567 | Sequential variant β minimal variation of rank 1 |
Attack Execution Flow
Detection and Mitigation
| Control | Effectiveness | Notes |
|---|---|---|
| Multi-Factor Authentication (MFA) | Highest | A successful spray still cannot authenticate without the second factor; renders the captured password alone insufficient |
| Password policy enforcing complexity | High | Preventing common passwords at account creation eliminates the attack surface entirely; enforce with blocklist of known-common passwords |
| Distributed login failure monitoring | High | Alert on many accounts receiving failed logins with the same password within a time window β the spraying signature |
| Per-account lockout policy | Partial | Spraying is specifically designed to stay below this threshold; lockout alone is insufficient without MFA or monitoring |
Executive Summary
Brute force attacks systematically try every possible password combination until the correct one is found. Two fundamentally different variants exist: online brute force, which targets the live authentication endpoint and is severely constrained by lockout policies and network latency; and offline brute force, which operates against a downloaded copy of the hashed password database with no authentication system involvement, no lockout risk, and full access to GPU-scale computational resources.
Online brute force is largely mitigated by modern account lockout policies. Offline brute force is the operationally significant threat β it becomes possible the moment an attacker acquires the password hash file, and its effectiveness depends entirely on the strength of the hashing algorithm and whether salting was used.
Online vs Offline β Comparison
| Attribute | Online Brute Force | Offline Brute Force |
|---|---|---|
| Target | Live authentication endpoint (login page, API) | Downloaded password hash file |
| Network required during attack | Yes β each attempt requires a network request | No β all computation is local |
| Speed | Very slow β limited by network round-trip time | Very fast β GPU can compute billions of hashes per second |
| Lockout risk | High β N failed attempts triggers lockout | None β the authentication system is not involved |
| Alert generation | High β repeated failed logins are logged | None during cracking β alert only on original file acquisition |
| Prerequisite | Reachable authentication endpoint | Acquisition of the password hash file (DB breach, insider, etc.) |
| Severity | High (if lockout absent) | Critical β complete offline cracking campaign |
Offline Brute Force β Process Detail
Once an attacker has obtained the password hash file β typically a table of usernames paired with hashed credentials β the cracking process operates independently of the victim system:
alice : 5d41402abc4b2a76b9719d911017c592Password File Structure
The specific format of password files varies by operating system and application, but the attack model is consistent: the file contains usernames paired with hashed passwords. Obtaining this file is the prerequisite for offline brute force.
| Platform / Application | File / Location | Hash Algorithm (typical) |
|---|---|---|
| Linux | /etc/shadow (readable only by root) | SHA-512 (modern), MD5 (legacy) |
| Windows | SAM database / NTDS.dit (Active Directory) | NTLM hash |
| Web applications | Database users table | Varies β bcrypt (good), MD5 (broken), plaintext (critical) |
Defenses by Attack Type
| Defense | Addresses | Mechanism |
|---|---|---|
| Account lockout policy | Online brute force | Lock account after N consecutive failed attempts β rate-limits the attack to below one attempt per unlock cycle |
| Strong, slow hashing (bcrypt, Argon2) | Offline brute force | Increases per-attempt computation time from microseconds to hundreds of milliseconds β makes a full keyspace search infeasible even with GPU clusters |
| Password salting | Offline brute force (rainbow tables) | Unique random value added per password before hashing β prevents precomputed lookup tables; forces per-password cracking effort |
| Multi-Factor Authentication (MFA) | Both | Even a successfully cracked password cannot authenticate alone; requires a second factor not present in the hash file |
| Strong password policy | Both | Longer passwords with high character-set entropy increase the keyspace β extends offline cracking time from hours to centuries |
| Monitoring and logging | Online brute force | Detects repeated failed login attempts; triggers alerts or auto-lockout before threshold is reached |