Chapter 53 Β· Advisory Report

Password Attacks

Threat intelligence advisories covering plaintext credential storage, password spraying, and brute force attacks.

PASSWD-2024-001 Β· Credential Storage Assessment Plaintext Password Storage β€” Immediate Exposure of All Credentials
Critical

Executive Summary

Applications that store user passwords in plaintext β€” also referred to as storing credentials "in the clear" β€” represent the most severe category of authentication vulnerability. Any party who gains access to the password file or database immediately possesses every user credential in fully readable form. No decryption, cracking, or computation is required. The exposure is total and instantaneous.

While increasingly rare in modern software, plaintext storage persists in legacy systems and poorly designed applications. The only viable remediation is replacement or complete redesign β€” partial fixes do not address the root architectural flaw.

Vulnerability Characteristics

AttributeDetail
Storage formRaw password text β€” identical to what the user types; no transformation applied
Access requirementRead access to the password file or database table β€” no cryptographic capability needed
Time to exploitImmediate β€” no computation; credentials are directly readable
Scope of exposure100% of user accounts affected by a single file access event
Detection difficultyHigh β€” reading a database file generates no authentication events or alerts
PrevalenceRare in modern systems; present in legacy applications and poorly maintained codebases

Attack Scenario

An attacker exploits a SQL injection vulnerability in a legacy web application and extracts the users table from the application database. In systems using plaintext storage, the result is a direct credential dump:

Extracted row (plaintext): username: alice | password: Sunflower2019 | email: alice@corp.com
Extracted row (plaintext): username: bob | password: qwerty123 | email: bob@corp.com

The attacker now holds every account credential without any further processing. Credentials can be used immediately for direct access, sold, or used in credential stuffing attacks against other services where users have reused the same password.

Contrast: Hashed Storage

In a correctly designed system, the same SQL injection would yield only hash values β€” fixed-length strings that cannot be reversed to recover the original password. The attacker would still need to invest significant computational resources to crack each hash individually, and strong hash algorithms with salting would make this computationally infeasible for complex passwords.

Hashed row (SHA-256): username: alice | password_hash: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

The hash reveals nothing about the original password. This one-way transformation β€” called a message digest or fingerprint β€” is the minimum acceptable storage mechanism.

Remediation

ActionPriorityNotes
Replace the application with one that uses hashed password storageImmediatePlaintext storage cannot be patched β€” it requires architectural change
Force all users to reset passwords after migrationImmediateAssume all existing credentials are compromised
Use a strong, salted hashing algorithm (bcrypt, Argon2, or SHA-256 with salt)HighSalting prevents rainbow table attacks; algorithm choice affects offline cracking speed
Notify users of the exposure and advise password changes on other servicesHighCredential reuse makes this breach a risk beyond the compromised application
PASSWD-2024-002 Β· Authentication Attack Analysis Password Spraying β€” Lockout Evasion via Low-Rate Distributed Credential Testing
High

Executive Summary

Password spraying is an authentication attack that inverts the typical brute force approach. Rather than attempting many passwords against one account β€” which triggers lockout policies β€” the attacker attempts a small number of highly common passwords across a large number of accounts. By staying below the lockout threshold on each individual account, the attack proceeds without triggering account lockouts, security alerts, or intrusion detection events.

The attack exploits a persistent behavioral reality: despite widespread awareness, a significant percentage of users in any large organization will have set one of the top five most common passwords. Spraying finds those accounts.

Attack Mechanics

AttributeTraditional Brute ForcePassword Spraying
Target per attemptOne account, many passwordsMany accounts, one (or few) passwords
Lockout riskHigh β€” exceeds threshold quickly on target accountLow β€” stays at 1–3 attempts per account
Alert generationHigh β€” repeated failures on one accountLow β€” failures distributed across many accounts
Requires on-path positionNoNo
Success conditionTarget account has a guessable passwordAny account in the population uses a common password
Scale advantageNoneLarger user population = higher probability of success

Common Passwords Targeted

Spraying attacks focus on the statistically most common passwords. The following five passwords consistently rank as the most commonly used worldwide according to breach analysis data:

RankPasswordWhy It Persists
1123456Minimum length, sequential keystrokes β€” easiest to type
2123456789Longer sequential pattern β€” meets length requirements without complexity
3qwertyKeyboard row pattern β€” memorable, no cognitive load
4passwordLiterally the word for the concept β€” default for many systems
51234567Sequential variant β€” minimal variation of rank 1

Attack Execution Flow

Step 1 β€” Enumerate accounts: Attacker obtains a list of valid usernames (via LDAP enumeration, email harvesting, or public directory)
Step 2 β€” Select spray password: Choose "123456" as the first attempt β€” highest statistical probability of success
Step 3 β€” Test account 1: Submit username=alice, password=123456 β†’ Login failed β†’ move on (1 of N attempts used on alice)
Step 4 β€” Test account 2–N: Repeat for every account on the list with password "123456" β€” no account reaches its lockout threshold
Step 5 β€” Rotate password: Begin second pass with "password" β€” again across all accounts β€” still no lockouts if threshold is 5+
Step 6 β€” Hit: account user_8471 with password "123456" returns successful authentication β€” attacker has access

Detection and Mitigation

ControlEffectivenessNotes
Multi-Factor Authentication (MFA)HighestA successful spray still cannot authenticate without the second factor; renders the captured password alone insufficient
Password policy enforcing complexityHighPreventing common passwords at account creation eliminates the attack surface entirely; enforce with blocklist of known-common passwords
Distributed login failure monitoringHighAlert on many accounts receiving failed logins with the same password within a time window β€” the spraying signature
Per-account lockout policyPartialSpraying is specifically designed to stay below this threshold; lockout alone is insufficient without MFA or monitoring
PASSWD-2024-003 Β· Credential Cracking Analysis Brute Force Attacks β€” Online Authentication Testing and Offline Hash Cracking
High / Critical

Executive Summary

Brute force attacks systematically try every possible password combination until the correct one is found. Two fundamentally different variants exist: online brute force, which targets the live authentication endpoint and is severely constrained by lockout policies and network latency; and offline brute force, which operates against a downloaded copy of the hashed password database with no authentication system involvement, no lockout risk, and full access to GPU-scale computational resources.

Online brute force is largely mitigated by modern account lockout policies. Offline brute force is the operationally significant threat β€” it becomes possible the moment an attacker acquires the password hash file, and its effectiveness depends entirely on the strength of the hashing algorithm and whether salting was used.

Online vs Offline β€” Comparison

AttributeOnline Brute ForceOffline Brute Force
TargetLive authentication endpoint (login page, API)Downloaded password hash file
Network required during attackYes β€” each attempt requires a network requestNo β€” all computation is local
SpeedVery slow β€” limited by network round-trip timeVery fast β€” GPU can compute billions of hashes per second
Lockout riskHigh β€” N failed attempts triggers lockoutNone β€” the authentication system is not involved
Alert generationHigh β€” repeated failed logins are loggedNone during cracking β€” alert only on original file acquisition
PrerequisiteReachable authentication endpointAcquisition of the password hash file (DB breach, insider, etc.)
SeverityHigh (if lockout absent)Critical β€” complete offline cracking campaign

Offline Brute Force β€” Process Detail

Once an attacker has obtained the password hash file β€” typically a table of usernames paired with hashed credentials β€” the cracking process operates independently of the victim system:

Step 1 β€” Acquire hash file: Attacker exfiltrates the password database (e.g., via SQL injection, insider access, or backup file exposure). Typical content: alice : 5d41402abc4b2a76b9719d911017c592
Step 2 β€” Begin iteration: Compute hash("aaaaa") β†’ compare to stored hash β†’ no match β†’ proceed
Step 3 β€” Continue: Compute hash("aaaab") β†’ compare β†’ no match β†’ compute hash("aaaac") β†’ ... continue through entire character space
Step 4 β€” Match found: Eventually hash("password") matches the stored value β†’ original password recovered. No login attempt was ever made against the live system.
Step 5 β€” Scale: GPU clusters can compute hundreds of billions of MD5 hashes per second; SHA-256 is slower; bcrypt/Argon2 are designed to be orders of magnitude slower still

Password File Structure

The specific format of password files varies by operating system and application, but the attack model is consistent: the file contains usernames paired with hashed passwords. Obtaining this file is the prerequisite for offline brute force.

Platform / ApplicationFile / LocationHash Algorithm (typical)
Linux/etc/shadow (readable only by root)SHA-512 (modern), MD5 (legacy)
WindowsSAM database / NTDS.dit (Active Directory)NTLM hash
Web applicationsDatabase users tableVaries β€” bcrypt (good), MD5 (broken), plaintext (critical)

Defenses by Attack Type

DefenseAddressesMechanism
Account lockout policyOnline brute forceLock account after N consecutive failed attempts β€” rate-limits the attack to below one attempt per unlock cycle
Strong, slow hashing (bcrypt, Argon2)Offline brute forceIncreases per-attempt computation time from microseconds to hundreds of milliseconds β€” makes a full keyspace search infeasible even with GPU clusters
Password saltingOffline brute force (rainbow tables)Unique random value added per password before hashing β€” prevents precomputed lookup tables; forces per-password cracking effort
Multi-Factor Authentication (MFA)BothEven a successfully cracked password cannot authenticate alone; requires a second factor not present in the hash file
Strong password policyBothLonger passwords with high character-set entropy increase the keyspace β€” extends offline cracking time from hours to centuries
Monitoring and loggingOnline brute forceDetects repeated failed login attempts; triggers alerts or auto-lockout before threshold is reached