Password spraying has several moving parts. At its core it is designed to work around account lockouts and to stay under the radar: instead of hammering one account with many passwords, the attacker tries one common password against many accounts. Let's have a look at how the technique works and at ways to beat it.
Most systems you use online require a username and a password, and typically if you enter the wrong password three times you are locked out for a period of time. When your account keeps getting locked you notice very quickly.
The lockout is designed to slow things down, so a brute-force attack against a single account takes much longer (three guesses, then a wait, three more guesses, and so on).
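To make the lockout trade-off concrete, here is an added example (not code from the original post) with a toy lockout policy: three failures inside a ten-minute window lock the account for fifteen minutes. The usernames, passwords, source address and thresholds are all constructed for the example. A single-account brute force trips the lock on the third guess, even when the right password is next in the list, while a spray that tries one password against every account and then waits longer than the window never gives any one account a second failure to count. The last function shows the check that does catch a spray: many different usernames failing from one source.

```python
"""Added example: a toy lockout policy and why spraying slips under it."""
from collections import defaultdict, deque

# Constructed sample directory: two people reuse the same weak password.
ACCOUNTS = {
    "alice": "Password1",
    "bob":   "Summer2023!",
    "carol": "kV9#pL2q!xR7",
    "dave":  "Password1",
}


class LockoutPolicy:
    """Lock an account after `threshold` failures inside `window` seconds."""

    def __init__(self, threshold=3, window=600, lockout=900):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time the lock expires
        self.log = []                        # (time, source, user, result)

    def attempt(self, user, password, now, source="203.0.113.5"):
        result = self._check(user, password, now)
        self.log.append((now, source, user, result))
        return result

    def _check(self, user, password, now):
        if self.locked_until.get(user, -1) > now:
            return "locked"                  # correct password or not, it is refused
        if ACCOUNTS.get(user) == password:
            self.failures[user].clear()
            return "success"
        q = self.failures[user]
        q.append(now)
        while now - q[0] > self.window:      # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[user] = now + self.lockout
            q.clear()
            return "locked"
        return "fail"


def brute_force(policy, user, guesses, start=0, gap=1):
    """Classic single-account brute force: every guess hits the same account."""
    return [policy.attempt(user, g, start + i * gap) for i, g in enumerate(guesses)]


def spray(policy, users, passwords, start=0, round_gap=700):
    """One password against every account, then wait longer than the lockout
    window before the next password, so no account ever sees a second failure
    inside the window. Returns the credentials found and the lockouts caused."""
    found, locked, now = {}, 0, start
    for pw in passwords:
        for u in users:
            r = policy.attempt(u, pw, now)
            if r == "success":
                found[u] = pw
            elif r == "locked":
                locked += 1
            now += 1
        now += round_gap
    return found, locked


def spray_sources(policy, window=3600, min_users=3):
    """Detection: a source that fails against many *different* usernames in a
    window is spraying, even though no single account tripped the lockout."""
    by_source = defaultdict(set)
    latest = max((t for t, *_ in policy.log), default=0)
    for t, src, user, result in policy.log:
        if result != "success" and latest - t <= window:
            by_source[src].add(user)
    return {src for src, users in by_source.items() if len(users) >= min_users}


if __name__ == "__main__":
    p = LockoutPolicy()
    print(brute_force(p, "alice", ["123456", "qwerty", "letmein", "Password1"]))
    p2 = LockoutPolicy()
    print(spray(p2, list(ACCOUNTS), ["Password1", "Summer2023!", "Welcome1"]))
    print("spraying sources:", spray_sources(p2))
```

The per-account counter is what the lockout protects, and the spray never pushes it past one. Counting distinct usernames per source (or per source across a whole tenant, since a real spray is spread over many addresses) is the dimension the attacker cannot avoid inflating.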
Data Leaks and System Compromises
The number of times account details are leaked is shocking. It happens in all sorts of ways; what matters here is that all of a sudden the attacker has a big list of real usernames for the system in question.
Here we are not too interested in the leaked passwords; that is a different attack, and whether they are usable at all is entirely at the mercy of how the password was stored (plaintext, a fast unsalted hash, or a proper slow salted hash).
The number of people who use the same password is shocking. It's a generalisation, but thinking up passwords is HARD, so the same ones tend to float to the surface, like "password" (really).
If the system in question needs a number, you can bet there will be a 1 on the end. A capital? It's nearly always the first letter. Some people use substitutions; let's go for S3cur3: $ for s, 3 for e, 0 for o, 1 for i. Hackers know them as well.
If the attacker used brute force, all these variants are worked out automatically ahead of time, e.g. "password", "Password", "Pa$sword", "pa$$word" etc. I've seen this attack used within a company: in less than a minute about a third of the passwords were exposed, including the domain admins'.
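The "worked out ahead of time" step above is a word-mangling rule set. As an added example (not code from the original post), here is a small generator that takes a base word and applies exactly the habits the previous paragraphs list: the substitutions $/s, 3/e, 0/o and 1/i in every combination, a capital first letter, and a suffix such as 1. The suffix list and the ordering by number of changes are assumptions for the example; real rule files used by cracking tools are far larger, but they work the same way. Variants with the fewest changes come first, which is the order a spray would try them in.

```python
"""Added example: generate the predictable variants of a base password."""
import itertools

# Substitutions named on the page; everything else is left alone.
LEET = {"s": ["$"], "e": ["3"], "o": ["0"], "i": ["1"]}

# Assumed suffix list: "" (none), the ubiquitous 1, and two other common endings.
SUFFIXES = ["", "1", "123", "!"]


def leet_variants(word):
    """Every combination of substituting or not substituting each character."""
    options = [[c] + LEET.get(c, []) for c in word]
    return ["".join(p) for p in itertools.product(*options)]


def mangle(base):
    """Return the variants of `base`, fewest changes first, no duplicates."""
    base = base.lower()
    scored = []
    for leet in leet_variants(base):
        subs = sum(1 for a, b in zip(base, leet) if a != b)
        for cased in (leet, leet[0].upper() + leet[1:]):
            cap = int(cased != leet)            # capitalising a digit changes nothing
            for suffix in SUFFIXES:
                scored.append((subs + cap + int(bool(suffix)), cased + suffix))
    scored.sort(key=lambda t: t[0])              # stable: keeps generation order within a score
    return list(dict.fromkeys(v for _, v in scored))


if __name__ == "__main__":
    for base in ("password", "secure"):
        variants = mangle(base)
        print(f"{base}: {len(variants)} variants, first ten: {variants[:10]}")
```

For "password" the four substitutable letters give 8 leet forms, times 2 capitalisations, times 4 suffixes, 64 candidates in total, and "Password1", "Pa$sword" and "pa$$word" all appear in the list. Sprayed against a large user list, a handful of these will usually be enough.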