Episode 44 — Credential Attacks: Password Spraying, Brute Force, User Enumeration, and MFA Bypass

In this episode, we look at credential attacks, which are attempts to misuse the information and trust that prove who someone is. A credential might be a password, a passphrase, a one-time code, a session token, or another piece of information tied to access. These attacks matter because many security systems begin with identity. If an attacker can sign in as a real user, the activity may look more legitimate than a noisy technical exploit. The attacker may not need to break a server or exploit an application flaw if they can simply walk through the front door using a valid account. That is why credential attacks are so common and so dangerous. You want to recognize how these attacks differ, how they appear in logs and alerts, and why speed, volume, account lockouts, and Multi-Factor Authentication (M F A) behavior can reveal what is happening.

Before we continue, a quick note. This audio course is part of our companion study series. The first book is a detailed study guide that explains the exam and helps you prepare for it with confidence. The second is a Kindle-only eBook with one thousand flashcards you can use on your mobile device or Kindle for quick review. You can find both at Cyber Author dot me in the Bare Metal Study Guides series.

Password spraying is a credential attack where the attacker tries one or a small number of common passwords across many accounts. Instead of hammering one account with many guesses, the attacker spreads the guesses out. The goal is to avoid account lockout rules that might trigger after several failed attempts against the same user. A password spraying attack might try a seasonal password, a company name with a number, a common welcome password, or a password pattern people are likely to use. It is dangerous because only one weak password may be enough for the attacker to gain a foothold. The attack can be slower and less obvious than a direct brute force attempt. You may see a small number of failures across many accounts, often from the same source, region, device pattern, or automation service. The pattern across users is often more important than any single failed login.

Brute force is more direct. In a brute force attack, the attacker tries many possible passwords against an account or service until one works or the attempt is stopped. The guesses may come from a list of common passwords, leaked passwords, or generated combinations. Brute force is usually louder than password spraying because it produces many failures quickly. If account lockout is enabled, the targeted account may lock after too many failed attempts. That lockout can frustrate the attacker, but it can also disrupt the real user. Brute force indicators often include a high number of failed attempts against one account, repeated attempts from one source, or repeated attempts spread across many sources in a coordinated way. The speed of the attempts matters. A human mistyping a password a few times looks different from hundreds or thousands of automated guesses arriving in a short period.

The difference between password spraying and brute force is important because they create different visibility patterns. Password spraying is broad and shallow, while brute force is often narrow and deep. Broad and shallow means many accounts receive only a few guesses each. Narrow and deep means one account receives many guesses. Password spraying is designed to stay under lockout thresholds, so you may not see many locked accounts at first. Brute force often triggers lockouts, rate limits, and obvious failure spikes. From a defender’s point of view, password spraying may require looking across the whole organization rather than only one user. Brute force may stand out when one account suddenly has far more failures than normal. Both attacks are trying to solve the same problem for the attacker. They want valid credentials, but they choose different speeds and shapes to get there.

User enumeration is an attack technique used to discover which usernames or accounts are valid. An attacker may test login pages, password reset pages, registration forms, or authentication responses to see whether the system reveals too much. If one response says an account does not exist and another says the password is wrong, the attacker has learned that the second username is real. Even timing differences, error wording, or behavior changes can provide clues. User enumeration matters because a list of valid accounts makes later attacks easier. Password spraying becomes more efficient when the attacker already knows which usernames work. Phishing can become more believable when the attacker knows real names and email addresses. Indicators may include many attempts against different usernames, repeated password reset checks, strange registration attempts, or authentication failures where the password does not matter because the attacker is mainly testing account existence.

A username can seem harmless, but it can become valuable when it is combined with other information. Many organizations use predictable naming patterns, such as first initial and last name, or first name dot last name. Attackers may build possible usernames from public websites, social media, conference pages, breach data, or employee directories. Then they test which guesses are valid. You may see this activity as a large number of login attempts against names that almost look right. Some may be real, some may be old, and some may never have existed. A strong identity system should avoid giving attackers clear answers about which accounts are valid, but the behavior still leaves patterns. If many nonexistent usernames are tested in sequence, or if password reset requests appear for accounts that were never active, the attacker may be mapping the identity surface before launching a larger credential attack.
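The response difference described above, shown side by side as an added illustration (not the episode's own code): a login check that leaks whether an account exists, next to one that answers the same way and performs the same hashing work whether or not the username is real. The user store, the password and the PBKDF2 settings are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

# Constructed user store (username -> (salt, hash)); not a real database.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown username costs the same work as a known one,
# which removes the timing difference an enumeration probe could measure.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login_leaky(username, password):
    """Deliberately enumeration-prone: distinct errors and an early return."""
    if username not in USERS:
        return "no such user"            # tells the caller the account is absent
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"          # tells the caller the account exists
    return "ok"

def login_uniform(username, password):
    """Same message and same work for unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    if username in USERS and match:
        return "ok"
    return "invalid username or password"
```

The same uniform-answer rule should apply to password reset and registration paths, which the episode lists as equally common enumeration targets.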

Replay attacks can also involve credentials, but the idea is different from guessing a password. In a replay attack, an attacker captures something that was valid and tries to reuse it. That something might be an authentication message, a session token, a one-time code used too late in the process, or another proof that the system accepts as evidence of identity. The attacker is not necessarily trying to learn the password. They are trying to reuse trust that already existed. This can be especially dangerous when the reused item is accepted without enough freshness checks, expiration, or binding to a specific device or session. Indicators may include the same authentication material appearing more than once, a session continuing from an unexpected location, a repeated request that should have been single-use, or account activity that resumes without a normal sign-in pattern. Replay is about copying access rather than guessing it.
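An added example, not from the episode, of the freshness, single-use and session-binding checks just described, applied to a one-time code: the verifier class, the six-digit code format, the two-minute lifetime and the rejection reasons are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

class OneTimeCodeVerifier:
    """Issues short-lived, single-use codes bound to the session that requested them.
    Illustrative design only; lifetime and code format are assumptions."""

    def __init__(self, ttl_seconds=120, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock             # injectable so a test can move time forward
        self._pending = {}              # code_id -> (session_id, code_hash, expires_at)
        self._consumed = set()          # ids that have already been accepted once

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, session_id):
        code_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"   # six digits, stored only as a hash
        self._pending[code_id] = (session_id, self._digest(code), self._clock() + self._ttl)
        return code_id, code

    def verify(self, code_id, code, session_id):
        """Return "ok" or the reason for rejection; a code can succeed at most once."""
        if code_id in self._consumed:
            return "already_used"       # replay of material that was valid earlier
        record = self._pending.get(code_id)
        if record is None:
            return "unknown"
        bound_session, code_hash, expires_at = record
        if self._clock() > expires_at:
            del self._pending[code_id]
            return "expired"            # freshness check
        if not hmac.compare_digest(bound_session, session_id):
            return "wrong_session"      # binding check: code presented from another session
        if not hmac.compare_digest(self._digest(code), code_hash):
            return "bad_code"
        del self._pending[code_id]
        self._consumed.add(code_id)     # single-use: the same proof is never accepted twice
        return "ok"
```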

Credential replay is common when attackers use passwords exposed in breaches from other services. This is often called credential stuffing, where an attacker takes known username and password pairs and tries them on a different site or application. The attacker knows many people reuse passwords, so a password stolen from one service may unlock another. This can look different from pure brute force because the attacker is not trying random guesses. They are testing real credential pairs from previous compromises. The success rate may be low, but the volume can be high. Detection patterns may include many login attempts across many accounts, attempts from automation infrastructure, unusual user agents, and successful logins for users who had no recent activity. The account lockout behavior can vary. If each account is tried only once or twice, lockouts may not occur, even though the campaign is large and dangerous.

M F A bypass is a set of techniques attackers use to get around the extra verification step that should protect an account after the password. M F A is valuable because a stolen password alone should not be enough. The attacker needs another factor, such as a code, approval, hardware key, device, or biometric check. Bypass attempts happen when attackers trick the user, steal a token, intercept a code, exploit weak recovery processes, or abuse a trusted session. One common pattern is push fatigue, where the attacker repeatedly triggers approval prompts and hopes the user eventually taps approve just to make the interruptions stop. Another pattern is a fake sign-in page that collects both the password and the one-time code. Indicators may include repeated M F A prompts, approvals from unfamiliar locations, successful sign-ins right after phishing activity, or changes to authentication methods shortly after account access.

M F A bypass can also involve social engineering against help desks or account recovery processes. An attacker may claim to have lost a phone, changed devices, or been locked out at a critical moment. If the recovery process is weak, the attacker may convince someone to reset M F A, add a new factor, or approve access without enough identity proof. This type of attack can be quieter than repeated login failures because the attacker is not only fighting technology. They are trying to manipulate the support process around the technology. Indicators may include unusual recovery requests, new devices registered soon after a password reset, authentication factors added outside normal business patterns, or a user reporting that they did not request a change. M F A is strongest when the surrounding processes are strong too. A secure factor can be weakened by a careless exception.

Speed is one of the first clues that helps separate credential attack types. A brute force attack may be fast because the attacker is testing many guesses quickly. Password spraying is usually slower because the attacker wants to avoid lockouts and attention. Credential stuffing can be fast at the campaign level but may touch each account only a small number of times. User enumeration may appear as steady probing rather than direct password guessing. Replay may appear suddenly, because the attacker already has something usable and is trying to make it work before it expires. M F A bypass may be tied to the timing of a phishing page, a user approval, or a recovery request. When you look at authentication activity, do not only ask whether a login failed or succeeded. Ask how fast the attempts happened, how widely they spread, and whether the timing fits normal human behavior.

Visibility also differs across these attacks. Brute force is often obvious because failures pile up against one account or service. Password spraying can be harder to notice because each user may only have one or two failures. User enumeration may appear as strange account lookup behavior rather than normal sign-in attempts. Replay may be visible in session logs, token use, device changes, or impossible travel patterns rather than password failures. M F A bypass may be visible in prompts, approvals, factor changes, or suspicious recovery events. This is why identity monitoring should not focus only on failed passwords. A successful login can be suspicious if the context is wrong. A failed login can be harmless if it is just a typo. The pattern becomes clearer when you connect account, device, location, time, application, M F A status, and what happened after authentication.

Account lockout behavior can tell you a lot about what the attacker is trying to avoid or trigger. In brute force, lockouts are common because many guesses hit the same account. In password spraying, the attacker often stays below the lockout threshold by spreading attempts across many accounts. In credential stuffing, lockouts may be inconsistent because the attacker may try only a few known password pairs per account. In user enumeration, lockouts may not happen at all if the attacker is not focused on password guessing. M F A bypass may occur after the password is already known, so the failed event may appear at the second factor instead of the first. Lockouts are useful alerts, but their absence does not mean there is no attack. Some of the most careful credential attacks are designed specifically to avoid creating the lockout pattern you might expect.

Detection patterns become stronger when they describe behavior instead of isolated events. Many failed logins from one source may suggest brute force. One failed login across many accounts from the same source may suggest password spraying. Many attempts against invalid usernames may suggest enumeration. Successful logins using credentials associated with previous breaches may suggest credential stuffing. Reused session material, strange token behavior, or access without a normal login sequence may suggest replay. Repeated M F A prompts, approvals from unusual places, or sudden factor changes may suggest bypass. You should also look at what happens after a successful login. Attackers often check mail, create forwarding rules, download files, register new devices, change recovery information, or access applications the user does not normally use. The login is only the door opening. The actions after the door opens often reveal the real intent.
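As an added example (not code from the episode), the broad-and-shallow versus narrow-and-deep shapes from the spraying and brute force sections, together with the invalid-username probing from the enumeration section, classified over a constructed set of authentication events. The event layout, the source addresses and the thresholds are assumptions chosen for the illustration, not figures the episode gives.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source_ip, username, outcome); not real logs.
# outcome is one of "ok", "bad_password", "no_such_user"
BASE = datetime(2024, 3, 1, 9, 0, 0)
_t = lambda seconds: BASE + timedelta(seconds=seconds)
EVENTS = []
# narrow and deep: 40 guesses against one account inside two minutes
EVENTS += [(_t(s * 3), "198.51.100.7", "bob", "bad_password") for s in range(40)]
# broad and shallow: one guess each against 20 different accounts
EVENTS += [(_t(300 + i * 2), "203.0.113.10", f"user{i:02d}", "bad_password") for i in range(20)]
# probing for valid names: usernames that do not exist, tried in sequence
EVENTS += [(_t(480 + i), "192.0.2.55", f"guess{i}", "no_such_user") for i in range(12)]
# benign: a real user mistypes twice, then signs in
EVENTS += [(_t(540), "10.0.0.5", "alice", "bad_password"),
           (_t(560), "10.0.0.5", "alice", "bad_password"),
           (_t(580), "10.0.0.5", "alice", "ok")]

def classify_sources(events, window=timedelta(minutes=10), brute_threshold=20,
                     spray_min_accounts=15, spray_max_per_account=2, enum_threshold=10):
    """Label each source by the shape of its failures within `window` of its first event.
    Thresholds are illustrative assumptions, not figures from the episode."""
    by_source = defaultdict(list)
    for ts, src, user, outcome in events:
        by_source[src].append((ts, user, outcome))
    labels = {}
    for src, rows in by_source.items():
        rows.sort()
        start = rows[0][0]
        fails_per_user, unknown_users = defaultdict(int), 0
        for ts, user, outcome in rows:
            if ts - start > window:
                break
            if outcome == "bad_password":
                fails_per_user[user] += 1
            elif outcome == "no_such_user":
                unknown_users += 1
        deepest = max(fails_per_user.values(), default=0)
        found = set()
        if deepest >= brute_threshold:
            found.add("brute_force")        # many guesses against one account
        if len(fails_per_user) >= spray_min_accounts and deepest <= spray_max_per_account:
            found.add("password_spray")     # a guess or two against many accounts
        if unknown_users >= enum_threshold:
            found.add("user_enumeration")   # testing which usernames are real
        labels[src] = found
    return labels
```

Alice's two typos followed by a success get no label, which is the point the episode makes: the shape across accounts and time, not a single failure, carries the signal.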

Credential attacks are dangerous because they blur the line between an attacker and a real user. Password spraying looks for one weak password across many accounts. Brute force pounds away with many guesses. User enumeration helps attackers learn which accounts are worth targeting. Replay reuses something that was already trusted. Credential stuffing tests known username and password pairs from other compromises. M F A bypass tries to defeat the extra check that should stop a stolen password from becoming a full compromise. Each attack has a different shape, speed, visibility level, lockout pattern, and detection trail. When you study these attacks, keep the larger idea in view. Identity is one of the main control points in modern security, so attackers spend a lot of effort trying to misuse it. If you can read the signs in authentication behavior, you can spot trouble before a single stolen account becomes a much larger incident.