Using Hydra to Spray User Passwords

How attackers bypass account lockout when brute-forcing passwords

Vickie Li
The Startup


Have you heard of a password brute-force attack? A brute-force attack is when attackers try to hack into a single account by guessing its password.

Let’s say an attacker is trying to hack the account of the user “Vickie”. The attacker will first generate a password list to use. She can either use a dictionary of common passwords she found online, or a list of likely passwords generated based on her knowledge of the user. Then, the attacker uses a script to rapidly fire off login attempts to the service. She tries to log into the service with the username “Vickie” and different passwords until she finds the correct one.

But modern applications are getting smarter. The majority of web applications now implement account lockout policies. If the application detects that an account has had a few failed login attempts in a short timeframe, the application will block the account from further logins. The application will often also notify the user of the failed login attempts or alert the system admins.

This means that traditional brute-force attacks are no longer feasible for a majority of applications. To avoid account lockouts, attackers will have to space out their password guesses. This makes…
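The lockout policy described above, and the gap that spaced-out guessing leaves in it, as an added defender-side example that is not part of the original article. Both the authentication log and the thresholds (5 failures per account in 10 minutes, 10 failures per source in an hour) are constructed assumptions; the second check counts failures per source across all accounts so that guesses spread thinly over many users still add up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article).
# Each entry: (timestamp, source_ip, username, login_succeeded)
BASE = datetime(2020, 1, 1, 9, 0, 0)
EVENTS = []
# Burst: one source hammers a single account, 6 failures in 2 minutes.
for i in range(6):
    EVENTS.append((BASE + timedelta(seconds=20 * i), "10.0.0.5", "vickie", False))
# Spaced out: one source tries 12 different accounts once each, 5 minutes apart.
for i in range(12):
    EVENTS.append((BASE + timedelta(minutes=5 * i), "10.0.0.9", f"user{i:02d}", False))
# Legitimate traffic: a user mistypes once, then logs in successfully.
EVENTS.append((BASE + timedelta(minutes=3), "10.0.0.20", "alice", False))
EVENTS.append((BASE + timedelta(minutes=4), "10.0.0.20", "alice", True))


def _exceeds(events, key_fn, max_failures, window):
    """Return the set of keys (account or source) that accumulate more than
    max_failures failed logins inside a sliding window of the given length.
    A successful login clears the failure history for that key."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, user, ok in sorted(events):
        key = key_fn(ip, user)
        q = recent[key]
        if ok:
            q.clear()
            continue
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(key)
    return flagged


def locked_accounts(events, max_failures=5, window=timedelta(minutes=10)):
    """Per-account lockout policy as described in the article: a few failures
    on one account in a short timeframe blocks that account."""
    return _exceeds(events, lambda ip, user: user, max_failures, window)


def noisy_sources(events, max_failures=10, window=timedelta(hours=1)):
    """Complementary check: failures per source across all accounts. Attempts
    that stay under the per-account threshold still add up per source."""
    return _exceeds(events, lambda ip, user: ip, max_failures, window)
```

Only "vickie" is locked by the per-account policy; the spaced-out attempts from 10.0.0.9 never trip it, but the per-source check flags that address.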


Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7