Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.4. Password Attacks and Behavioral Indicators

💡 First Principle: Password attacks target the most common authentication mechanism. Behavioral indicators are patterns that suggest compromise even when specific technical evidence isn't available. Together they represent the "last mile" of attack detection.

Password spraying tries a few common passwords against many accounts. Unlike brute-force (many passwords against one account), spraying avoids lockout thresholds by staying under the attempt limit per account. Indicators: low-volume login failures across many accounts simultaneously.

Credential stuffing uses breached username/password pairs from other sites, betting that users reuse passwords. Indicators: login attempts from unusual locations using valid credentials, automated login patterns. Defense against credential stuffing includes MFA (the stolen password alone isn't enough), rate limiting login attempts, and checking passwords against known-breached databases (like "Have I Been Pwned") during password creation to prevent users from choosing already-compromised passwords.

Dictionary attacks try words from a word list rather than every possible combination. Faster than brute-force but limited to common passwords.

Behavioral indicators of compromise:
  • Impossible travel — user logs in from New York and ten minutes later from Tokyo. No physical travel explains the gap, indicating credential compromise.
  • Concurrent session usage — same account active from multiple locations simultaneously, suggesting shared or stolen credentials.
  • Resource consumption anomalies — unusual CPU/memory/network usage indicating cryptomining, data exfiltration, or malware activity.
  • Account lockout patterns — repeated lockouts may indicate brute-force attempts or credential stuffing.
  • Blocked content attempts — repeated attempts to access blocked resources suggest reconnaissance or policy testing.
  • Missing logs — gaps in log data may indicate an attacker covering their tracks, which is itself a critical indicator.

⚠️ Exam Trap: Password spraying vs. brute force: spraying = few passwords, many accounts (horizontal). Brute force = many passwords, one account (vertical). Spraying evades account lockout. If the scenario describes "failed logins across 200 accounts using the same three passwords," that's password spraying.
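The horizontal versus vertical distinction above, expressed as detection logic over failed-login events. This is an added example, not part of the original course material; the thresholds, window size, function names, and sample events are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed values; align them with your real lockout policy.
LOCKOUT_THRESHOLD = 5     # failures per account per window that trigger lockout
SPRAY_MIN_ACCOUNTS = 10   # accounts failing *below* lockout needed to flag a spray
WINDOW_SECONDS = 30 * 60

def analyze_failed_logins(events):
    """events: iterable of (utc_datetime, username, success).
    Returns [(label, window_start, usernames)] per fixed time window."""
    buckets = {}
    for ts, user, success in events:
        if not success:
            key = int(ts.timestamp()) // WINDOW_SECONDS
            buckets.setdefault(key, Counter())[user] += 1
    findings = []
    for key in sorted(buckets):
        start = datetime.fromtimestamp(key * WINDOW_SECONDS, tz=timezone.utc)
        per_user = buckets[key]
        # Horizontal: many accounts, each kept under the lockout limit.
        low = sorted(u for u, n in per_user.items() if n < LOCKOUT_THRESHOLD)
        if len(low) >= SPRAY_MIN_ACCOUNTS:
            findings.append(("password_spraying", start, low))
        # Vertical: one account absorbing lockout-level failure counts.
        for user in sorted(u for u, n in per_user.items() if n >= LOCKOUT_THRESHOLD):
            findings.append(("brute_force", start, [user]))
    return findings

def build_sample_events():
    """Constructed sample data, not real logs."""
    base = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    events = []
    # 12 accounts, 2 failures each, spread over about 20 minutes.
    for i in range(12):
        for j in range(2):
            events.append((base + timedelta(seconds=i * 60 + j * 600), f"user{i:02d}", False))
    # One account hit 40 times in under 7 minutes, an hour later.
    for k in range(40):
        events.append((base + timedelta(hours=1, seconds=k * 10), "svc-backup", False))
    # Ordinary noise: one typo followed by a successful login.
    events.append((base + timedelta(hours=2), "alice", False))
    events.append((base + timedelta(hours=2, seconds=20), "alice", True))
    return events

if __name__ == "__main__":
    for label, start, users in analyze_failed_logins(build_sample_events()):
        print(f"{start:%H:%M} UTC  {label:<18} accounts={len(users)}")
```

Counting across all sources rather than per IP means a spray distributed over many addresses is still caught. Fixed windows can split a burst that straddles a boundary; a sliding window avoids that.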

Written by Alvin Varughese
Founder • 15 professional certifications