chort ↙️↙️↙️ on Nostr: It may seem stupid, but password spraying (and credential stuffing) are a massive ...
It may seem stupid, but password spraying (and credential stuffing) are a massive threat.
SaaS providers and SaaS customers are sleeping on this issue. You might think password complexity will prevent this, but (LOL) no.
Attackers have access to huge botnets, or hundreds of cloud VMs. They have access to enormous residential proxy networks. It is absolutely possible to make hundreds of guesses for every one of your users per day for weeks until they get a match. Credential stuffing is even easier, since password reuse is so common.
You might also think that MFA would prevent this, but that's only true of phishing-resistant MFA. Once the attacker verifies working passwords, they can MFA fatigue bomb with push requests, or otherwise socially engineer those users.
Also, the burden shouldn't be entirely on the customer. Every SaaS provider should treat this as a top-tier threat: they should have automated systems to detect and block credential attacks, they should all support adding multiple phishing-resistant authenticators to accounts, and they should require MFA by default.
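The provider-side detection the post calls for, as an added example that is not part of the original post: a source that fails against many distinct accounts while staying under the per-account lockout threshold is the spray signature, and any success from such a source marks an account whose password has now been verified. The sample events, IP addresses, user names and thresholds are constructed placeholders.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample login events, not taken from the post: (time, source_ip, user, succeeded).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "203.0.113.7", "alice", False),
    ("2024-05-01T09:00:05", "203.0.113.7", "bob", False),
    ("2024-05-01T09:00:10", "203.0.113.7", "carol", False),
    ("2024-05-01T09:00:15", "203.0.113.7", "dave", False),
    ("2024-05-01T09:00:20", "203.0.113.7", "erin", False),
    ("2024-05-01T09:00:25", "203.0.113.7", "frank", True),
    ("2024-05-01T09:01:00", "198.51.100.2", "alice", False),  # a real user mistyping
    ("2024-05-01T09:01:30", "198.51.100.2", "alice", False),
    ("2024-05-01T09:02:00", "198.51.100.2", "alice", True),
]

def parse(events):
    return [(datetime.fromisoformat(t), ip, user, ok) for t, ip, user, ok in events]

def spray_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Flag source IPs that fail against >= min_users distinct accounts inside one
    sliding window while never exceeding max_per_user failures on any single account
    (i.e. staying below a typical lockout threshold). Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for t, ip, user, ok in parse(events):
        if not ok:
            by_ip[ip].append((t, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (t_end, _) in enumerate(fails):
            recent = [u for t, u in fails[: i + 1] if t >= t_end - window]
            per_user = Counter(recent)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged

def compromised_after_spray(events, flagged):
    """Successful logins from a flagged source are accounts whose password was guessed;
    these need a reset and close watching for the MFA push flood the post describes."""
    return sorted({user for _, ip, user, ok in parse(events) if ok and ip in flagged})

if __name__ == "__main__":
    hits = spray_sources(SAMPLE_EVENTS)
    print("spraying sources:", hits)
    print("accounts with a verified password:", compromised_after_spray(SAMPLE_EVENTS, hits))
```

Against a residential proxy network the per-IP view alone is not enough; the same sliding-window logic applied to the whole tenant (distinct accounts failing per window, regardless of source) catches the distributed case.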