Boost your confidence for the CompTIA PenTest+ Exam. Train with a quiz featuring flashcards and detailed questions, each offering hints and comprehensive explanations. Prepare thoroughly for your test!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What attack method involves attempting to log in using many usernames with the same password?

  1. Password spraying

  2. Credential stuffing

  3. Brute-force attack

  4. Account enumeration

The correct answer is: Password spraying

Password spraying is an attack method in which the attacker attempts to log in with a single common password across many different usernames. It takes advantage of the fact that users often choose weak or common passwords. Because each account sees only one attempt with that password, the attacker minimizes the risk of being locked out due to failed logins.

This approach is particularly effective because, unlike a brute-force attack in which the attacker tries numerous passwords against a single account, password spraying is more subtle and can often bypass account lockout mechanisms that activate after a certain number of incorrect attempts. Since attackers rely on the probability that some users will have chosen easily guessable passwords, this method can yield successful logins across multiple accounts without triggering security defenses as quickly.

The other options describe different techniques:

Credential stuffing uses stolen username-password pairs from one breach to try to access accounts on other services, which differs from password spraying, where one password is tried methodically across many accounts.

A brute-force attack typically attempts every possible password for a specific username, making it less efficient in scenarios where account lockout policies are in place.

Account enumeration is a technique used to identify valid usernames by observing varying behavior of the application during login attempts; it does not pertain directly to the login method described in this question.