User Enumeration vs Password Spraying

What do you call a User Enumeration attack against a logon service (i.e. username + password)? Based on recent polling (Source_1, Source_2), it would appear that our industry peers call this a password spray attack (by a 3-to-1 margin), despite its purpose clearly being user enumeration. This article explains why we are taking a minority view while still recognizing the validity of our peers’ viewpoints and incorporating them.
