OWASP / www-project-automated-threats-to-web-applications

OWASP Foundation Web Repository

Add synonyms/related terms? #1

Open jsoverson opened 4 years ago

jsoverson commented 4 years ago

"Password spraying" - testing a list of credentials for a known account - is a subset of credential cracking, but the term is getting increased global coverage (ACSC, Mitre, ArsTechnica). Google Trends shows that password spraying captures far more searches than credential cracking.

"Password replay", "credential replay", and "password reuse attacks" have all been used to refer to credential stuffing (NCSC, Krebs, 1password). Credential stuffing is the more popular term but the others keep popping up.

The differences, if there are any, across these terms are confusing. There isn't a central location that captures the relationships, and readers are left googling terms that net poor results.

Including terms that become common in popular usage will also help drive OWASP awareness.

jsoverson commented 4 years ago

Here's the Twitter conversation that motivated this: https://twitter.com/jsoverson/status/1219644499154100225

cw-owasp commented 4 years ago

Thank you, we try to document these in the “Other Names and Examples” section, but I see OAT007 is missing this text in the HTML page on the new site. I will get this corrected and look to extend and update these in the next version.