US Patent 11936664 Identity attack detection and blocking

Embodiments detect identity attacks by comparing usage of compromised passphrases or other weak credentials in failed sign-in attempts to access restriction conditions. A restriction threshold amount of weak credential failed sign-ins (WCFSI) or a WCFSI increase indicates an identity attack, such as a password spray attack. Going beyond the mere number of failed sign-ins by also considering credential strength allows embodiments to detect attacks sooner than other approaches. An embodiment may also initiate or impose defenses by locking accounts, blocking IP addresses, or requiring additional authentication before access to an account is allowed. Weak credentials may include short passwords, simple passwords, compromised passwords, or wrong usernames, for instance. Password strength testing may be used for attack detection in addition to preventive use on passwords proposed by authorized users. Familiar and unfamiliar traffic source locations may be tracked, as sets or individually.