2025-08-04 –, Tuscany
As security personnel and blue teams continue to tighten controls around credential stuffing and password reuse detection, attackers continue to evolve. A new tactic that is becoming popular amongst attackers is the mass use of synthetic passwords—those are fabricated, non-reused credentials generated algorithmically (either with scripts or using AI) for botnets to evade traditional defenses. These aren't leaked passwords or user guesses; they're high-entropy, AI-shaped, or randomly generated inputs designed to pollute logs, obscure real attack traffic, and overwhelm detection systems.
In this talk, we explore the growing use of synthetic passwords in credential attacks, how they’re generated, and the strategic value they offer to adversaries. We'll examine real-world examples of botnet behavior showing this shift, and how synthetic inputs are being weaponized to bypass rate limits, defeat breach matching engines, and poison log files, SIEMs and other analysis engines.
A major advantage of using synthetic passwords in attacks is to increase and exploit analysis fatigue. Large password attempts that make their way into logs and analytics - but offer little value when analyzed - create unnecessary work, processing and diversion.
Attendees will gain insight into how to identify, profile, and defend against these noise-based attacks—using entropy analysis, anomaly scoring, and behavioral fingerprinting.
Dimitri Fousekis / Rurapenthe - has been in the security industry for over 20 years, and is the CTO of Bitcrack Cyber Security. Having enjoyed many years of Passwords, and password-related talks, Dimitri has a passion for deception based cyber security, as well as OSINT and cybersecurity intelligence. He has spoken at many conferences including BSidesLV, BSidesZA, PasswordsCon Cambridge & Vegas, BSides Athens and others.