Password spraying is a specific form of brute force attack that differs from traditional attacks by targeting multiple accounts with a single password attempt, rather than repeatedly attacking a single account with numerous passwords. Password spraying attacks are often effective because many users use simple and easy-to-guess passwords, such as “password” or “123456”. In many organisations, users are locked out after a certain number of failed login attempts. Because password spraying attacks involve trying one password against many accounts, they avoid the account lockouts that typically occur when brute forcing a single account with numerous passwords.
Password spraying can target millions of different users at once, rather than just one account. The process is often automated and can take place over time to evade detection. These attacks often take place where the application or an admin within a particular organisation sets a default password for new users.
Single sign-on and cloud-based platforms can also prove particularly vulnerable. Although this type of attack may seem simple compared to other forms of cybercrime, it is commonly used even by advanced cybercriminal groups.
Password spraying attacks typically involve these steps:
To initiate a password spraying attack, cybercriminals often start by buying lists of usernames – lists which have been stolen from various organisations. It’s estimated that there are over 15 billion credentials for sale on the dark web.
Alternatively, cybercriminals may create their own list by following the formats that corporate email addresses follow – for example, firstname.lastname@companyname.com – and using a list of employees obtained from LinkedIn or other public information sources.
Cybercriminals sometimes target specific groups of employees – finance, administrators, or the C-suite – since targeted approaches can yield better results. They often target companies or departments using single sign-on (SSO) or federated authentication protocols – that is, the ability to log in to Facebook with your Google credentials, for example – or that have not implemented multi-factor authentication.
Password spraying attacks incorporate lists of common or default passwords. It’s relatively straightforward to find out what the most common passwords are – various reports or studies publish them each year, and Wikipedia even has a page which lists the most common 10,000 passwords. Cybercriminals may also do their own research to guess passwords – for example, by using the name of sports teams or prominent landmarks local to a targeted organisation.
Once the cybercriminal has a list of usernames and passwords, the aim is to try them until finding a combination that works. Often, the process is automated with password spraying tools. Cybercriminals try one password for numerous usernames, and then repeat the process with the next password on the list, to avoid falling foul of lockout policies or IP address blockers which restrict login attempts.
Password spraying attacks typically cause frequent, failed authentication attempts across multiple accounts. Organisations can detect password spraying activity by reviewing authentication logs for system and application login failures of valid accounts.
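As an added example (not from the original article), a small Python detector over constructed authentication log lines in a hypothetical "time RESULT user= src=" format. It separates the spray pattern (many distinct accounts, each with only a few failures) from single-account brute force, and flags any successful login from a source that was spraying:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in a hypothetical "<ISO time> <RESULT> user=<name> src=<ip>" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:11 OK user=frank src=203.0.113.7
2024-05-01T09:00:20 FAIL user=alice src=198.51.100.4
2024-05-01T09:00:21 FAIL user=alice src=198.51.100.4
2024-05-01T09:00:22 FAIL user=alice src=198.51.100.4
2024-05-01T09:05:00 FAIL user=bob src=192.0.2.9
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def _verdict(fails, window, min_accounts, lockout_threshold):
    """Sliding window over one source's (time, user) failures: brute force beats spray beats nothing."""
    fails.sort()
    for i, (start, _) in enumerate(fails):
        per_user = Counter(u for ts, u in fails[i:] if ts - start <= window)
        if max(per_user.values()) >= lockout_threshold:  # one account hammered
            return "brute_force"
        if len(per_user) >= min_accounts:  # many accounts, each below lockout
            return "spray"
    return None

def classify_sources(events, window_minutes=10, min_accounts=5, lockout_threshold=3):
    """Map each source IP to 'brute_force', 'spray' or None based on its failures."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    window = timedelta(minutes=window_minutes)
    return {src: _verdict(f, window, min_accounts, lockout_threshold) for src, f in by_src.items()}

def successes_from_spraying_sources(events, verdicts):
    """Accounts that logged in successfully from a spraying source: the alert worth paging on."""
    return sorted({u for _, r, u, s in events if r == "OK" and verdicts.get(s) == "spray"})
```

Tune `min_accounts` and `lockout_threshold` to your own lockout policy; the threshold here is set just below the point where a real lockout would already have fired.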
Overall, the main signs of a password spraying attack are:
Organisations can protect themselves from password spraying attacks by following these precautions:
By enforcing the use of strong passwords, IT teams can minimise the risk of password spraying attacks.
Setting a suitable threshold for the lockout policy at domain level defends against password spraying. The threshold needs to strike a balance between being low enough to prevent attackers from making multiple authentication attempts within the lockout period, but not so low that legitimate users are locked out of their accounts for simple errors. There should also be a clear process for unlocking and resetting verified account users.
The cornerstone of the zero trust approach is providing access to only what is required at any given time to complete the task at hand. Implementing zero trust within an organisation is a key contribution towards network security.
Avoid selecting obvious usernames like john.doe or jdoe – the most common username formats – for anything other than email. Separate, non-standard logins for single sign-on accounts are one way to evade attackers.
To prevent attackers from exploiting the potential weaknesses of alphanumeric passwords, some organisations require a biometric login. Without the person present, the attacker can’t log in.
Make sure any security measures in place can quickly identify suspicious login patterns, such as a large volume of accounts attempting to log in simultaneously.
Passwords are intended to protect sensitive information from criminals. However, the average user today has so many passwords that it can be difficult to keep track of them all – particularly as each set of credentials is supposed to be unique.
To try to keep track, some users make the mistake of using obvious or easy-to-guess passwords, and often use the same password across multiple accounts. These are precisely the type of passwords that are vulnerable to password spraying attacks.
Attacker capabilities and tools have evolved considerably in recent years. Computers are much faster today at guessing passwords. Attackers use automation to attack password databases or online accounts. They have mastered specific techniques and strategies that yield more success.
For individual users, using a password manager, such as N-Able PassPortal, can help. Password managers combine complexity and length to offer up hard-to-crack passwords. They also eliminate the burden of having to remember different login details and moreover, a password manager will help to check whether there is a repetition of passwords for different services. They are a practical solution for individuals to generate, manage, and store their unique credentials.
If you're unsure of your IT requirements, or how to upgrade your existing system, book in for a free IT health check. We'll assess all of your systems and plans and come up with a solution for your individual IT needs.