When we think about password attacks, we mostly imagine a hacker trying several hundred passwords against a single account. That brute-force pattern still happens, but it is not the only one: in some cases the attacker performs password spraying instead. Let's walk through what password spraying is and what you can do to detect and prevent it.
What Is Password Spraying?
If a "normal" brute-force attack means trying many different passwords against a few accounts, password spraying is the inverse: the attacker holds a large list of account names and tries only a handful of passwords (often just one per round) against every one of them.
Attackers avoid the "normal" method when account security is tight. A well-configured system notices repeated failed logins against one account and locks it to protect the account owner. You may have experienced this yourself: enter your password incorrectly too many times and the service locks you out. Spraying sidesteps this because each account sees only one or two failures, which never reaches the lockout threshold.
If attackers use only a small number of passwords per round, which passwords do they choose? Their best bet is the most commonly used passwords on the internet, including variants such as "Password123" that satisfy typical complexity rules. That maximizes the chance of getting in through the small window that lockout policies leave open.
Do We Use Weak Passwords?
This kind of attack depends entirely on someone using a commonly used password on their account. How likely is that today?
Unfortunately, our password habits haven't improved much over the years. The NCSC ran a study with willing organizations to test how susceptible they were to a spraying attack. It found that 75% of the participating organizations had at least one account using a password from the top 1,000 list, and 87% had at least one account with a password from the top 10,000.
This is the weakness password sprayers aim to exploit. All it takes is one user in an organization with a weak password for a spraying attack to work. Once the attackers are inside that account, they use it as a foothold to go deeper into the environment.
How Does It Affect Business?
Attackers gather information about a company and its employees from freely available sources: the company website, published material, and corporate and personal social media accounts. From these they identify who works in the organization, and once they find a single username they can guess the format for everyone else, e.g. firstname.lastname. They then try passwords that are still in common use, such as "Password123", which many people fall back on, despite warnings, when they cannot think of anything else or just want something quick and easy.
If the attacker gains access to one mailbox via OWA (Outlook Web Access, which lets users read email in a browser rather than in the Outlook application), they can pull every other employee's address from the global address list and spray those accounts as well. The confidentiality of email communications is breached, and if they then reach a company server they can view private data that could be sold or used as leverage to extort a ransom.
Who Is at Risk of a Password Spraying Attack?
Typically, attackers use these attacks against big businesses and organizations. They also use password spraying against users listed in a database leak, where they hold a large number of account names but no passwords.
Any situation where an attacker has a wealth of accounts to go through but only a limited number of attempts per account is where password spraying becomes the preferred method.
Attackers choose password spraying when accounts carry a severe penalty for incorrect entries. If they obtain a list of a website's accounts but the site allows only five attempts before locking an account, they will try fewer than five of the most common passwords against every account in a round, then wait for the lockout counter to reset before starting the next round with the next password.
Are There Real Cases of Password Spraying?
In an ideal world, everyone in an organization would use a strong password and keep sprayers out. Unfortunately, attackers have had enough success with the tactic that Redmond Mag reported an uptick in password spraying cases in 2018.
Many of the attacks target businesses, presumably to steal valuable documents for profit. Organizations also tend to have a predictable username structure that makes it easy to build a list of accounts to attack.
Threatpost reported that the virtualization software company Citrix was hit by a spraying attack after one of its accounts was compromised. The attackers then used the permissions of that account to make off with valuable business documents.
The scary part of this attack is how quiet it was. Because spraying is low and slow, it tripped no alarms and raised no concern. Citrix had no idea the attack had happened until the FBI informed them, long after the attackers had come and gone.
How Can a Password Spraying Attack be Recognized and Stopped?
A password spray can be spotted in several ways. The characteristic shape is many different accounts each accumulating one or two failed logins in a short window, rather than one account accumulating many, often from a single source IP address or user agent. A sudden wave of lockouts across many accounts is another sign, produced by a clumsy spray that exceeds the threshold. Administrators can see the IP addresses users log in from and check whether they differ from the usual, and can disable accounts immediately if suspicious anomalies appear.
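The telltale shape described above, as an added example that is not code from the original article: a small Python script that parses a constructed authentication log (the log format, IP addresses and usernames are all made up for the example) and flags any source that fails against many distinct accounts while staying below the lockout threshold on each one.

```python
"""Spot password-spray activity in authentication logs.

Added example, not code from the original article. The spray signature is
many distinct accounts, one or two failures each, from one source, in a short
window; a single account racking up failures is just a user mistyping.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (made up for this example). Format: timestamp result user source_ip
# 203.0.113.7 tries one password against nine accounts and succeeds on the ninth;
# 198.51.100.22 is a legitimate user who mistypes her password three times.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL alice.smith 203.0.113.7
2024-05-01T09:00:04Z FAIL bob.jones 203.0.113.7
2024-05-01T09:00:07Z FAIL carol.white 203.0.113.7
2024-05-01T09:00:10Z FAIL dan.brown 203.0.113.7
2024-05-01T09:00:13Z FAIL erin.green 203.0.113.7
2024-05-01T09:00:16Z FAIL frank.black 203.0.113.7
2024-05-01T09:00:19Z FAIL grace.lee 203.0.113.7
2024-05-01T09:00:22Z FAIL henry.king 203.0.113.7
2024-05-01T09:00:25Z OK   eve.adams 203.0.113.7
2024-05-01T09:02:00Z FAIL alice.smith 198.51.100.22
2024-05-01T09:02:09Z FAIL alice.smith 198.51.100.22
2024-05-01T09:02:20Z FAIL alice.smith 198.51.100.22
2024-05-01T09:02:31Z OK   alice.smith 198.51.100.22
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src_ip: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append(AuthEvent(
            ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            ok=(result == "OK"),
            user=user.lower(),
            src_ip=ip,
        ))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=5):
    """Return one alert per source IP whose failures inside any `window` hit at
    least `min_users` distinct accounts while staying below `lockout_threshold`
    per account, i.e. exactly the shape that never trips a lockout."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.ok]
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e.ts - start.ts < window]
            per_user = Counter(e.user for e in in_window)
            if len(per_user) >= min_users and max(per_user.values()) < lockout_threshold:
                # A success from the same source after the spray began is the
                # account that most likely accepted the sprayed password.
                landed = sorted({e.user for e in evs if e.ok and e.ts >= start.ts})
                alerts.append({
                    "src_ip": ip,
                    "window_start": start.ts.isoformat(),
                    "users_targeted": len(per_user),
                    "max_attempts_per_user": max(per_user.values()),
                    "compromised": landed,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Grouping by source IP is the simplest cut; a sprayer rotating through proxies will split its failures across many addresses, so the same count should also be run per user agent and tenant-wide (distinct accounts with exactly one failure per day), and the "compromised" list is the first place to look when an alert fires.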
To prevent a password spraying attempt from being successful we would recommend these basic measures:
- Security policies should define which applications and data may be accessed remotely, and from where.
- Implement rules for creating strong passwords, and screen new passwords against lists of commonly used and breached passwords rather than relying on complexity rules alone.
- Introduce two-factor authentication on company applications, and make sure it covers every login path, including webmail and legacy protocols, since sprayers target whichever endpoint skips it.
Preventing Password Spraying
The solution for preventing password spraying is clear: use better passwords. Spraying depends entirely on the password being one that appears on the short list of the most commonly used passwords an attacker can afford to try.
By choosing a password that is not on those lists, you take yourself out of the pool a sprayer will test. For a start, if your password is one of the worst passwords, change it immediately!
If you want to dig a little deeper, Password Random has a list of the top 10,000 most used passwords. It contains some adult language, so be careful where you read it!
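The screening step that keeps a password out of the sprayer's pool, as an added example that is not code from the original article. It checks a candidate password at password-set time against a small constructed stand-in for a common-password list (a real deployment would load the full top-10,000 list mentioned above, or a breach corpus), after undoing the tricks users apply to a banned word: case, trailing digits and symbols, and leet substitutions. The username and organization tokens are also made up for the example.

```python
"""Screen new passwords against the lists sprayers actually try.

Added example, not code from the original article. COMMON_PASSWORDS is a
constructed excerpt standing in for a full common-password list.
"""
import re
import unicodedata

MIN_LENGTH = 12

COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "summer", "winter", "monkey", "football", "iloveyou", "admin",
}

# Leet substitutions that both users and sprayers know: P@ssw0rd -> password
LEET = str.maketrans("@$0134!5|7", "asoieaislt")


def normal_forms(pw: str) -> set[str]:
    """Return the forms a password is compared against: the casefolded string,
    that string with leading/trailing digits and symbols removed (so
    "Password123!" becomes "password"), and the leet-decoded version of each."""
    base = unicodedata.normalize("NFKC", pw).casefold()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    forms = {base, stripped, base.translate(LEET), stripped.translate(LEET)}
    forms.discard("")
    return forms


def check_password(pw: str, username: str = "", org_tokens: tuple[str, ...] = ()) -> list[str]:
    """Return the list of reasons a password is rejected; an empty list means it
    passed. Reasons: too_short, common_password, contains_username, contains_org_name."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    forms = normal_forms(pw)
    if forms & COMMON_PASSWORDS:
        reasons.append("common_password")
    haystack = " ".join(forms)
    # Username parts (alice, smith) and company names are the first things a
    # sprayer bolts a year onto, so reject them as substrings too.
    for tok in re.split(r"[^a-z0-9]+", username.casefold()):
        if len(tok) >= 3 and tok in haystack:
            reasons.append("contains_username")
            break
    for tok in org_tokens:
        if len(tok) >= 3 and tok.casefold() in haystack:
            reasons.append("contains_org_name")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ["Password123!", "P@ssw0rd2024", "Summer2023!",
                      "alice.smith!2024", "correct horse battery staple 7"]:
        print(f"{candidate!r}: {check_password(candidate, 'alice.smith') or 'accepted'}")
```

The normalization is what makes the check useful against spraying: "Password123!" satisfies every classic complexity rule (upper, lower, digit, symbol, 12 characters) and is still rejected, while a long passphrase of unrelated words passes. Run the same check against existing accounts when the list is updated, not only at password creation, since that is where the NCSC study found the weak accounts.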
How to Create Strong Passwords?
So far we have looked at what makes a weak password; what goes into a strong one? The usual tension is that the more complex a password is, the harder it is to remember. Against a sprayer, though, what matters is not complexity rules but whether the password appears on the lists attackers try: length and unpredictability beat a capital letter and a symbol bolted onto a common word.
The reason people resort to passwords like "password" or "12345" is that they are easy to remember and type. Adding a capital letter and a symbol to them does not help much, because "Password1!" is on the sprayers' lists too. A long password built from several unrelated words is both easier to remember and absent from those lists.
Thankfully, there are ways to design a password that is both strong and memorable. If your password hygiene isn't up to par, read about how to create a strong password you won't forget. And if you still struggle to remember passwords, use a good password manager, which also lets every account have a different password.
As mentioned above, password spraying is a significant problem for users and businesses that rely on weak, easily guessable passwords. Sometimes all it takes is one account with a weak password, and attackers can use that leverage to do further damage inside the system. Thankfully, by strengthening your passwords and using 2FA, you can defend yourself.
But password spraying is not the only tactic hackers use against you. Be sure to read about the most common tactics used to hack passwords so you can tighten your security further.