What Is a Password Spraying Attack?
Password spraying is a form of brute-force cyberattack in which threat actors attempt to access large numbers of accounts (usernames) with a few commonly used passwords.
How Is Password Spraying Different From Other Brute-Force Attacks?
Traditional brute-force attacks target a single account with multiple possible passwords. A password spraying campaign targets multiple accounts with one password at a time. This approach keeps the would-be attacker from raising suspicions and getting locked out for making too many failed attempts (typically three to five) within a short period of time.
During a password-spray attack (known as a “low-and-slow” method), the malicious actor often tries a series of commonly used passwords (such as ‘Password1’ or ‘Summer2017’). Hackers may gather information about employees from public sources and rely on organizations using the same usernames internally as in public domains. The hacker then combines those usernames with frequently used passwords (Password123, a date of birth, and so on) to access business accounts.
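The low-and-slow pattern described above has a detectable signature: from one source, failed logons spread across many accounts while no single account crosses the lockout threshold. The following is an added example (not part of the original article) of detection logic run over a constructed authentication log; the log format, field names, and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from a real system); one event per line.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:11 SUCCESS user=frank src=203.0.113.7
2024-03-01T09:01:00 FAIL user=alice src=198.51.100.20
2024-03-01T09:01:02 FAIL user=alice src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, src), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m[1]), m[2], m[3], m[4])


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Flag sources whose failures spread over many accounts while each account
    stays under the lockout threshold (max_per_user): the low-and-slow pattern.
    A single account hammered from one source is left to per-account lockout."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev[3]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        fails = [e for e in events if e[1] == "FAIL"]
        start = 0
        for end in range(len(fails)):  # sliding time window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(e[2] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source inside the window is a likely hit.
                hits = {e[2] for e in events if e[1] == "SUCCESS" and fails[start][0] <= e[0] <= fails[end][0] + window}
                alerts[src] = {"users": len(per_user), "max_per_user": max(per_user.values()), "successes": sorted(hits)}
    return alerts
```

Run on the sample, the spraying source is flagged with five accounts touched, one failure each, and one success; the source brute-forcing a single account is not flagged here because per-account lockout already covers it.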
Some common tactics for spraying include the following:
- Social engineering: In order to pick a legitimate target (usually an enterprise business or agency), hackers will use personal interactions and phishing emails to find lucrative targets.
- Trying common passwords: Trying common phrases like “password” or different birth date numbers can allow access to accounts where users have not chosen strong passwords.
- Gathering intelligence: Once inside the system, the hacker will attempt to access a user directory and expand the attack list.
- Exfiltration: The attacker’s tooling then looks for connected accounts that share similar or identical credentials and serve as a springboard into further systems. From there, they look to steal additional credentials and connected data in a process known as “credential stuffing.”
How Does Password Spraying Impact Business?
These attacks are incredibly damaging to SSO and federated authentication systems where a single password grants access to multiple assets or accounts. When that’s the case, a compromised account can lead very quickly to the compromise of multiple systems and business accounts.
What Do Password Spraying Attacks Typically Target?
Campaigns frequently target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. Targeting federated authentication can help mask malicious traffic while targeting SSO helps maximize access to intellectual property if the attack succeeds. Email applications also make popular targets.
Why Are Password Spraying Attacks (still) So Successful?
It’s hard to believe that this simple method still succeeds against modern cyber defenses. Password spraying relies on the fact that many people don’t change their passwords from defaults provided by a system admin, and that many use, and reuse, common options and easy-to-guess phrases to make remembering passwords easier. Attacks also leverage the fact that many fail to rotate passwords often enough.
Preventing password spraying
The simplest way to prevent password spraying, credential stuffing, and other credential-based attacks is by rolling out a passwordless authentication solution that does not rely on “what users know”—their passwords—as the first factor of authentication.
Passwordless MFA removes vulnerable passwords, taking away one of hackers’ favorite go-to techniques for gaining initial access. Passwordless MFA also represents a huge step forward toward Zero Trust security postures as defined by many industry mandates and standards.