Password spraying is a type of brute force attack which involves a malicious actor attempting to use the same password on multiple accounts before moving on to try another one. Password spraying attacks are often effective because many users use simple and easy-to-guess passwords, such as “password” or “123456” and so on.
In many organizations, users are locked out after a certain number of failed login attempts. Because password spraying attacks involve trying one password against multiple accounts, they avoid the account lockouts that typically occur when brute forcing a single account with numerous passwords.
A particular feature of password spraying – as the word ‘spraying’ implies – is that it can target thousands or even millions of different users at once, rather than just one account. The process is often automated and can take place over time to evade detection.
Password spraying attacks often take place where the application or admin within a particular organization sets a default password for new users. Single sign-on and cloud-based platforms can also prove particularly vulnerable.
While password spraying might seem simplistic compared to other types of cyber attacks, even sophisticated cybercrime groups use it. For example, in 2022, the US Cybersecurity & Infrastructure Security Agency (CISA) issued an alert about state-sponsored cyber actors, listing various tactics they use to gain access to targeted networks – and password spraying was included.
Password spraying attacks typically involve these stages:
Step 1: Cybercriminals buy a list of usernames or create their own list
To initiate a password spraying attack, cybercriminals often start by buying lists of usernames – lists which have been stolen from various organizations. It’s estimated that there are over 15 billion credentials for sale on the dark web.
Alternatively, cybercriminals may create their own list by following the formats that corporate email addresses follow – for example, email@example.com – and using a list of employees obtained from LinkedIn or other public information sources.
Cybercriminals sometimes target specific groups of employees—finance, administrators, or the C-suite – since targeted approaches can yield better results. They often target companies or departments using single sign-on (SSO) or federated authentication protocols – that is, the ability to log in to Facebook with your Google credentials, for example – or that have not implemented multi-factor authentication.
Step 2: Cybercriminals obtain a list of common passwords
Password spraying attacks incorporate lists of common or default passwords. It’s relatively straightforward to find out what the most common passwords are – various reports or studies publish them each year, and Wikipedia even has a page which lists the most common 10,000 passwords. Cybercriminals may also do their own research to guess passwords – for example, by using the name of sports teams or prominent landmarks local to a targeted organization.
Step 3: Cybercriminals try out different username/password combinations
Once the cybercriminal has a list of usernames and passwords, the aim is to try them until finding a combination that works. Often, the process is automated with password spraying tools. Cybercriminals use one password for numerous usernames, and then repeat the process with the next password on the list, to avoid falling foul of lockout policies or IP address blockers which restrict login attempts.
Once an attacker accesses an account via a password spray attack, they will be hoping that it contains information valuable enough to steal or has sufficient permissions to further weaken the organization’s security measures to gain access to even more sensitive data.
Password spraying attacks, if successful, can cause significant damage to organizations. For example, an attacker using apparently legitimate credentials can access financial accounts to make fraudulent purchases. If undetected, this can become a financial burden on the affected business. Recovery time from a cyberattack can take up to a few months or more.
As well as impacting an organization’s finances, password spraying can significantly slow down or disrupt daily operations. Malicious companywide emails can reduce productivity. A business account takeover by the attacker could steal private information, cancel purchases, or change the delivery date for services.
And then there is reputational damage – if a business is breached in this way, customers are less likely to trust that their data is safe with that company. They may take their business elsewhere, causing additional harm.
"I was asked to change my password when my bank was targeted by a password spraying attack. Malicious actors were able to try millions of username and password combinations against the bank's customers - and unfortunately, I was one of them."
A password spraying attack attempts to access a large volume of accounts with a few commonly used passwords. By contrast, brute force attacks attempt to gain unauthorized access to a single account by guessing the password – often using large lists of potential passwords.
In other words, brute force attacks involve many passwords for each username. Password spraying involves many usernames to one password. They are different ways of performing authentication attacks.
Password spraying attacks typically cause frequent, failed authentication attempts across multiple accounts. Organizations can detect password spraying activity by reviewing authentication logs for system and application login failures of valid accounts.
Overall, the main signs of a password spraying attack are:
Organizations can protect themselves from password spraying attacks by following these precautions:
Implement a strong password policy
By enforcing the use of strong passwords, IT teams can minimize the risk of password spraying attacks. You can read about how to create a strong password here.
Set up login detection
IT teams should also implement detection for login attempts to multiple accounts that occur from a single host within a short time period – as this is a clear indicator of password spraying attempts.
Ensuring strong lockout policies
Setting a suitable threshold for the lockout policy at domain level defends against password spraying. The threshold needs to strike a balance between being low enough to prevent attackers from making multiple authentication attempts within the lockout period, but not so low that legitimate users are locked out of their accounts for simple errors. There should also be a clear process for unlocking and resetting verified account users.
Adopt a zero trust approach
A cornerstone of the zero trust approach is providing access to only what is required at any given time to complete the task at hand. Implementing zero trust within an organization is a key contribution towards network security.
Use a non-standard username convention
Avoiding selecting obvious usernames like john.doe or jdoe – which are the most common methods for usernames – for anything other than email. Separate non-standard logins for single sign on accounts is one way to evade attackers.
To prevent attackers from exploiting the potential weaknesses of alphanumeric passwords, some organizations require a biometric login. Without the person present, the attacker can’t log in.
Look out for patterns
Make sure any security measures in place can quickly identify suspicious login patterns, such as a large volume of accounts attempting to log in simultaneously.
Passwords are intended to protect sensitive information from bad actors. However, the average user today has so many passwords that it can be difficult to keep track of them all – particularly as each set of credentials is supposed to be unique.
To try to keep track, some users make the mistake of using obvious or easy-to-guess passwords, and often use the same password across multiple accounts. These are precisely the type of passwords that are vulnerable to password spraying attacks.
Attacker capabilities and tools have evolved considerably in recent years. Computers are much faster today at guessing passwords. Attackers use automation to attack password databases or online accounts. They have mastered specific techniques and strategies that yield more success.
For individual users, using a password manager, such as Kaspersky Password Manager, can help. Password managers combine complexity and length to offer up hard-to-crack passwords. They also eliminate the burden of having to remember different login details and moreover, a password manager will help to check whether there is a repetition of passwords for different services. They are a practical solution for individuals to generate, manage, and store their unique credentials.