Password Spraying Attack
What is a Password Spraying Attack?
A password spraying attack is a type of brute force attack where a hacker, much like the name implies, “sprays” an authentication server with combinations of usernames and common passwords. Attackers often run through lists of commonly used passwords that are freely available on the web. The unique nature of this attack lets hackers slip past defenses that otherwise stop conventional brute force attempts.
These attacks are common against organizations where usernames are easy to guess ([email protected]). Attackers also typically go after organizations that use Single Sign-On (SSO), because it guards highly sensitive data and intellectual property. And since SSO is intended to make access to a variety of resources easier, a single compromised login lets the attacker view information across all aspects of the organization and wreak more havoc.
How a Password Spraying Attack Works
An attacker planning a password spraying attack must do some research first. They select an organization that uses an easily guessed username convention, or they buy lists of usernames for sale on the dark web. The attacker does not want to get blocked for spamming the server with attempts against accounts that don’t exist.
The attacker then uses a program that attempts to log in to those accounts using commonly used passwords. To avoid being detected:
- The hacker tries a single password against every username on the list
- If no account accepts that username and password combination, they move on to the next password on their list
- They repeat this process until they gain access
Because each username sees only one attempt per pass, this method keeps the attacker from triggering the lockouts that fire after repeated failures against the same account.
Once an account is compromised, the attacker hopes it either has access to what they are looking to steal or holds enough permissions to further weaken the organization’s security measures and reach even more sensitive data.
Examples of Password Spraying Attacks
Some common real-world examples of these types of attacks are:
- While IT took measures to secure the company network, it assigned usernames following a predictable convention (i.e., jsmith, ngrace, etc.). An attacker picks up on this and obtains a list of known employees. Combining that list with a password spraying attack, the attacker compromises several accounts.
- An attacker aims to compromise the account of an executive to read through their email for sensitive data. Password spraying is a common vector against IMAP servers, which often lack the security and protection of web-based applications.
How to Protect Against a Password Spraying Attack
Protecting yourself from password spraying attacks is relatively straightforward if you follow these guidelines:
- Eliminate passwords: The ONLY way to ensure that you cannot be a victim of password spraying is to eliminate passwords altogether. Learn more about passwordless authentication today and keep your most critical applications secure.
- Use biometrics: To prevent attackers from using the inherent weaknesses of alphanumeric passwords, require a biometric login. Without the person present, the attacker won’t be able to log in.
- Watch for patterns: Make sure the security measures in place can quickly detect suspicious login patterns, in this case a large number of different accounts attempting to log in at nearly the same time, typically from the same source.
- Implement zero trust policies: Grant access only to what is required at any given time to complete the task at hand. Implementing zero trust in your organization is a great first step towards overall network security.
- Set lockouts to occur quickly: Set account lockouts to trigger after successive failed login attempts regardless of when they happen, not just within a set period of time. Also set a low threshold, three or less. While it may lead to some frustration at times, it lowers your overall security risk.
- Use a non-standard username convention: Avoid the trap of selecting usernames like john.smith or jsmith, which are the most common username formats for anything other than e-mail. Separate, non-standard logins for SSO accounts are one way to fool attackers.
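The “watch for patterns” guideline above is the one defenders can automate: a spray produces few failures per account but many distinct accounts failing from one source in a short window, so a per-account lockout never fires while a per-source account count does. The following is an added example, not code from the original page; the log line format, field names and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original page): one source tries a
# single password against many accounts and finally hits; a second source is a
# real user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=jsmith src=203.0.113.7
2024-05-01T09:00:04 FAIL user=ngrace src=203.0.113.7
2024-05-01T09:00:07 FAIL user=bwong src=203.0.113.7
2024-05-01T09:00:10 FAIL user=lpatel src=203.0.113.7
2024-05-01T09:00:13 FAIL user=mkim src=203.0.113.7
2024-05-01T09:00:16 OK user=tlee src=203.0.113.7
2024-05-01T09:01:00 FAIL user=jsmith src=198.51.100.9
2024-05-01T09:01:30 FAIL user=jsmith src=198.51.100.9
2024-05-01T09:02:00 OK user=jsmith src=198.51.100.9
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, src)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: report} for every source that fails against at least
    `min_accounts` distinct usernames inside any span of length `window`.
    Grouping by source and counting *accounts* (not failures per account)
    is what makes a low-and-slow spray visible."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, result, user, src = parse_line(line)
        events[src].append((ts, result, user))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, r, u in evs if r == "FAIL"]
        lo = 0
        for hi in range(len(fails)):
            # slide the window start so fails[lo:hi+1] spans at most `window`
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            users = {u for _, u in fails[lo:hi + 1]}
            if len(users) >= min_accounts:
                # a success from the same source after the spray began is a hit
                hits = sorted(u for ts, r, u in evs
                              if r == "OK" and ts >= fails[lo][0])
                findings[src] = {"accounts_tried": len(users), "hits": hits}
                break
    return findings
```

On the sample log the spraying source is flagged with five accounts tried and one successful login, while the mistyping user is ignored because every failure is against a single account.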