Password Spraying: How Common Passwords Threaten Your Organization

When attackers target your organization with a password spraying attack, they are betting that at least one of your employees is logging in with a commonly used password. Threat actors favor this method because it can be run slowly enough to avoid triggering account lockouts. Password spraying is just one type of password attack that could hit your organization, and attacks like it are on the rise. Since remote work has increased dramatically during the pandemic, cybercriminals are more active than ever before. Shoring up your cybersecurity processes and procedures will be essential to protecting against account takeovers in the coming years. Luckily, there are a few simple, proactive steps you can take to mitigate password spray attacks and other credential-based attacks and to protect your client and employee accounts from these actors.

A Low and Slow Brute Force Attack

There are two types of targets in password-based attacks: a one-off, higher-value individual whose accounts will enable top-level access, and lower-level volume accounts that could be used to gain a foothold in an organization. Direct brute force attacks usually target the former, higher-level usernames: the attacker attempts to gain access by firing off millions of passwords at a single account. Password spray attacks take the opposite approach. They rely on trying a few commonly used passwords against a large number of accounts. Threat actors “spray” thousands, potentially millions, of usernames with a familiar, easy-to-guess password, assuming that within a large group of people at least one is likely to be using it. Unfortunately, these attackers are usually not wrong. A research study conducted by the National Cyber Security Centre revealed that 75% of participants’ organizations had accounts using a password from the top 1,000 list, and 87% had passwords in the top 10,000.

Password spraying is also alarmingly effective because it spaces out its guesses slowly enough to stay below the lockout threshold configured on most login systems. For this reason, it is considered a low and slow brute force attack. Threat actors can employ password spray attacks against both kinds of targets: high-profile individuals and volume accounts.
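The low-and-slow pattern described above is exactly what a defender can look for in authentication logs: one source failing against many distinct accounts while no single account ever reaches the lockout limit. The following is an added example, not code from the original article; the log format, the thresholds and the sample log lines are constructed assumptions.

```python
# Flag a low-and-slow password spray in authentication logs. Added example, not
# code from the article; the log format "<timestamp> <source_ip> <user> FAIL|OK"
# and the thresholds are constructed assumptions. A spray looks like one source
# failing against MANY accounts with FEW failures each, i.e. under the lockout limit.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5         # assumed per-account lockout policy
SPRAY_ACCOUNTS = 4            # distinct accounts failing from one source -> alert
WINDOW = timedelta(hours=24)  # long window on purpose: we want the SLOW campaigns

# Constructed sample log: 198.51.100.7 tries one guess per hour against a new
# user each time (spray); 203.0.113.9 is just a user mistyping his own password.
SAMPLE_LOG = """\
2021-03-01T01:00:00 198.51.100.7 alice FAIL
2021-03-01T02:00:00 198.51.100.7 bob FAIL
2021-03-01T03:00:00 198.51.100.7 carol FAIL
2021-03-01T04:00:00 198.51.100.7 dave FAIL
2021-03-01T05:00:00 198.51.100.7 erin FAIL
2021-03-01T05:05:00 198.51.100.7 erin OK
2021-03-01T09:00:00 203.0.113.9 frank FAIL
2021-03-01T09:01:00 203.0.113.9 frank OK
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log):
    """Return {source_ip: (sprayed_accounts, accounts_that_then_logged_in_OK)} for
    sources whose failures inside one WINDOW hit >= SPRAY_ACCOUNTS distinct accounts,
    each below LOCKOUT_THRESHOLD. The second list is the account-takeover shortlist."""
    fails, oks = defaultdict(list), defaultdict(set)   # both keyed by source ip
    for ts, ip, user, result in sorted(parse(log)):
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            oks[ip].add(user)
    alerts = {}
    for ip, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):  # slide the window over each start
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start <= WINDOW:
                    per_user[user] += 1
            if len(per_user) >= SPRAY_ACCOUNTS and max(per_user.values()) < LOCKOUT_THRESHOLD:
                alerts[ip] = (sorted(per_user), sorted(oks[ip]))
                break
    return alerts
```

Note that a per-account lockout counter alone never fires on this log, because no account fails more than once; the signal only appears when failures are grouped by source rather than by account.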

How the Pandemic Has Accelerated Targeted Attacks

Cybercriminals have successfully used password spray attacks to gain unauthorized access to some of the world’s largest companies. In 2019, Citrix revealed that international cybercriminals had broken into its internal network via compromised user accounts and lurked, undetected, for six months. How did they get in? A password spray campaign.

In May last year, a joint report from the National Cyber Security Centre and the U.S. Cybersecurity and Infrastructure Security Agency warned that experts expected a surge of password spraying attacks against healthcare organizations involved in the pandemic response.

The pandemic has changed how many of us connect to our work. Today, more workers are logging into company systems from their homes, and the shift towards remote working is unlikely to reverse. Password reuse and poor cybersecurity practices at home will make it easier for criminals to carry out password spraying attacks in 2021. According to McAfee’s 2021 Threat Predictions Report, there was a 50% increase in enterprise cloud use during the first four months of 2020. This corresponds to a surge in attacks on cloud accounts, a 630% increase overall. Proper password security will be crucial as more individuals log in via remote, cloud-based applications.

How to Protect Your Business from Password Spray Attacks (and other credential-based attacks)

A healthy cybersecurity strategy requires a comprehensive and proactive approach that protects not only against password spray attacks but against the full range of possible password-based intrusions. When the security of your business, your employees, and your clients is at stake, you want to take every possible precaution against fraudulent activity and data breaches.

  • Compliance with NIST Standards
    The new NIST guidelines for proactive password policies encourage screening for commonly used and compromised passwords to prevent people from selecting these easy-to-guess passwords. Keeping an up-to-date blacklist of passwords helps weed out the commonplace passwords that hackers are likely to try in a volume attack. Even a previously “strong” password could be compromised if bad actors have discovered it in a different data breach.
  • Multi-Factor Authentication (MFA)
    It may seem like extra work, but adding multi-factor authentication (MFA) is well worth the effort. By requiring additional factors to access an account, MFA minimizes the risk that an attacker who guesses a password in a spraying attack can actually use it. Though MFA is not a substitute for a strong password policy, the added layers of security help tremendously in the fight against password attacks. You can deploy many different types of MFA, from biometrics to push notifications. Find the right combination of layers for your cybersecurity strategy to maximize protection.
  • Strong Passwords
    One of the best ways to prevent a successful password spraying attack is, of course, to have strong passwords that hackers are unlikely to guess in the first place. But what defines a “strong” password has changed a lot over time. NIST revised its guidelines in 2017 to move away from the stringent composition requirements (a number, an upper-case letter, a lower-case letter, etc.). Research showed that humans have trouble memorizing such passwords, leading to less password variance, not more.
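The NIST-style screening from the first bullet, shown as a small password-change hook. This is an added example and not the article’s or NIST’s code; the blocklist and the organisation terms are constructed stand-ins for a real top-N and breached-password list, and normalising variants such as “P@ssw0rd2021!” before the lookup is an assumption about how such screening is usually done, not something the article specifies.

```python
# Screen a candidate password against a blocklist before accepting it, as the
# NIST guidance recommends. Added example, not the article's code. BLOCKLIST and
# ORG_TERMS are tiny constructed stand-ins for a real, continuously updated list
# ("Acme" is a hypothetical organisation); the normalisation is an assumption.
import re

BLOCKLIST = {"password", "123456", "qwerty", "letmein", "summer", "welcome"}
ORG_TERMS = {"acme", "acmecorp"}   # business-specific words attackers would try first
MIN_LENGTH = 8                      # NIST SP 800-63B minimum for user-chosen secrets
LEET = str.maketrans("@$!01345", "asiolase")  # common symbol/digit-for-letter swaps

def normalize(pw):
    """Reduce a password to the word it is built on: lower-case it, strip the
    leading/trailing digits and symbols people bolt on ("2021!"), then undo
    simple leetspeak. Stripping happens first so that "0"/"1" used as padding
    are removed rather than turned into letters."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)

def check_password(pw, username, blocklist=BLOCKLIST, org_terms=ORG_TERMS):
    """Return None if the password passes screening, otherwise the reason.
    Both the raw (lower-cased) value and its normalised core are looked up,
    so "Summer2021" is rejected, not only "summer"."""
    if len(pw) < MIN_LENGTH:
        return "too short"
    core = normalize(pw)
    if pw.lower() in blocklist or core in blocklist:
        return "common or previously breached password"
    if core in org_terms or core == username.lower():
        return "derived from organisation name or username"
    return None

# Constructed candidates. "Winter2021" passes only because the stand-in list is
# tiny; a regionalised, current list would catch it, which is the article's point.
CANDIDATES = ["P@ssw0rd2021!", "Summer2021", "Acme2021!", "alice1234",
              "Winter2021", "correct horse battery staple"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        print(f"{pw!r}: {check_password(pw, 'alice') or 'accepted'}")
```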

There are multiple types of password-based attacks that hackers can use to get into your systems. Find a solution that addresses all of these attack vectors to truly safeguard your password layer. The safest way to be sure your passwords are strong and secure is to check them against password blacklists, including regionalized and business-specific lists. Continuous monitoring against common and previously breached passwords, along with regular auditing against a continuously updated database, is a simple, straightforward measure that makes maintaining proactive password security much more manageable.