What Is Password Spraying and How to Protect Your Passwords Against It?
When we're talking about the security of our accounts, we usually talk about passwords because people often assume that if your password is compromised, your account is compromised. That's not completely true, though. Even if they do have the password, the hackers can't break in without the other piece of information that you enter on most login forms – the username. People simply don't realize how important the username is. Hackers, however, do. That's how they came up with an attack called password spraying.
Usually, when crooks want to compromise an account, they take the username (which is often our email address) and try it in combination with many different passwords. They use automated tools that rely either on long lists of common passwords or on an algorithm that mixes characters at random. This is the typical brute-force attack in which the criminals have already identified the user, and they just need to find the password.
In a password spraying attack, it's the other way around. They know (or rather, assume) that at least one user has used a given password. They just need to find out who that person is. To do that, they need two lists – one with passwords and one with usernames. The list of passwords is much shorter than it would be in a traditional brute-force effort, and the entries in it must be relevant (for example, if they're mounting an attack on Amazon users, the hackers would make sure that "amazon" is somewhere near the top of the password list). As for the usernames, the way they are gathered depends on the target.
The crooks take the first password on the list (e.g., "amazon") and try it in combination with all the different usernames. Then, they take the second password and do the same, and so on. Depending on the target, the goal is to either compromise as many users as possible or to break into one account which would give crooks the opportunity to further infiltrate the system.
When do hackers use password spraying?
In fairness, while you definitely must not use "amazon" as the password for your Amazon account, we should probably note that a password spraying attack on a big online platform is not very likely. It is true that many people use atrociously simple passwords, but there's little point in taking one of those passwords and then trying it out with millions upon millions of email addresses.
It's much easier to take a database that's been leaked during a data breach incident and try out a credential stuffing attack, for example. Even if you don't have a leaked data dump, the nearly unlimited number of possible usernames makes guessing the password a far more practical approach.
In an enterprise environment, however, things are much different. Usually, at an organization, there's a limited number of failed login attempts for every account, which means that hackers can't try out one email address with tens of thousands of different passwords in the hope of guessing the right combination. The lockout mechanism will likely kick in long before they manage to find a match.
At the same time, a company has a certain (not very big) number of employees, and hence not that many possible usernames. Often, obtaining them is as simple as opening the About Us page. And as for the password, since they know who they're trying to compromise, the hackers can make a more educated guess. If they're attacking Nike, for example, they're much more likely to include "just-do-it!" in their password list than "adidas-rocks!".
Suddenly, a password spraying attack starts to make much more sense, and protecting yourself and your company from it becomes a necessity.
Preventing a successful password spraying attack
In March, Microsoft, the developer of Azure AD (an identity management system used by many enterprises), saw an uptick in the number of password spraying attacks, and they put together a list of tips that are supposed to help sysadmins fortify their enterprises' systems and prevent intrusion.
As you might have guessed already, there are many things you can do to prevent a password spraying attack – limiting access from outside the office, locking out IPs that make too many failed login attempts, hiring a penetration testing team to assess the state of your company's IT infrastructure, etc. There are a couple of simpler steps that can do the job, though – implementing multi-factor authentication for all users and employing more complex passwords.
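The two lockout rules above behave very differently against a spray. A per-account counter never fires when each account sees a single failure, while a per-source rule that counts distinct usernames does. The following added example (not code from the article, Microsoft or Azure AD) runs both rules over a small constructed authentication log; the log lines, the IP addresses, the 15-minute window and the thresholds of 5 are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for this example (not data from the
# article): "timestamp result username source_ip". The first source touches
# six different accounts with one failure each, so a per-account lockout
# never fires, yet the pattern is exactly one password tried across many
# usernames. The second source is an ordinary user mistyping their password.
SAMPLE_LOG = """\
2024-03-04T09:00:01 FAIL alice 203.0.113.7
2024-03-04T09:00:03 FAIL bob 203.0.113.7
2024-03-04T09:00:05 FAIL carol 203.0.113.7
2024-03-04T09:00:07 FAIL dave 203.0.113.7
2024-03-04T09:00:09 FAIL erin 203.0.113.7
2024-03-04T09:00:11 FAIL frank 203.0.113.7
2024-03-04T09:00:13 OK grace 203.0.113.7
2024-03-04T09:01:00 FAIL alice 198.51.100.2
2024-03-04T09:01:30 FAIL alice 198.51.100.2
2024-03-04T09:02:00 OK alice 198.51.100.2
2024-03-04T09:05:00 FAIL bob 192.0.2.9
"""

# Assumed policy thresholds; tune them to your own environment.
PER_ACCOUNT_LOCKOUT = 5    # failures on one account within WINDOW -> account locked
SPRAY_DISTINCT_USERS = 5   # distinct accounts failing from one IP within WINDOW -> alert
WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Turn the text log into (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, result, user, ip = line.split()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def account_lockouts(events, threshold=PER_ACCOUNT_LOCKOUT, window=WINDOW):
    """Accounts a classic per-user lockout would lock: >= threshold failures within window."""
    fails = defaultdict(list)
    for ts, result, user, _ in events:
        if result == "FAIL":
            fails[user].append(ts)
    locked = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return locked


def spray_sources(events, min_users=SPRAY_DISTINCT_USERS, window=WINDOW):
    """Source IPs whose failures cover >= min_users distinct accounts within window.

    Per-account counters miss this pattern because each account may see only
    one failure. Returns {ip: sorted list of accounts it failed against}.
    """
    fails_by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    suspects = {}
    for ip, attempts in fails_by_ip.items():
        attempts.sort()
        for i, (start_ts, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start_ts <= window}
            if len(users) >= min_users:
                suspects[ip] = sorted(users)
                break
    return suspects


def compromised_candidates(events, suspects):
    """Successful logins from an IP already flagged as spraying: investigate these first."""
    hits = defaultdict(list)
    for _, result, user, ip in events:
        if result == "OK" and ip in suspects:
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", account_lockouts(ev) or "none")
    spray = spray_sources(ev)
    print("spraying sources:", spray)
    print("accounts that accepted a login from a spraying IP:", compromised_candidates(ev, spray))
```

On the sample log, the per-account rule locks nobody, the per-source rule flags 203.0.113.7 for failing against six accounts in twelve seconds, and the successful login for grace from that same address is the one to investigate first. In a real deployment the same logic would run over the identity provider's sign-in log, and the source key could be a username-agnostic signal such as IP, ASN or user agent rather than the single IP used here.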
You shouldn't forget that a password spraying attack still relies on guessing a password that was created by a human being. Human beings, as we've established in many other articles, aren't terribly good at creating hard-to-guess passwords. Ban obvious and simple passwords and, ideally, force users to use a password manager that will not only create complex passwords but will also store them.
Multi-factor authentication is the other simple mechanism that can stop a password spraying attack in its tracks. Even with the correct username and password combination, hackers can't break in if an additional piece of information is required. Good identity management systems have different multi-factor authentication mechanisms. All sysadmins need to do is check them out and see which one suits their needs the best.
Password spraying might seem like a lot of work, but you mustn't forget that we're talking about an enterprise environment where compromising a single account sometimes gives hackers the ability to move throughout the system. That's why the threat shouldn't be underestimated, and the necessary precautions should be put in place.