
    Password Spraying: How to Spot and Avoid These Attacks

    Password spraying is an attack that attempts to access numerous accounts with a few commonly used passwords. Here’s how you can detect and prevent spraying attacks.

    by Mercedes Cardona

    Key Points

    • Password spraying attacks exploit employees with weak cyber hygiene.
    • This crude form of attack is alive and well in 2022.
    • Ultimately, going “passwordless” may be your best defense.

    The humble password turned 60 in 2021, but it’s nowhere near retirement. In fact, it’s still the source of many headaches. One of them, password spraying, has become common enough that the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, circulated an advisory urging systems administrators to be on guard.[i] Microsoft has reported that password spraying accounts for up to a third of account compromises in organizations.[ii]

    What is password spraying? Simply put, it’s like a burglar ringing every bell on a building’s intercom until someone buzzes him in, then breaking into an apartment. Attackers take a short list of common passwords, such as “Pswd123” for those who never changed the starter password they were given when joining an organization, and try each one against a long list of accounts, usually with bots automating the repetitive work.

    Password spraying is one type of “brute force” attack. Others include dictionary attacks and automated guessing of likely character combinations, sometimes seeded with personal details gathered through social engineering, that barrage one or a few accounts with many passwords. There’s also “credential stuffing,” which takes passwords stolen in the breach of one site and submits them to dozens or hundreds of other sites, counting on users having reused them.

    Password spraying counts on users who don’t practice good password hygiene; indeed, recent research showed that only 15% of passwords are unique.[iii] A spraying attack starts from a list of usernames or email addresses and lobs weak passwords like “111111” or “qwerty” at each of them to get through sign-on.

    How Do Password Spraying Attacks Work? 

    Since organizations have mounted defenses against brute force attacks by locking accounts after a number of failed guesses, attackers have changed tactics. Like the burglar, they don’t want repeated attempts to get into the building, or in this case the network, to trip any alarms.

    Rather than try many passwords against one account, a spraying attack targets single sign-on services and other cloud-based identity platforms by “spraying” one candidate password at a time across every user, so that no single account accumulates enough failures to trigger the automatic lockout. Attackers typically wait out the lockout observation window before trying the next password on their list. Once one user’s credentials are accepted, it’s a matter of moving across the network to steal data or plant malware.

    How to Detect a Password Spraying Attack 

    Password spraying doesn’t require much skill, and the traffic it generates has a distinctive shape, so detecting it is not that difficult. Security teams can spot a spray from a few telltale signs, usually involving a high volume of login activity: a spike in failed logins spread thinly across many active accounts, often from a single source IP or a small set of them, with each account seeing only one or two failures; failed logins against inactive or non-existent accounts; and a successful login from the same source shortly after that string of failures.
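    The following script, added here as an illustration and not part of the original article, shows what the “one password per account, below the lockout threshold” pattern from the previous section looks like in an authentication log and how the telltale signs above can be turned into a detection rule. The log format, the account directory, the IP addresses and the thresholds are constructed assumptions; a real deployment would read the same fields from the identity platform’s sign-in logs and would use a sliding window rather than hourly buckets.

```python
"""Spot a password spray in authentication logs.

Added example, not code from the original article. The log format, the
account list, the IP addresses and the thresholds are constructed
assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed tenant policy: an account locks after this many consecutive failures.
LOCKOUT_THRESHOLD = 5
# One source failing against at least this many distinct accounts is suspicious.
MIN_SPRAYED_ACCOUNTS = 5

# Constructed directory: any other username is a non-existent account.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin", "frank"}

# Constructed log, one event per line: "<ISO timestamp> <source IP> <user> <result>".
SAMPLE_LOG = """\
# legitimate user who mistypes three times, then gets it right
2022-05-10T08:58:30 198.51.100.4 frank FAIL
2022-05-10T08:58:41 198.51.100.4 frank FAIL
2022-05-10T08:58:55 198.51.100.4 frank FAIL
2022-05-10T08:59:10 198.51.100.4 frank SUCCESS
# spray round 1: one guess per account, far below the lockout threshold
2022-05-10T09:00:01 203.0.113.7 alice FAIL
2022-05-10T09:00:02 203.0.113.7 bob FAIL
2022-05-10T09:00:03 203.0.113.7 carol FAIL
2022-05-10T09:00:04 203.0.113.7 dave FAIL
2022-05-10T09:00:05 203.0.113.7 erin FAIL
2022-05-10T09:00:06 203.0.113.7 frank FAIL
2022-05-10T09:00:07 203.0.113.7 admin FAIL
2022-05-10T09:00:08 203.0.113.7 jsmith FAIL
# unrelated successful login in the same hour
2022-05-10T09:05:12 192.0.2.10 alice SUCCESS
# spray round 2, 45 minutes later, with the next password on the list
2022-05-10T09:46:01 203.0.113.7 alice FAIL
2022-05-10T09:46:02 203.0.113.7 bob FAIL
2022-05-10T09:46:03 203.0.113.7 carol FAIL
2022-05-10T09:46:04 203.0.113.7 dave FAIL
2022-05-10T09:46:05 203.0.113.7 erin SUCCESS
2022-05-10T09:46:06 203.0.113.7 frank FAIL
2022-05-10T09:46:07 203.0.113.7 admin FAIL
2022-05-10T09:46:08 203.0.113.7 jsmith FAIL
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed line format; lines starting with '#' are comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_ip, user, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), src_ip, user, result == "SUCCESS"))
    return events


def detect_spraying(events: list[AuthEvent], known_accounts: set[str]) -> list[dict]:
    """Group events by (source IP, hour). A spray looks like many accounts with
    few failures each: the inverse of a brute force against one account."""
    by_source_hour: dict[tuple[str, datetime], list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_source_hour[(e.src_ip, e.ts.replace(minute=0, second=0, microsecond=0))].append(e)

    alerts = []
    for (src_ip, hour), evs in sorted(by_source_hour.items()):
        failures_per_user: dict[str, int] = defaultdict(int)
        for e in evs:
            if not e.success:
                failures_per_user[e.user] += 1
        if len(failures_per_user) < MIN_SPRAYED_ACCOUNTS:
            continue  # one user mistyping a password is not a spray
        alerts.append({
            "src_ip": src_ip,
            "hour": hour.isoformat(),
            "accounts_tried": len(failures_per_user),
            # stays under LOCKOUT_THRESHOLD, which is why per-account lockout never fired
            "max_failures_per_account": max(failures_per_user.values()),
            # guesses against accounts that do not exist: a classic spray tell
            "unknown_accounts": sorted(u for u in failures_per_user if u not in known_accounts),
            # a success from the same source after a failure: reset these first
            "likely_compromised": sorted({e.user for e in evs if e.success and e.user in failures_per_user}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(parse_log(SAMPLE_LOG), KNOWN_ACCOUNTS):
        print(alert)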

    Three Steps to Take if You Suspect a Password Spraying Attack    

    Once a password spraying attack is launched, it moves quickly, so a quick reaction is key to heading off the attackers and minimizing their damage. 

    • Change all admin passwords: Merely getting into an account is not the end goal for attackers, who intend to reach databases and other network assets, so keeping them off your most privileged administrative accounts is the top priority. Reset any account whose password was accepted during the spray as well, and invalidate its active sessions so a stolen login cannot outlive the password change.
    • Check your login settings: If your organization uses a single sign-on (SSO) or identity and access management (IAM) platform, make sure it is configured to record and correlate failed logins across all the resources behind it; a spray that spreads one failure per account across many applications is invisible to per-application thresholds. This extra visibility will speed threat response.
    • Activate your threat response plan: All organizations today depend on digital systems to operate, so they should have an established cyberattack response plan. This should include data backups and incident response communication chains to maintain operations and speed response times. These plans should be audited and updated regularly.

    How to Prevent Password Spraying 

    Administrators can improve their reaction time by setting up monitoring that flags an anomalously high volume of failed login attempts, so they are alerted as soon as a potential attack is in progress. But since password spraying attacks are both common and fast-moving, the best defense is to remove the conditions that let them succeed in the first place. Avoid becoming prey by adopting a few best practices to prevent password spraying.

    Some proactive actions to reduce the risk of password spraying: 

    • Leverage multifactor authentication (MFA) for all users: Requiring a one-time code or another factor means a guessed password alone does not grant access, which short-circuits password spraying. Prefer phishing-resistant factors where you can, and make sure no legacy sign-in path remains that accepts a password without the second factor, because that is where a sprayer will go next.
    • Improve security awareness: Schedule regular security awareness training sessions to share information on active threats and impress on the staff the importance of password security. Encourage users to adopt password vaults and other tools that generate and store strong, unique passwords.
    • Review your organization’s password management regularly: No one should be using “password123.” Enforce strong passwords, and require a change when there is evidence of compromise rather than on a fixed schedule; mandatory periodic rotation tends to produce predictable variants such as “Winter2022!” followed by “Spring2023!”, which is exactly what spray lists contain. Establish a blocklist of common passwords and of terms people in your business may be tempted to use. For instance, “marketing” should not appear in a password used by your marketing staff.
    • Establish and enforce a lock-out policy: Lock accounts after repeated failures and make a password change compulsory after a lockout, but remember that per-account lockout is precisely the control a spray is designed to stay under, so pair it with throttling or blocking by source IP and alerts on failures spread across many accounts. Train your help desk to unlock user accounts while verifying the user’s identity with minimal inconvenience, and review those procedures regularly to keep up with threats.
    • Run penetration testing: Live-testing your login flow, including a simulated spray against a set of test accounts, shows whether lockout, logging and alerting actually trigger, and exposes back doors and vulnerabilities in the organization’s login process, preferably before a real password spraying attack does.
    • Go passwordless: The password has already reached retirement age, and with smartphones and biometrics widely available, it’s old-school security. Identity validation with a fingerprint or facial recognition on a smartphone, backed by a device-bound credential such as a FIDO2 security key or passkey, is much harder for attackers to breach because there is no shared secret left to guess.
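    The blocklist recommendation above is easy to get wrong: an exact-match list rejects “marketing” but accepts “Marketing2022!” or “M4rk3t1ng#7”, which is what users actually type. The following check, added here as an example and not code from the original article, normalizes a candidate password to its stem before matching it against the banned terms. The list of terms, the substitution table, the 12-character minimum and the stem rule are illustrative assumptions to be tuned to your own organization.

```python
"""Fuzzy banned-password check for a password policy.

Added example, not code from the original article. The banned terms,
substitution table, minimum length and stem rule are illustrative
assumptions; an organization would tune them to its own environment.
"""
from __future__ import annotations

import re

# Assumed blocklist: globally common passwords plus terms tied to the
# organization (its name, departments) and the seasons that feed
# "Winter2022!"-style passwords onto spray lists. Sorted for deterministic
# match order.
BANNED_TERMS = sorted({
    "password", "welcome", "letmein", "qwerty", "111111",
    "acme", "marketing", "finance", "winter", "spring", "summer", "autumn",
})

# Single-character substitutions users apply to sneak a banned word past an
# exact-match blocklist; attackers' wordlists apply the same ones.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to its stem: lower-case, drop trailing punctuation
    and digits (years, "123"), undo leet-speak, drop remaining punctuation.
    Trailing digits are stripped before the leet step so a year such as
    "2022" is removed rather than mangled. "M4rk3t1ng#7" -> "marketing"."""
    stem = password.lower()
    stem = re.sub(r"[^a-z0-9]+$", "", stem)   # trailing "!", "#", "..."
    stem = re.sub(r"\d+$", "", stem)          # trailing "2022", "123"
    stem = stem.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", stem)


def check_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Return (accepted, reason). Banned terms are matched as substrings of
    both the raw lower-cased password and its normalized stem, so "111111"
    (whose stem is empty) and "P@ssw0rd2022!" (whose stem is "password")
    are both caught."""
    lowered = password.lower()
    stem = normalize(password)
    for term in BANNED_TERMS:
        if term in lowered or term in stem:
            return False, f"contains banned term '{term}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(stem) < 4:
        # long strings of digits and symbols satisfy length rules but not guessers
        return False, "too little beyond digits and punctuation"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Marketing2022!", "P@ssw0rd2022!", "Winter2022!", "111111",
                      "Tr0ub4dor&3", "98765432109876", "correct-horse-battery-staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

    Only the passphrase is accepted; the department name with a year and a symbol, the leet-speak “password”, the seasonal password and the digit string are all rejected for the reason a user can act on. A check like this belongs at the point where passwords are set or reset, including the help-desk reset procedure described above.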

    The Bottom Line

    Password spraying attacks are an ongoing threat. As long as organizations rely on users remembering a password to log in, those credentials will remain a weak link in network security. Early detection and quick reaction are key to fighting off a spray, and a well-thought-out password policy with strong enforcement can cut many attempts off before they succeed. But the proactive adoption of MFA and strong password management, and eventually the elimination of passwords, are the best long-run protections against password spraying.



    [i] “ACSC Releases Advisory on Password Spraying Attacks,” Cybersecurity and Infrastructure Security Agency (CISA)

    [ii] “Advancing Password Spray Attack Detection,” Microsoft

    [iii] “Most Common Passwords: Latest 2022 Statistics,” CyberNews

