What is Password Spraying?

What is password spraying? Password spraying is a commonly used brute force method for gaining access to accounts. Here we explain what it is and how to thwart it.

What is a Brute Force Attack?

A brute force attack is a trial-and-error method of gaining access to an account when the password for the account is not known. In an attack, many different passwords are tried for a specific account in the hope of guessing the correct password. If the correct username is known, it is only a matter of time before the correct password will be guessed. The time taken for such an attack could be a matter of seconds or several years.

Modern graphics processing units (GPUs) make it possible to guess weak passwords incredibly quickly. For instance, a password consisting of just 6 characters, no matter how random that password is, could be cracked instantly, and all possible 8-character passwords would take less than an hour in the absence of any lockout policies that only permit a certain number of failed attempts before the account is locked.

What is Password Spraying?

Password spraying is a type of brute force attack that takes advantage of poor password practices. Password spraying is the name given to a brute force attack where the attacker attempts to access large numbers of accounts using a limited number of commonly used passwords, as opposed to a standard brute force attack that is focused on one account using all possible password combinations.

With password spraying, the usernames are brute-forced but the password remains constant. Companies will have a set format for their corporate email accounts, which is easy to find out, and information about employees at a company is often in the public domain, so obtaining the right email addresses is straightforward.

This approach can get around the account lockout policies that are now commonly used to protect accounts from brute force attacks. In a password spraying attack on a company with 1,000 employees, a single attempt could be made to access all company accounts using the password 12345678. Then a second attempt will be made using Password1!. This low-and-slow approach avoids account lockouts and can be hard to detect. It relies on users setting easy-to-remember passwords – a practice that is very common.

How to Reduce Risk?

There are several ways that businesses can improve resilience to password spraying attacks. The most effective way is not to use passwords, and instead to use a different form of authentication. While passwordless authentication is becoming more common, for many businesses it is currently not practical or affordable to implement passwordless authentication.

Account lockout policies should be set for both the username and password field, and if that is not possible, use CAPTCHA. Multifactor authentication should also be set up, which requires a second factor to be provided in addition to a password before account access will be granted. It is also important for admins to remove accounts that are no longer in use, and accounts initially set up with a default password should require users to change their password on first login.

Ultimately, the reason password spraying attacks succeed is because users often set weak passwords. One of the easiest and lowest cost solutions is to implement and enforce a password policy that requires strong passwords to be set for accounts and to provide all employees with a password manager. Password managers have secure password generators that allow users to generate strong, unique passwords for all accounts that will be resistant to password spraying and other brute force attacks. To better protect against brute force attacks, Bitwarden has also recently introduced a new feature for generating unique usernames in addition to the strong password generator.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news