identity & security

What Is Password Spraying? How to Stop Password Spraying Attacks

Password spraying attacks can cause major data breaches. Here’s how to prevent them from doing so.

Password spraying is a type of brute-force cyberattack where a cybercriminal tries to guess a known user’s password using a list of common, easy-to-guess passwords such as “123456” or “password.” This process is often automated and occurs slowly over time in order to remain undetected.

Password spraying is a common method that cybercriminals use to gain unauthorized access to computer systems. For example, IBM’s/The Ponemon Institute’s 2020 Cost of a Data Breach Report found that 19% of all data breaches were the result of weak or compromised credentials. Verizon’s 2020 Data Breach Report found that over 80% of all hacking-related breaches involved brute-force methods like password spraying.

Below is everything executives need to know about how to protect their organization from password spraying attacks — how password spraying works, the risks associated with it, and how to eliminate the opportunity for an attack altogether.

How Password Spraying Works

Cybercriminals are able to use password spraying to gain unauthorized access to your systems because people often secure their accounts with obvious passwords (ones that are easy to guess). Here’s how obvious passwords make this possible.

1. Cybercriminals Build or Buy a List of Usernames

There are “over 15 billion credentials for sale on [the] dark web” right now. So to start a password spraying attack, cybercriminals often start by buying a list of usernames stolen from other organizations.

However, quite often, cybercriminals also build their own list using the patterns that company email addresses follow (for example, lastname.firstname@yourcompany.com) along with a list of people who work at that company (from LinkedIn, for example).

2. Cybercriminals Procure a List of Common Passwords

The most common passwords are also easy for malicious actors to find. For example, common password lists are often published in reports or studies each year. Wikipedia also has a page that lists the top 10,000 most common passwords.

Cybercriminals can also build a list of common (but less obvious) passwords with a little bit of extra research. For example, if an organization is located in New York, they could try variations of “Yankees” or “Knicks” or something else New York-related that people often love to use as a password.

3. Cybercriminals Try Username Password Combinations

Once a bad actor has a list of usernames and passwords (U/P), cybercriminals try them together to find a U/P combination that works. They’ll often do this using an automated system that tries one password with every user and then repeats this process with the next password in order to avoid being blocked by account lockout policies or IP address blockers that restrict login attempts.

The Risks Associated with Password Spraying Attacks

The risks associated with a password spraying attack depend on the role of the person within your organization whose account was breached.

If the compromised account belongs to an end user (or multiple), for example, their personal data is at risk of being breached, which could impact them in a variety of ways, depending on what information a bad actor was able to access. But if that account belongs to a system administrator, a cybercriminal could steal business-critical information like the intellectual property that was stolen from Citrix in a password spraying attack.

It may seem unlikely that anyone in your organization would use a password such as “123456” to secure their account. But a 2019 study by the National Cyber Security Centre found that over “23.2 million victim accounts worldwide used 123456 as password.”

Below are several methods you can use to stop password spraying attacks regardless of user behavior, as well as several cybersecurity best practices that will help you reduce the opportunity for (and effects of) a breach.

How To Stop Password Spraying Attacks

Although password spraying attacks are common, they are preventable. The technologies below will eliminate a cybercriminal’s ability to use password spraying to breach the systems of any organization.

Passwordless Authentication

Passwordless authentication eliminates passwords altogether and instead authenticates a user using biometrics, a magic link that verifies ownership of an email account, an SMS message that verifies possession of a device, etc. Some experts believe passwordless authentication is the future of authentication because it eliminates common unsafe password behaviors that create the opportunity for credential-based attacks like password spraying.

Multi-Factor Authentication (MFA)

MFA uses an additional factor of authentication (such as those used in passwordless authentication above) to verify a user’s identity in addition to a username/password (U/P) combination. So even if someone uses an obvious password to secure their account, unauthorized access would be prevented in the event of a password stuffing attack because that cybercriminal would not be able to fake a user’s identity with the second authentication factor.

How to Reduce the Impact of a Password Spraying Attack

The methods above are effective in eliminating cybercriminals’ ability to use password spraying against your organization. However, there are also additional approaches you can take that won’t eliminate the opportunity for password spraying attacks altogether but will reduce it.

Follow NIST Password Guidelines

The National Institute of Standards and Technology (NIST) password guidelines are considered the strongest set of password best practices in the world, and following their recommendations can help reduce the potential for credential-based attacks like password spraying.

One of NIST’s requirements, for example, is that every new user password is checked against a backlist of breached passwords. This helps organizations enforce stronger password policies and reduces the opportunity for other credential-based attacks like credential stuffing.

The NIST guidelines also explain that length is more important than complexity because it’s harder for cybercriminals to crack. So encouraging users to create longer (but easy-to-remember passwords) is better than requiring an increase in password complexity. This also reduces other unsafe password behaviors like password reuse.

Limit Access to Critical Systems

The more people in your organization who have access to sensitive data or systems, the more opportunities a cybercriminal has to gain access to those systems with a password spraying attack. So it is best to regularly review and reduce the number of people who have access to those systems.

Passwords Can be a Vulnerability

A 2020 study by NordPass shows that the average person has 100 passwords to remember. As a result, many people engage in unsafe password behaviors (like using weak passwords or reusing the same password for multiple accounts) to make their lives easier, even though these behaviors put organizations at risk of a data breach.

Password managers can help, but they still require users to adopt a new behavior or spend money to keep an organization safe. Eliminating passwords altogether eliminates the risk of credential-based attacks like password stuffing and creates a better user experience (a competitive advantage for any business).

Auth0 can help your organization implement passwordless authentication quickly and efficiently — learn more about Passwordless here.