What is password spraying?

Password spraying is an attack where the cybercriminal attempts to gain access into a business’s systems by testing out a small amount of frequently used passwords on numerous accounts. They assume that there’s likely to be at least one using a familiar password within a large group of people.

This is a slower approach than ‘blasting’, which is trying multiple passwords to get into one account. However, password spraying allows the hacker to gain access to numerous accounts without getting locked out. Meaning they are making the attempts, and you wouldn’t be alerted as to what is happening.

How does it affect businesses?

Cybercriminals are very clever and can quickly gain information about you, your company, and your employees by searching online. They can find information out from your website, company, and personal social media profiles. Hackers can see your employees and then attempt to find a username to hack into your accounts. The likelihood is that if one employee has the format of firstname.lastname@company.com, so will the rest of the employees. Therefore, it is imperative to keep your social media profiles private, change your privacy settings so that not everyone can see your information and be cautious of requests to connect with users you do not know.

How do they do it?

Step 1: Acquire a list of usernames
They will start with a list of accounts. The majority of businesses will have a formal convention for emails. This enables the hacker to build usernames from a list of employees. They may also find or buy usernames online due to data compiled from past security breaches.

Step 2: Spray passwords
Finding a list of common passwords used is even more straightforward for the hacker. A Google search reveals that publications list the most common passwords each year. It’s no surprise that 123456, password and qwerty are at the top of the list. Even though you may not use these passwords, you likely use a favourite sports team or the city you are from as a password.

Hackers will do their research and carefully select passwords out of the information they have found out about you, e.g., where you work, company name etc. Once they have a password, they will try it against the entire list of accounts; if the attack is unsuccessful, they will wait 30 minutes and try again with a new password.

Step 3: Gain access
Once one of the passwords gains the hacker access to one of the accounts, they will use the formula across the list of usernames. This is what makes password spray a popular method; they only need one successful password and username. Once into the victim’s accounts, they can access everything, emails, OneDrive etc. They could even use the account to investigate the network further to get deeper into the systems.
You may find (and hope) that most of your employees are not using popular passwords and have created strong passwords. However, hackers will find the ones that haven’t.

How to prevent it

The easiest way to prevent password spraying is by using an authentication solution that does not need a password as the first factor of authentication.

  • Enable and properly configure multi-factor authentication (MFA)
  • Enforce the use of strong passwords
  • Regularly review your password management program
  • Maintain a regular security awareness training for all employees
  • Ensure your Help Desk has well-documented procedures for password resets for user lockouts

If you need any help, please contact SCS Technology Solutions.