
Password Spraying Attack

Password spraying is a method attackers use to gain access to a large number of user accounts by trying a few simple but frequently used passwords against each of them.

Password spraying attacks belong to the family of brute force attacks, but differ significantly in how the attacker proceeds. In a classic brute force attack, the attacker focuses on one user account and tries a large number of passwords against it. In a password spraying attack, the attacker tries one or a few passwords against a very large number of user accounts, which keeps the failure count per account low enough to stay below lockout thresholds.

What is a Password Spraying Attack?

Despite numerous warnings, reminders, and widely reported breaches, many users continue to choose weak passwords for their logins and often reuse them across multiple accounts. Attackers know this and exploit it.

In a password spraying attack, attackers use a few selected weak but frequently used passwords (such as Password123) and “spray” them across a large number of user accounts. Hence the term password spraying.

If such a password is sprayed across thousands or millions of user accounts, there is a high probability that some users have chosen exactly this password and that the attacker will be able to log in to and compromise those accounts.

Attackers automate their "spray operations" with ready-made tools or their own scripts, which let them cover as many accounts as possible in a given time while staying below the per-account lockout threshold.

These attacks usually do not target specific victims; they rely on probability across a large population of accounts. However, if the attack happens to compromise accounts belonging to certain groups, such as administrators or the top management of a company, this is particularly valuable to the attacker. If such a compromised corporate account acts as a quasi "master key" via single sign-on (SSO) without MFA/2FA, the attacker gains access to every connected application at once.

How Does a Password Spraying Attack Work?

Every password spraying attack starts with the procurement of a sufficient number (usually thousands or millions) of user names, typically in the form of e-mail addresses. These are either purchased on the darknet or compiled by the attackers themselves. Since many companies use a standardized e-mail address format, such as firstname.lastname@company.com, building such a list from public sources (staff pages, social networks, press releases) is usually easier than one might think. Special tools can then be used to verify which of these addresses actually exist. Some companies make it even easier by publishing their employees' e-mail addresses directly on their website.

After collecting a large number of e-mail addresses, the attacker chooses a few popular passwords to test. Lists of the most commonly used passwords are easy to find on the internet (for example in annual security studies and published breach corpora) and are used regularly for this. If the attacker has a specific user group in mind, regional or group-specific terms such as landmarks, sports clubs, the company name, the current season and year, or the like can also be used when selecting passwords.

Once the lists of e-mail addresses and passwords are complete, the goal is to find as many working combinations as possible for each target (e.g., app, web page, portal, company server). Attackers usually use dedicated tools for this and start by spraying the first password across all e-mail addresses. To avoid triggering security mechanisms such as account lockout, they wait minutes to hours before spraying (testing) the next password across the same accounts, so that per-account failure counters reset or never exceed the lockout threshold.

Because of the sheer number of accounts attacked, this method is often successful for at least a few accounts. Given how widespread weak and reused passwords are, an attacker can gain access to hundreds of accounts in a single campaign. If one of these accounts belongs to an administrator, the consequences extend from the compromised account to the entire company behind it.

How Can Password Spraying Attacks be Detected and Prevented?

In a password spraying attack, the attacker tries a series of passwords across a large number of user accounts, but only one password at a time. Most of these login attempts fail, since only a small fraction of users have chosen the sprayed password. A single failed login on one account is not unusual in itself. The characteristic signature is a burst of failed logins spread across many accounts, each failing only once or twice, often from the same source address or a small set of addresses. The same applies to many login attempts against unknown or inactive accounts, which come from the attacker's harvested address list rather than from real users.
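The signature described above can be turned into a detection rule over authentication logs. The following Python is an added example and not code from the original page: it parses a constructed sample log in a hypothetical line format (timestamp, result, user, source address), groups failures by source address, and raises an alert when one source fails against many distinct accounts within a time window while each account fails only once or twice. The thresholds (window, minimum accounts, maximum failures per account) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log in a hypothetical format (not from any real product):
# one line per login attempt.  203.0.113.7 sprays one password across ten
# accounts, two of which do not exist, and gets one hit; 198.51.100.5 is a
# single user mistyping her own password, which must not raise an alert.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z auth FAIL user=alice.smith src=203.0.113.7
2024-03-04T09:00:03Z auth FAIL user=bob.jones src=203.0.113.7
2024-03-04T09:00:05Z auth FAIL user=carol.white src=203.0.113.7
2024-03-04T09:00:07Z auth NOUSER user=dave.brown src=203.0.113.7
2024-03-04T09:00:09Z auth FAIL user=erin.black src=203.0.113.7
2024-03-04T09:00:11Z auth FAIL user=frank.green src=203.0.113.7
2024-03-04T09:00:13Z auth NOUSER user=grace.hall src=203.0.113.7
2024-03-04T09:00:15Z auth FAIL user=heidi.king src=203.0.113.7
2024-03-04T09:00:17Z auth FAIL user=ivan.lee src=203.0.113.7
2024-03-04T09:00:19Z auth OK user=judy.moore src=203.0.113.7
2024-03-04T09:05:00Z auth FAIL user=carol.white src=198.51.100.5
2024-03-04T09:05:20Z auth FAIL user=carol.white src=198.51.100.5
2024-03-04T09:05:40Z auth FAIL user=carol.white src=198.51.100.5
2024-03-04T09:06:00Z auth OK user=carol.white src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL|NOUSER) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"].lower(), "src": m["src"]}


def detect_spray(lines, window=timedelta(minutes=30), min_users=8, max_fail_per_user=2):
    """Flag sources that fail against many distinct accounts with few attempts each.

    A sprayer is the inverse of a classic brute force: the failure count per
    account stays at one or two while the number of distinct accounts grows.
    For each source the widest qualifying window is reported, together with
    the unknown accounts it probed and any accounts it logged in to.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] != "OK"]
        best = None
        start = 0
        for end in range(len(failures)):
            # advance the window start until the window fits inside `window`
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            win = failures[start:end + 1]
            per_user = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_fail_per_user
                    and (best is None or len(per_user) > best["distinct_users"])):
                best = {
                    "src": src,
                    "distinct_users": len(per_user),
                    "unknown_accounts": sorted({e["user"] for e in win if e["result"] == "NOUSER"}),
                    "successes": sorted({e["user"] for e in evs if e["result"] == "OK"}),
                    "first_seen": win[0]["ts"].isoformat(),
                    "last_seen": win[-1]["ts"].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_spray(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule is keyed on the source address, which catches the simple case. Attackers who rotate through proxy pools defeat that key, so the same aggregation should also be run without it, over the whole tenant: a sudden rise in the number of distinct accounts with exactly one failure in a window is the signal regardless of where the attempts come from. The "successes" field is the part worth paging on, because it lists accounts whose password the sprayer guessed.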

With appropriate, centrally collected logs, such activity can be detected and countermeasures initiated: blocking the source addresses, resetting the passwords of any accounts the sprayer logged in to, and prompting users with weak passwords to change them. In this context, it is important to enforce a password policy that requires strong passwords and to check new passwords automatically against the criteria and against lists of common and breached passwords when they are set (password strength checker), since a sprayer's wordlist is drawn from exactly those lists. Rate limiting and "smart" lockout that counts failures per source as well as per account also raise the cost of spraying. Alternatively, passwordless authentication solutions such as biometrics or magic links can be used. Admin accounts and other accounts with extensive rights must always be protected with multi-factor authentication, and ideally every account that sits behind SSO should be, since a single guessed password should never be enough to log in.
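A password strength check of the kind described above is only useful if it recognises the variants a sprayer's wordlist also covers, not just the exact strings. The following Python is an added example, not code from the original page: it normalises a candidate password (lower-casing, stripping the trailing year or symbol, undoing common character substitutions) before comparing it against a blocklist, and additionally rejects organisation-specific words. The blocklist here is a constructed, deliberately short stand-in for the full published lists of most-used passwords; the minimum length and the substitution table are assumptions.

```python
import re

# Constructed, deliberately short blocklist for the example.  A real policy
# would load the full published list of most-used passwords (tens of
# thousands of entries) plus a breach corpus; the mechanics are the same.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "welcome", "letmein",
    "admin", "summer", "winter", "monkey", "dragon", "football",
}

# Character substitutions a sprayer's wordlist also tries: P@ssw0rd -> password
LEET = str.maketrans("@$0134!", "asoieai")


def candidates(pw):
    """Return the forms of `pw` that a sprayer's wordlist would cover.

    Summer2024! -> summer, P@ssw0rd! -> password, Password1123$ -> password.
    The empty string is dropped so an all-digit password like 123456 is
    compared as-is rather than as nothing.
    """
    lowered = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)  # drop leading/trailing digits and symbols
    return {lowered, core, core.translate(LEET)} - {""}


def check_password(pw, min_length=12, context_words=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = sorted(candidates(pw) & COMMON_PASSWORDS)
    if hits:
        problems.append(f"variant of common password '{hits[0]}'")
    # Organisation-specific words (company name, product, city) are exactly
    # what a targeted sprayer adds to the generic list.
    for word in context_words:
        if word.lower() in pw.lower():
            problems.append(f"contains organisation-specific word '{word}'")
    return problems


if __name__ == "__main__":
    for pw in ("Password1123$", "P@ssw0rd!", "123456", "Acme-Corp-2024",
               "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, context_words=('Acme',)) or 'ok'}")
```

The normalisation is a heuristic, not a canonical form: it catches the substitutions and suffixes that appear in real spray lists, but a password that only differs from a blocklisted one in the middle of the string would pass. For that reason a length minimum and a breached-password lookup belong alongside it rather than instead of it.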