Password Spraying Attack

The attempt to gain unauthorized access to user accounts by trying a few commonly used passwords against many usernames or email addresses.

Nov 13, 2023

A Password Spraying Attack is the attempt to gain unauthorized access to a system or user accounts by trying a few commonly used passwords against many usernames or email addresses.

In a more sophisticated variant, the attacker does not try arbitrary common passwords but passwords that the same users have already used on other, possibly less well protected and hence more easily compromised accounts, typically taken from lists of breached credentials that can be bought for little money on the dark web. Variations of such passwords, including substitutions of letters and numbers, are often tried as well. This is why most organizations expressly forbid reusing the same (or a similar) password across multiple services.

Password spraying attacks are dangerous because they are often hard to detect. A standard brute force attack hammers a single account with many passwords, which is very obvious and, where available, triggers account lock-out mechanisms. A spraying attack instead produces only a few failed attempts per account, staying below any per-account lock-out threshold, so it can remain unnoticed in the noise of ordinary failed logins.
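The detection gap described above is easiest to see side by side: a per-account failure counter (the lock-out control) versus a per-source view that counts how many distinct usernames fail from the same origin within a time window. The following is an added example, not code from the original article; the log format, the threshold values and the sample log lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Format assumed for this example: timestamp result username source_ip
# 203.0.113.7 tries one password against six different users (spraying);
# 198.51.100.9 tries five passwords against one user (classic brute force).
SAMPLE_LOG = """\
2023-11-13T08:00:01 FAIL alice 203.0.113.7
2023-11-13T08:00:03 FAIL bob 203.0.113.7
2023-11-13T08:00:05 FAIL carol 203.0.113.7
2023-11-13T08:00:07 FAIL dave 203.0.113.7
2023-11-13T08:00:09 FAIL erin 203.0.113.7
2023-11-13T08:00:11 FAIL frank 203.0.113.7
2023-11-13T08:01:00 FAIL alice 198.51.100.9
2023-11-13T08:01:02 FAIL alice 198.51.100.9
2023-11-13T08:01:04 FAIL alice 198.51.100.9
2023-11-13T08:01:06 FAIL alice 198.51.100.9
2023-11-13T08:01:08 FAIL alice 198.51.100.9
2023-11-13T08:02:00 OK alice 192.0.2.44
"""

LOCKOUT_THRESHOLD = 5        # failures per account before lock-out (assumed value)
SPRAY_MIN_USERS = 5          # distinct users failing from one source (assumed value)
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the constructed log format into (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def locked_out_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Per-account counter: the classic lock-out control that catches brute force."""
    fails = defaultdict(int)
    for _, result, user, _ in events:
        if result == "FAIL":
            fails[user] += 1
    return {user for user, n in fails.items() if n >= threshold}


def spraying_sources(events, min_users=SPRAY_MIN_USERS, window=WINDOW):
    """Per-source view: flag an IP that fails against many distinct users in a window.

    Returns {ip: max_distinct_users_seen_in_any_window} for flagged sources only.
    """
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked out by per-account counter:", locked_out_accounts(ev))
    print("flagged by per-source spray rule:", spraying_sources(ev))
```

On the sample log the per-account counter locks out only `alice`, who was the target of the brute force, while every account touched by the spraying source has a single failure and never reaches the threshold; only the per-source rule flags `203.0.113.7`. In a real deployment the source key would usually combine IP with user-agent or ASN, and the window and thresholds would be tuned against baseline failed-login rates.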

As is so often the case, only a combination of measures reliably protects against password spraying. Common measures are: