Password spraying is an attack method where a malicious actor attempts to log into several user accounts using commonly used passwords. The attacker will usually target a large number of usernames and try a single password on all of them before moving to the next password and so on. This is usually a slower process and difficult to suspect, unlike the traditional brute-force attacks which involve targeting a single account and trying to access it using several guessed passwords.
Modern security measures in many applications have account lockout policies that block accounts once attempted logins reach a certain limit within a set period. As such, several failed brute-force attempted logins usually results in account lockouts. However, for password-spray or low and slow attack, the malicious actor first attempts to access many accounts using a single but commonly used password such as 123456, then moves to the second password, third, and so on.
Passwords spraying success rates
Password spraying has high success rates since most people rely on very simple passwords. Usually, the commons passwords are one of the vulnerabilities in cybersecurity today hence the reason why most passwords spraying attacks are successful. This is not surprising, given that there are very many users with common passwords. For example, in 2017, research by the National Cyber Security Center established that passwords for the many accounts in about 75% of UK based organizations were featured in the common 1000 passwords list. Further, 87% had passwords in the top 10000 list.
Usually, all that the attackers need is a list of the common passwords, which are easy to obtain from the many previous password leaks.
Another reason for high success rates is the fact that this kind of attack remains undetected due to its low and slow approach. Since the process is slow and targets a large number of accounts, it does not have the rapid signs of brute-force attacks and is therefore difficult to detect, and may not easily trigger an account lockout.
Password spray targets
The password spray attacks usually target cloud-based applications that rely on federated authentication protocols, email applications as well as single sign-on (SSO) applications. Usually, by targeting the federated authentication, the attackers can mask the malicious traffic.
Impact of password spraying
Just like any other form of attack, a hacker who succeeds in gaining unauthorized access through the password spraying method may cause a lot of damage to the organization and individual. Once the criminals log into the systems, they can steal private, sensitive business information that they can use to blackmail the owner or sell to competitors.
Gaining access with privileged access such as for an administrator is even worse since the attacker can even alter so many files; delete them or lookout the users and customers. As such, businesses, admins, and users should try their best and avoid such kind of attacks.
Protecting accounts from password spraying
The best way to protect accounts from password spraying is by using strong authentication methods. Ideally, this should include enforcing strong passwords and policies, multifactor authentication, and other modern techniques such as password-less access.
Also, the security teams should regularly scan the environments and accounts to check for weak, vulnerable, and common passwords based on lists obtained from previous leaks and breaches. There are various tools that organizations can use to identify vulnerable accounts and hence enable them to advise/force users to change to stronger and secure passwords.