Password Spraying: Strengthening Authentication and User Security
While many online services have upped their game in terms of requiring users to create strong passwords, threat actors frequently hack into accounts using password-based attacks. Password spraying is one such attack that stealthily targets a large pool of users with a select set of commonly used passwords. This article delves deep into the world of password spraying by highlighting its mechanics, citing some examples and status that exemplify the threat, and more importantly, showcasing strategies and tools to strengthen your authentication and user security against this attack.
What is Password Spraying?
Password spraying is a type of cyber attack where an attacker tries a few common passwords (like password123, qwerty, or 111111) against a large number of usernames or accounts. Instead of trying many passwords against one user (which could trigger account lockouts), password spraying relies on trying a few commonly used or carefully selected passwords against many users. Essentially, hackers bet on the likelihood that someone in the large set of target users might be using one of these weak or commonly used passwords.
It’s important not to confuse password spraying with other password-focused account hacking attempts like brute force attacks or credential stuffing.
- In a brute-force attack, the attacker attempts to guess a password by trying every possible combination of characters until they find the one that works.
- Credential stuffing attacks leverage previously leaked usernames and passwords by taking these known credentials and trying them on other websites/services in the hope that someone reuses their credentials across many accounts This reuse is quite a common occurrence, with up to 32 percent of Internet users re-using the same password across 5-10 websites and apps.
In October 2021, Microsoft warned that more than a third of account compromises are the result of password-spraying attacks. In a somewhat ironic turn of events, Microsoft then had to warn users of its Exchange Online service one year later that many users were being successfully targeted by password spraying attacks (the company has switched off basic authentication that only relied on passwords).
The Mechanics of a Password Spraying Attack
Equipped with this high-level info about password spraying, here is a deeper dive into the mechanics of a typical attack.
Identify targets: Any large group of users suffices. Often this could be a company with thousands of employees or a platform/service with hundreds of thousands of users. Threat actors may gather usernames easily when the username is the person’s email address. Other ways to gather usernames include previous data breaches, enumeration techniques on platforms, or through social engineering.
Compile a list of passwords to use: The hacker then compiles a list of common or frequently used passwords. This list could come from previous data breaches, but it usually comes from freely available lists of commonly used passwords published online. hackers typically adjust these passwords based on the password complexity policy of the app or service they’re targeting.
Attack launch: In what is really the only step of password-spraying attacks involving anything remotely technical, the attacker uses an automated script or a tool to try the list of common passwords against each target username. Typically this step involves limiting login attempts to avoid account lockouts.
Analyze results: After the initial spray, the attacker reviews which accounts they were able to access. Successful logins mean that they now have access to those accounts and can exploit them further based on their objectives (stealing data, ransomware installation, further social engineering, etc.).
Password spraying isn’t particularly complex from a technical standpoint; evading detection when trying to log in to accounts is perhaps the most involved part of the attack technically. One method for avoiding detection is slowing down the attack by spacing out their login attempts over hours, days, or even weeks to blend in with regular traffic.
Threat actors might also use multiple IP addresses or a botnet to distribute the login attempts to make it harder for intrusion detection/prevention systems to identify a pattern or single malicious source. After gaining access to a user’s account, smart attackers avoid making immediate, noticeable changes. Instead, they might create backdoors, study internal patterns, and plan actions that don’t draw immediate attention.
Password Spraying vs. Credential Stuffing
Password spraying and credential stuffing are two of the most common account compromise attacks so it’s worth diving into more of a comparison between them.
One helpful way to grasp the difference between password spraying vs credential stuffing is in the approach. Password spraying is a broad-stroke approach because attackers use a few commonly used passwords and try them across many accounts. Credential stuffing is more specific in that it uses known username-password combinations (usually obtained from previous breaches) and tests them on selected platforms or services.
Another useful way to contrast these different account hacks is in the data source. When thinking of credential stuffing vs password spraying, remember that the former uses stolen credential data from previous breaches while password spraying uses knowledge about common, weak passwords as the data source.
Lastly, the main objective of credential stuffing is capitalizing on users’ habit of reusing passwords across multiple platforms. The primary objective of password spraying is to identify accounts with weak passwords.
The Implications of Successful Password Spraying Attacks
Like any attack that manages to successfully infiltrate a user’s account, a successful password spraying attack can have a cascade of consequences for your company. These outcomes range from immediate operational impacts to long-term financial and reputational damage.
- Unauthorized access: The most direct consequence of a password spraying attack is unauthorized access to user accounts. This access can give attackers the ability to view, steal, or manipulate sensitive data depending on the privileges associated with the compromised accounts or the ability of the hackers to elevate their privileges.
- Data breaches: With access to internal systems, attackers can eventually exfiltrate confidential information, including intellectual property, employee details, customer data, and financial records. This kind of breach regularly leads to significant financial penalties under modern data privacy regulations.
- Other financial losses: Beyond potential fines, you might face direct theft if attackers gain access to financial accounts or payment systems. There can be costs associated with remediation efforts, including system repairs, forensic analysis, and strengthened security measures.
- Reputational damage: The public disclosure of a security incident, especially one that could have been prevented with better password policies, can significantly damage a company’s reputation. Customers, stakeholders, and partners may lose trust in an organization’s ability to properly safeguard data.
- Operational disruption: Attackers that access a user’s account might not just steal information but also disrupt important business services. For example, they could deploy ransomware and render critical systems inoperative, causing downtime, and potentially leading to revenue loss or business continuity issues.
In a strong demonstration of the implications of password spraying attacks, an Iranian-backed threat group stole sensitive data from U.S. defense, satellite, and pharmaceutical organizations. The attacks occurred between February and July 2023, and they demonstrate that password spraying is a threat across even the most stringently guarded sectors. The fact that an advanced threat group used password spraying also shows how technically adept threat actors don’t shy away from what sounds like a low-probability attack.
Strengthening Authentication Against Password Spraying
Strategies to bolster authentication against password spraying can focus at both the individual and company levels.
For Users
Encourage the use of long, complex passwords that combine uppercase and lowercase letters, numbers, and special characters. Passphrases, which are longer sequences of words or letters, can also be effective and memorable. Passwords like “Password123”, “letmein”, or “welcome1” are often the first to be tried in password spraying attacks. Using unique, less predictable passwords is essential.
Even if a password is compromised, multi-factor authentication (MFA) can prevent unauthorized access by requiring an additional verification step, such as a code from a smartphone app or a hardware token. But this protection can’t do anything if users don’t understand its importance and switch it on for their accounts.
For Companies
Enforce robust password policies that require regular password changes, prevent the reuse of previous passwords, and mandate minimum password complexities. Regular training sessions can make employees aware of the threat of password spraying and the importance of adhering to your password policy.
Use security systems and tools to detect unusual login patterns or multiple login attempts across various accounts, which could indicate a password spraying attack. And don’t forget to set up some sort of MFA mechanism for user logins to business services like virtual private networks and remote desktop protocol.
Advancements in authentication have a lot of potential in combating password spraying threats. Fingerprint, facial recognition, and iris scanning offer personalized authentication methods, and they’re increasingly being integrated into devices and systems for an extra layer of security.
Physical tokens that generate one-time codes or scan fingerprints offer a robust second factor in MFA, which makes it harder for attackers to gain access without the physical device. Kelvin Zero’s Multi-Pass is an example of a physical token in the form of a universal biometric pass for authenticating employees and clients. A single card stores as a non-reversible biometric fingerprint template on which users can authenticate their fingerprint to access digital, remote, and physical IT environments.
Risk-based authentication is another option that adjusts the authentication process based on the risk level of the user or transaction. For example, logging in from an unfamiliar location might trigger additional security checks.
Recent Examples
Aside from a couple of examples already alluded to, here are some more recent examples of password spraying attacks.
FastCompany Breach
A September 2022 breach of business magazine FastCompany stemmed from a password spraying attack in which threat actors tried logging in with the password pizza123 on several of the magazine’s WordPress accounts. This tactic worked, and it resulted in hackers pushing obscene notifications to Apple subscribers of the magazine, tarnishing the brand’s reputation.
Citrix
Citrix also suffered at the hands of Iranian hackers carrying out password spraying attacks. In 2019, hackers stole reports, blueprints, and business papers by hacking into internal Citrix user accounts with nothing more complex than password spraying tactics.
Use Cases: Implementing Effective Authentication Measures
One case study saw BNP Paribas Bank saving $778,000 by implementing MFA. The bank introduced MFA across 160+ critical systems and apps.
The usefulness of MFA is that even if an attacker correctly guesses a password during a spraying attack, they’d still need the second factor (like a unique code sent to a user’s phone) to gain access, which makes unauthorized entry considerably more challenging.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) solutions are also useful for strengthening authentication. These CAPTCHAs challenge users with tasks that are easy for humans but difficult for bots, like identifying objects in images, matching puzzles, or deciphering distorted text. By requiring users to solve a CAPTCHA after a certain number of login attempts, automated password spraying tools can be effectively halted, as they typically can’t solve CAPTCHAs.
Rate limiting is another layer of defense that restricts the number of login attempts allowed from a specific IP address or user account within a set time frame. By slowing down the number of attempts an attacker can make, rate limiting can make password spraying impractical or extend the attack timeline so much that it becomes unfeasible.
Conclusion
Password spraying is a menacing type of cyber attack that remains a persistent threat to companies, many of whom still depend on passwords for authenticating users who log into apps and systems. While many larger enterprises enforce stricter password complexity requirements than before, password spraying attacks can still be effective.
And with Iranian nation-state actors successfully using password spraying as recently as 2023, it’s not worth dismissing or ignoring the possibility that it can happen at your business. Neglecting this threat can result in dire consequences, ranging from data breaches to severe operational disruptions.
By proactively adopting advanced authentication methods like multi-factor authentication (MFA) and routinely educating users about the importance of unique and strong passwords, you can significantly mitigate the risk posed by password spraying attacks. Better still, moving away from passwords to more advanced authentication methods like biometrics can further strengthen resilience against account compromise.
Multi-Pass from Kelvin Zero seamlessly helps you transition away from passwords to fingerprint-based authentication. Our smart card can be used to log in remotely, to digital services, and to physical workstations. Unlock the future of authentication.