Password spraying: what it is and how to prevent it

As cybercrime continues to grow in frequency and intensity, no Internet-connected business is immune. According to the FBI’s Internet Crime Report 2021, the Internet Crime Complaint Center (IC3) received a record 847,376 complaints in 2021, a 7% increase from 2020. Similarly, the Federal Trade Commission’s (FTC) Consumer Sentinel Network recorded over 5.7 million consumer reports in 2021, about 25% of them for identity theft. Despite rising rates of cybercrime, many companies still do not implement strong authentication technologies such as two-factor authentication (2FA) or multi-factor authentication (MFA).

Cyber threats are constantly evolving and becoming more complex, aggressive and harder to detect. The sophisticated techniques used by threat actors today are capable of circumventing even advanced security systems. At the same time, cyberattacks of any kind or scale, from a highly advanced ransomware attack to a relatively simple password spray attack, can have a devastating impact on businesses of any size. In this article, we take a closer look at password spraying, how it works, and how to better protect your business and data against it.

What is password spray?

Password spraying is a type of high-volume brute-force attack. The threat actor attempts to gain unauthorized access to accounts by trying a short list of commonly used passwords against a large number of usernames. For example, the attacker picks a single password, or a small list of popular passwords, and tries it against many different accounts on the application, one password at a time.

A password spray attack takes advantage of poor user password practices. The technique is also known as “low and slow”, because the attacker keeps each account below the lockout threshold and waits between rounds of attempts to avoid detection and account lockout.

Password spraying vs. brute force

A brute force attack is a trial-and-error method in which the attacker attempts to compromise an account by guessing its password. As the name suggests, the attacker tries to force their way into a user account by trying a list of passwords against a single username in the hope that one of the combinations matches, and continues until the correct password is found.

Classic brute force is not feasible against applications that enforce account lockout policies. These applications treat a run of failed logins as a possible intrusion and lock the account after a few unsuccessful attempts. Brute force attacks therefore take time, because the attacker must space out attempts to avoid being detected or locked out.

Password spraying is arguably the refined version of brute force, designed to evade intrusion detection and account lockout. It is similar to brute force in that both are trial-and-error attempts to guess the correct password. The difference is the shape of the attack: in a brute force attack the threat actor tries many passwords against one account, while in a password spray attack the attacker tries a few commonly used passwords against a large volume of usernames, so no single account accumulates enough failures to trigger a lockout.

Password spraying vs credential stuffing

Password spray attacks use a small list of passwords against a large number of user accounts. In credential stuffing attacks, threat actors instead use automated tools to replay large volumes of username and password pairs, typically leaked in earlier data breaches, against multiple sites until one of the credentials works, exploiting users who reuse the same password across services. Today’s credential stuffing tools are able to evade security features built into web applications: they leverage bot networks to make many login attempts simultaneously while rotating source IP addresses, making the attempts appear to come from different users.

How does a password spray attack work?

  1. A malicious actor begins by creating or acquiring a list of accounts to spray against. Most companies follow a formal convention for email addresses (for example, a fixed pattern built from the employee’s first and last name at the company domain). Once the threat actor has worked out the username pattern, it is easy to generate candidate usernames from publicly available employee names and validate them with tooling.
  2. Once the usernames are validated, finding a list of commonly used passwords is relatively easy. The attacker can take them from the annual published lists of the most common passwords, or from a simple web search. The attacker can also browse social profiles for details such as dates of birth, names of family members, favorite sports teams or addresses; for example, a password containing “Patriots” is a popular choice in the Massachusetts area. After carefully selecting a password, the attacker tests it against every username in the list. If the round fails, the threat actor waits long enough for the failed-attempt counters to reset, so as not to trigger a lockout, then tries the next password.
  3. This process continues until one of the username and password combinations works and gives the threat actor illegitimate access. The threat actor now has access to everything the compromised user can reach, such as cloud resources in SharePoint or OneDrive, and can use the account to gather intelligence about the target network or to escalate privileges and penetrate deeper into systems.

What is an example of a password spray attack?

Here is an example of how a password spray attack is performed:
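The simulation below is an added example and is not from the original article or from any real spraying tool. It runs the three steps above against a mock identity provider with a constructed directory, spray list and lockout policy (five failures within 15 minutes, all hypothetical), and contrasts the spray with a brute force run against a single account under the same policy:

```python
"""Added example (not from the article or any real tool): a password spray versus
a brute force run against a mock identity provider with a lockout policy.

The directory, the spray list and the lockout parameters are all constructed for
this illustration; nothing is sent over the network and time is simulated.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample directory for a hypothetical tenant: username -> password.
MOCK_DIRECTORY: Dict[str, str] = {
    "alice": "Summer2023!",
    "bob": "Tr0ub4dor&3",
    "carol": "Password1",
    "dave": "Winter2023!",
    "erin": "xk9#Lq2v!pZr",
}

# The short, seasonal list a sprayer would use (constructed).
SPRAY_LIST = ["Password1", "Summer2023!", "Welcome1",
              "Winter2023!", "Spring2023!", "Passw0rd"]


@dataclass
class MockIdP:
    """Locks an account after `lockout_threshold` failures inside `observation_window`."""
    directory: Dict[str, str]
    lockout_threshold: int = 5
    observation_window: int = 900          # seconds
    clock: int = 0                         # simulated time instead of sleeping
    failures: Dict[str, List[int]] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def advance(self, seconds: int) -> None:
        self.clock += seconds

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'fail' or 'locked'."""
        if user in self.locked:
            return "locked"
        if self.directory.get(user) == password:
            return "ok"
        stamps = self.failures.setdefault(user, [])
        stamps.append(self.clock)
        recent = [t for t in stamps if t > self.clock - self.observation_window]
        if len(recent) >= self.lockout_threshold:
            self.locked.add(user)
        return "fail"


def spray(idp: MockIdP, users: List[str], passwords: List[str],
          pause: int) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Password-major loop: one password across every user, pause, next password.

    Each account sees one failure per round, so when `pause` is at least the
    observation window the failure counter never reaches the threshold.
    Returns (compromised (user, password) pairs, accounts locked out).
    """
    hits: List[Tuple[str, str]] = []
    done: Set[str] = set()                 # stop touching accounts already cracked
    for password in passwords:
        for user in users:
            if user in done:
                continue
            if idp.login(user, password) == "ok":
                hits.append((user, password))
                done.add(user)
        idp.advance(pause)
    return hits, sorted(idp.locked)


def brute_force(idp: MockIdP, user: str, passwords: List[str]) -> str:
    """User-major loop: every password against one account, no pause."""
    for password in passwords:
        result = idp.login(user, password)
        if result != "fail":
            return result                  # 'ok' or 'locked'
    return "exhausted"


def run_spray(pause: int) -> Tuple[List[Tuple[str, str]], List[str]]:
    idp = MockIdP(MOCK_DIRECTORY)
    return spray(idp, list(MOCK_DIRECTORY), SPRAY_LIST, pause)


def run_brute_force(user: str) -> str:
    return brute_force(MockIdP(MOCK_DIRECTORY), user, SPRAY_LIST)


if __name__ == "__main__":
    print("spray, 30 min between rounds:", run_spray(1800))
    print("spray, no pause:            ", run_spray(0))
    print("brute force on erin:        ", run_brute_force("erin"))
```

Running it shows why the pacing matters: with 30 minutes between rounds the spray compromises three accounts and locks none, the same six passwords sprayed without a pause lock out the two accounts that never match, and a brute force run against one account is locked after the fifth guess. Real tools add source IP rotation and realistic user agents on top of this; the pacing logic is the same.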

What do password spray attacks target?

It is common for threat actors to target management services on commonly used ports when spraying passwords. Among the many common services are:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS/SMB/Samba (139/TCP and 445/TCP)
  • LDAP (389/TCP)
  • RDP/Terminal Services (3389/TCP)
  • HTTP/HTTPS management interfaces (80/TCP and 443/TCP)
  • VNC (5900/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • Kerberos (88/TCP)

Beyond management services, password spray attacks commonly target applications that use single sign-on (SSO) and federated authentication, accounts that IT admins set up with a shared default password for new users, and externally hosted applications such as Microsoft or Google email services.

How to prevent password spray attacks?

With tools such as MSOLSpray, Ruler, THC-Hydra and Talon readily available to threat actors, password spray attacks are relatively easy to execute. Although simple, they yield results because many companies still allow weak passwords and password-only logins for their customers and employees.

Below are some reliable ways you can prevent password spray attacks.

  • Apply brute force protection to both fields (i.e. username and password): rate-limit failed logins per account and per source, and alert when one source fails against many distinct usernames, since per-account lockout alone never fires during a spray.
  • Use usernames and passwords that are not easily guessed. Protect your organization with stronger credentials than administrator and password123!, for example.
  • Delete unused accounts with high-level permissions.
  • Regularly review permissions and adjust their scope if necessary.
  • Salt the hash: add a random string (the salt) to each password before hashing it and store the salt alongside the hash. Salting gives users with the same password different hashes and defeats precomputed (rainbow table) attacks if the password database is stolen; it does not by itself stop online guessing such as spraying.
  • Store passwords with a slow, salted password hashing function such as bcrypt, scrypt or Argon2 rather than reversible encryption. This makes offline cracking of a stolen password database far more expensive.
  • Set account lockout policies after a certain number of failed login attempts to limit guessing. A spray deliberately stays below the threshold, so lockout must be combined with the per-source monitoring above, and the threshold should be chosen so that attackers cannot lock legitimate users out at will.
  • Implement CAPTCHA where locking is not a viable option.
  • Admin-managed apps should require users to change their password on first login when an initial default password is issued.
  • Enable two-factor authentication (2FA) or MFA, so that a guessed password alone does not grant access.
  • For Azure Active Directory environments, configure Azure AD Password Protection to eliminate the use of easy-to-guess passwords, including the global banned password list that Microsoft maintains and updates, and add a custom banned password list for terms specific to your organization.
  • Simulate phishing and password spray campaigns in your organization to identify poor cyber hygiene practices. This lets you target additional training where needed and refine the organization’s custom banned password list.
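The detection logic behind the first bullet, as an added example rather than code from the article or from any product: it parses a constructed, syslog-style log (the format and the events are made up for this illustration; the addresses are documentation ranges) and flags a source that fails against many distinct usernames as a spray, a source that hammers one username as brute force, and any success from a spraying source as a probable compromise:

```python
"""Added example (not from the article): a detector that tells a password spray
from a brute force in authentication logs.

Heuristic: one source failing against many distinct usernames inside a window is
a spray, even though each username sees only one or two failures; one source
failing many times against one username is a brute force. The log format and the
events below are constructed for this illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed, syslog-style lines; the sshd line shows the parser skipping noise.
SAMPLE_LOG = """\
2023-10-02T09:00:01Z auth user=alice src=203.0.113.7 result=failure
2023-10-02T09:00:42Z auth user=bob src=203.0.113.7 result=failure
2023-10-02T09:01:19Z auth user=carol src=203.0.113.7 result=failure
2023-10-02T09:02:05Z auth user=dave src=203.0.113.7 result=failure
2023-10-02T09:02:47Z auth user=erin src=203.0.113.7 result=failure
2023-10-02T09:03:30Z auth user=frank src=203.0.113.7 result=failure
2023-10-02T09:03:31Z sshd[1201]: Accepted publickey for svc-backup from 10.0.0.4
2023-10-02T09:04:12Z auth user=carol src=203.0.113.7 result=success
2023-10-02T09:05:00Z auth user=bob src=198.51.100.9 result=failure
2023-10-02T09:05:02Z auth user=bob src=198.51.100.9 result=failure
2023-10-02T09:05:04Z auth user=bob src=198.51.100.9 result=failure
2023-10-02T09:05:06Z auth user=bob src=198.51.100.9 result=failure
2023-10-02T09:05:08Z auth user=bob src=198.51.100.9 result=failure
2023-10-02T09:05:10Z auth user=bob src=198.51.100.9 result=failure
2023-10-02T09:07:45Z auth user=alice src=192.0.2.5 result=failure
2023-10-02T09:07:58Z auth user=alice src=192.0.2.5 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"result=(?P<result>success|failure)$")


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    src: str
    success: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed format; lines that are not auth events are skipped."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, m["user"], m["src"], m["result"] == "success"))
    return events


def detect(events: List[AuthEvent], window: timedelta = timedelta(minutes=10),
           spray_min_users: int = 5, brute_min_attempts: int = 5) -> List[dict]:
    """Return findings: at most one 'spray' per source, one 'brute_force' per
    (source, user), and a 'success_after_spray' for each successful login from
    a source that was already spraying."""
    findings: List[dict] = []
    failures: Dict[str, List[AuthEvent]] = defaultdict(list)
    successes: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        (successes if e.success else failures)[e.src].append(e)

    for src, fails in failures.items():
        spray_reported = False
        brute_reported: Set[str] = set()
        for i, first in enumerate(fails):
            # Sliding window anchored at each failure from this source.
            in_window = [e for e in fails[i:] if e.ts - first.ts <= window]
            per_user = Counter(e.user for e in in_window)
            if not spray_reported and len(per_user) >= spray_min_users:
                findings.append({"type": "spray", "src": src,
                                 "distinct_users": len(per_user),
                                 "first_seen": first.ts.isoformat()})
                spray_reported = True
                # A success that follows a spray is the event worth paging on.
                for s in successes.get(src, []):
                    if s.ts >= first.ts:
                        findings.append({"type": "success_after_spray",
                                         "src": src, "user": s.user})
            for user, n in per_user.items():
                if n >= brute_min_attempts and user not in brute_reported:
                    findings.append({"type": "brute_force", "src": src,
                                     "user": user, "attempts": n})
                    brute_reported.add(user)
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

The per-source grouping is the weak point: a sprayer that rotates IP addresses spreads its failures across many sources, so in production also count distinct usernames failing tenant-wide within the window, and key on attributes that survive rotation, such as the user agent or the failure reason reported by the identity provider.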

Provide end-to-end protection for email, accounts, and data with Spanning 360

Spanning 360 is the only enterprise-class, end-to-end protection solution for Microsoft 365 and Google Workspace with advanced features to help prevent, pre-empt, and mitigate account compromise and data loss caused by phishing attacks, ransomware and malware, human error, malicious behavior, and configuration and synchronization errors.

Spanning 360 allows you to:

  • Prevent: Detect and block even the most sophisticated email threats
  • Pre-empt: Secure at-risk accounts before data loss occurs
  • Mitigate: Quickly find and restore data to its original state with just a few clicks

