What Is Password Spraying?
In a password spraying attack, a threat actor tries a single common password against many accounts on the same application. This sidesteps the account lockouts that a traditional brute force attack triggers by trying many passwords against one account. Password spraying is particularly effective against businesses where passwords are shared or reused across accounts.
How a Password Spraying Attack Is Conducted
A password spraying attack happens in two steps. The attacker acquires a list of usernames, then attempts to log in to every one of those usernames with the same password. The attacker repeats the process with a new password each round until a login succeeds, giving them access to that account and the systems behind it.
Why Password Spraying Is Considered a Brute Force Attack
Password spraying is a brute force attack that takes a different approach from traditional brute force attacks, which try to guess the password for a single account. It still follows the mass trial-and-error approach that defines brute force: it guesses passwords across numerous accounts until it finds a match.
Common Signs You’ve Been a Victim of a Password Spraying Attack
Signs of a password spraying attack include:
- A high volume of login activity over a brief period
- A spike in failed login attempts by active users
- Login attempts against nonexistent or inactive accounts
How Password Spraying Affects Business
A password spraying attack can hit several layers of a business. The attack could target customer accounts so that their credentials can be reused in credential stuffing across other sites. Password spraying can also be used to break into a new employee's business account. With stolen credentials in hand, attackers can attempt privilege escalation to gain broader access to the confidential details of your business. A successful password spraying attack leaves you more exposed to a variety of future attacks.
What Password Spraying Can Do to a Business’s Bottom Line
A password spray attack, if successful, can cause significant financial harm to a business. An attacker using apparently legitimate credentials can access your financial accounts to make fraudulent purchases. Left undetected, this can become a financial burden on your business. Recovery time from a cyberattack usually takes two to four weeks, but in some cases can last for months.
Password spraying doesn't just affect the finances of a business; it can significantly slow down or hamper day-to-day operations. Malicious companywide emails sent from a compromised account could halt productivity for the day. An attacker who takes over a business account could cancel purchases, change delivery dates for services or steal sensitive information.
How a Password Spraying Attack Affects Your Customers
One significant impact a password spraying attack can have on your business is a loss of customer confidence. If your business is breached by a brute force attack of any kind, customers are less likely to trust that their data and information is safe with you. They may take their business elsewhere, causing additional financial harm.
Another potential issue with a successful password spray attack is that the attacker can use your compromised credentials in a phishing attack. An email sent to a customer from one of your accounts could cause financial harm to both you and the customer, resulting in further loss of reputation.
How to Defend Against Password Spraying Attacks
Enforcing Strong Passwords
Enforcing strong, complex passwords that can’t be easily guessed is a simple yet effective tactic IT teams should take to prevent password spraying attacks.
Login Detection
IT teams should also set up detection for login attempts against multiple accounts from a single host within a short window of time. This is the clearest indicator of a password spraying attempt.
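The following is an added example, not code from the original article or from any vendor product, showing the detection logic described above run over a handful of constructed authentication log lines. It flags a source host that fails logins against many distinct usernames inside a sliding window, and separately lists attempts against usernames that do not exist in the (constructed) directory, which covers the "nonexistent accounts" sign listed earlier. The log format, IP addresses, usernames and thresholds are all assumptions for the example.

```python
"""Toy password-spray detector over constructed authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed format:
# "<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAILURE
2024-03-01T09:00:03 203.0.113.7 bob FAILURE
2024-03-01T09:00:05 203.0.113.7 carol FAILURE
2024-03-01T09:00:07 203.0.113.7 dave FAILURE
2024-03-01T09:00:09 203.0.113.7 svc_backup FAILURE
2024-03-01T09:00:11 203.0.113.7 jdoe FAILURE
2024-03-01T09:01:00 198.51.100.4 alice FAILURE
2024-03-01T09:01:20 198.51.100.4 alice SUCCESS
2024-03-01T09:30:00 192.0.2.9 erin FAILURE
2024-03-01T09:31:00 192.0.2.9 erin FAILURE
"""

# Constructed directory of accounts that actually exist.
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin", "svc_backup"}


def parse_log(text):
    """Turn the raw lines into (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: distinct_accounts} for every host whose failed logins hit
    at least `min_accounts` different usernames inside any `window`-long interval.
    A single user mistyping their own password never trips this, because the
    distinct-account count for that host stays at one."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAILURE":
            failures_by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(fails)):
            # Drop failures that fell out of the window relative to the newest one.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {user for _, user in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                alerts[ip] = max(len(distinct), alerts.get(ip, 0))
    return alerts


def unknown_account_attempts(events, known_users):
    """Return sorted (source_ip, username) pairs for attempts against accounts
    that do not exist, a sign that the attacker is working from a guessed list."""
    return sorted({(ip, user) for _, ip, user, _ in events if user not in known_users})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("unknown accounts:", unknown_account_attempts(evs, KNOWN_USERS))
```

In this constructed sample, the host 203.0.113.7 is reported with six distinct accounts in well under five minutes, the user who mistyped once from 198.51.100.4 and the two failures against erin from 192.0.2.9 are not, and the attempt against the nonexistent jdoe is listed separately. The window and threshold are the knobs to tune against your own baseline of legitimate failed logins.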
Stronger Lockout Policies
One of the best ways to defend against password spraying is setting an appropriate threshold for the lockout policy at the domain level.
The threshold needs to strike a balance: low enough that attackers can't make numerous authentication attempts within the lockout period, but not so low that legitimate users are locked out of their accounts for a simple typo. It is also important to have a clear process for unlocking accounts and resetting passwords once the user's identity has been verified.
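The following is an added example, not code from the original article or from any directory product, that models a lockout policy with the three settings a domain policy typically exposes (failure threshold, observation window and lockout duration) and walks through the balance the paragraph describes. It shows a user with a few typos staying unlocked, a single-account brute force tripping the lock, and the lock expiring on its own; it also shows that a spray of one attempt per account never reaches a per-account threshold, which is why the per-host detection described under Login Detection is still needed alongside the lockout policy. The threshold and window values and the account names are assumptions for the example.

```python
"""Toy account-lockout policy evaluator (added example; not a real directory service)."""
from datetime import datetime, timedelta


class LockoutPolicy:
    """Counts failed logins per account inside an observation window and locks the
    account for `lockout_duration` once `threshold` failures accumulate."""

    def __init__(self, threshold=10, observation_window=timedelta(minutes=30),
                 lockout_duration=timedelta(minutes=30)):
        self.threshold = threshold
        self.observation_window = observation_window
        self.lockout_duration = lockout_duration
        self.failures = {}      # account -> failure timestamps still inside the window
        self.locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Register a failed attempt at time `now`; return True if the account is locked."""
        if self.is_locked(account, now):
            return True
        # Keep only failures that are still inside the observation window.
        recent = [t for t in self.failures.get(account, []) if now - t <= self.observation_window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lockout_duration
            self.failures[account] = []  # counter resets when the lock is applied
            return True
        return False

    def unlock(self, account):
        """Administrative unlock, used after the user's identity has been verified."""
        self.locked_until.pop(account, None)
        self.failures.pop(account, None)


def simulate():
    """Run the scenarios from the text against one policy and report the outcomes."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)  # constructed start time
    policy = LockoutPolicy(threshold=10)

    # A legitimate user mistypes three times in a minute: well under the threshold.
    for i in range(3):
        policy.record_failure("alice", t0 + timedelta(seconds=10 * i))
    alice_locked = policy.is_locked("alice", t0 + timedelta(minutes=1))

    # A single-account brute force: ten failures in two minutes trips the lock.
    for i in range(10):
        policy.record_failure("bob", t0 + timedelta(seconds=12 * i))
    bob_locked = policy.is_locked("bob", t0 + timedelta(minutes=2))

    # A spray: one failure per account across fifty accounts never reaches the
    # per-account threshold, so the lockout policy alone does not stop it.
    for i in range(50):
        policy.record_failure(f"user{i}", t0 + timedelta(seconds=i))
    spray_locked_any = any(policy.is_locked(f"user{i}", t0 + timedelta(minutes=1))
                           for i in range(50))

    # The lock on bob expires once lockout_duration has passed.
    later = t0 + timedelta(minutes=2) + policy.lockout_duration + timedelta(seconds=1)
    bob_locked_after_expiry = policy.is_locked("bob", later)

    return {
        "alice_locked": alice_locked,
        "bob_locked": bob_locked,
        "spray_locked_any": spray_locked_any,
        "bob_locked_after_expiry": bob_locked_after_expiry,
    }


if __name__ == "__main__":
    print(simulate())
```

Lowering the threshold makes the brute-force case lock sooner but raises the chance that a user with a few typos is locked out; the `unlock` method stands in for the verified-reset process the text recommends, and the spray scenario is the reason a per-account lockout has to be paired with per-host detection.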