What is password spraying?
Posted on 17 October 2018 by Beaming Support
Password spraying is a type of brute-force attack in which the hacker tries to gain access to an organisation’s systems by testing a small number of commonly used passwords against a large number of accounts, on the assumption that within a large group of people there is likely to be at least one using a common password. Because each account sees only one or two guesses, the attempts stay below the account lockout threshold; “blasting” a single account with many passwords, by contrast, would lock it out and alert the target to what is happening.
How does it affect businesses?
Hackers gather information about a company and its employees from freely available sources: the corporate website, published material and company and personal social media accounts. From these they can identify who works at the organisation, and once they have found one username the others will very likely follow the same format, e.g. firstname.lastname. They then try passwords that are used very often, such as “Password123”, which many people (still, despite the warnings) fall back on when they cannot think of a password or just want a quick and easy one. If the hacker gains access to one email account via OWA (Outlook Web Access), which lets users read email in a browser rather than in the Outlook application, they can harvest other users’ email addresses from the global address list and spray those as well. The confidentiality of email communications is breached at that point, and if they also manage to access a company server they can view private data that could be sold or used as leverage to extort a ransom.
How can a password spraying attack be recognised and stopped?
A password spray attack can be flagged up in various ways. A run of account lockouts is one sign, but a spray that is tuned to stay below the lockout threshold will not produce any. The more reliable signature is a large number of failed logons spread across many different user accounts, coming from the same source IP address (or a small set of them) inside a short window; on Windows hosts these appear as Event ID 4625 (“An account failed to log on”) in the Security log. Administrators can also compare the IP addresses that users are logging in from with their usual locations. Any account or source address showing such anomalies can be disabled or blocked immediately.
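The detection logic described above, run over a few constructed log lines, as an added example that is not code from the original Beaming post. The log format (timestamp, result, username, source IP) is a simplified one invented for the example, and the 30-minute window and the thresholds of five accounts and two guesses per account are assumptions to tune for your own environment. The point it makes is that a spray and a single-account brute force look different once failures are grouped by source and by account:

```python
"""Flag password spraying in authentication logs.

Added example, not code from the original Beaming post. The log format
(timestamp, result, username, source IP) is a constructed, simplified one;
the window and thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 sprays one guess per account and gets in
# to frank.black; 198.51.100.7 hammers a single account (classic brute force);
# 192.0.2.44 is an ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """\
2018-10-17T08:00:01 FAIL alice.smith 203.0.113.10
2018-10-17T08:00:03 FAIL bob.jones 203.0.113.10
2018-10-17T08:00:05 FAIL carol.white 203.0.113.10
2018-10-17T08:00:07 FAIL dan.brown 203.0.113.10
2018-10-17T08:00:09 FAIL erin.green 203.0.113.10
2018-10-17T08:00:11 SUCCESS frank.black 203.0.113.10
2018-10-17T08:00:20 FAIL alice.smith 198.51.100.7
2018-10-17T08:00:21 FAIL alice.smith 198.51.100.7
2018-10-17T08:00:22 FAIL alice.smith 198.51.100.7
2018-10-17T08:00:23 FAIL alice.smith 198.51.100.7
2018-10-17T08:00:24 FAIL alice.smith 198.51.100.7
2018-10-17T08:01:00 FAIL bob.jones 192.0.2.44
2018-10-17T08:01:30 SUCCESS bob.jones 192.0.2.44
"""


def parse(log_text):
    """Parse the constructed format into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user.lower(), ip))
    return events


def failures_by_ip(events):
    """Group failed logons by source IP, each list sorted by time."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    for lst in fails.values():
        lst.sort()
    return fails


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {ip: sorted accounts} for sources that failed against at least
    min_accounts distinct users inside one sliding window while trying each
    user no more than max_per_account times. That wide, shallow spread is
    the spray signature that never trips a per-account lockout threshold."""
    sprays = {}
    for ip, fails in failures_by_ip(events).items():
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                sprays[ip] = sorted(per_user)
                break
    return sprays


def detect_brute_force(events, min_attempts=5):
    """Contrast case: one source, one account, many failures (this is the
    pattern account lockout was designed to catch)."""
    hits = {}
    for ip, fails in failures_by_ip(events).items():
        per_user = defaultdict(int)
        for _, user in fails:
            per_user[user] += 1
        for user, n in per_user.items():
            if n >= min_attempts:
                hits[ip] = user
    return hits


def successes_from(events, suspect_ips):
    """Accounts that logged in successfully from a spraying source: these are
    the passwords the spray found, and the accounts to disable first."""
    return sorted({user for _, result, user, ip in events
                   if result == "SUCCESS" and ip in suspect_ips})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    found = detect_spray(evts)
    print("spraying sources:", found)
    print("likely compromised:", successes_from(evts, found))
    print("single-account brute force:", detect_brute_force(evts))
```

Grouping by source IP is the simplest cut; a spray run through rotating proxies will not cluster by IP, so in practice the same distinct-account count is also worth computing across all sources per window, and the successful logons from a flagged source are the ones to act on first.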
To prevent a password spraying attempt from being successful we would recommend these basic measures:
- Security policies should include what kind of applications and data can be accessed remotely.
- Implement rules on creating strong passwords that cannot easily be guessed. Complexity requirements alone do not stop a spray, since “Password123” satisfies most of them; check new passwords against a deny list of commonly used passwords and of words related to the organisation.
- Introduce two-factor authentication to company applications to add an additional layer of security.
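One way to implement the password rule in the list above, as an added example that is not code from the original post or from the NCSC guidance it links to. COMMON_BASES is a small constructed deny list standing in for a proper breach-derived one, the leet-speak table and the “at most three extra characters” rule are this example's own heuristics, and the 12-character minimum is an assumption. The check normalises the candidate the way a sprayer's wordlist already does (lowercase, strip the trailing digits and symbols, undo common substitutions) before comparing it with the deny list, so that “P@ssw0rd123!” is rejected as the same password as “password”:

```python
"""Deny-list check for spray-friendly passwords.

Added example; not code from the original post or from the NCSC guidance
it links to. COMMON_BASES is a small constructed deny list standing in for
a breach-derived one, and the 12-character minimum is an assumption.
"""
import re

# Constructed deny list: the base words attackers actually spray, without the
# digits and symbols users bolt onto them (Password123, Welcome1, Summer2018).
COMMON_BASES = {
    "password", "welcome", "letmein", "qwerty", "changeme", "admin",
    "iloveyou", "monkey", "dragon",
    "spring", "summer", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Undo the substitutions sprayers already include in their wordlists.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password):
    """Lowercase, strip trailing digits/punctuation, then undo leet-speak:
    'P@ssw0rd123!' -> 'password', 'Summer2018' -> 'summer'."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET)


def is_spray_candidate(password, org_terms=()):
    """True if the password reduces to a denied base word, or is a denied
    word of four or more letters with at most three extra characters around
    it (mypassword, 1summer). org_terms adds company-specific words."""
    base = normalise(password)
    deny = COMMON_BASES | {normalise(t) for t in org_terms}
    if base in deny:
        return True
    return any(len(term) >= 4 and term in base and len(base) <= len(term) + 3
               for term in deny)


def check_password(password, org_terms=(), min_length=12):
    """Return None when the password is acceptable, otherwise the reason it
    was rejected. The deny list is checked first so the user is told the real
    problem with 'Password123' rather than just its length."""
    if is_spray_candidate(password, org_terms):
        return "common or organisation-related password"
    if len(password) < min_length:
        return "shorter than %d characters" % min_length
    return None


if __name__ == "__main__":
    for candidate in ("Password123", "P@ssw0rd!", "Summer2018", "Beaming2018!",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, org_terms=("Beaming",)))
```

Run at password set or reset time, this rejects exactly the guesses a spray is built from while leaving long, unusual passphrases alone; an all-digit password is reduced to an empty string by the normaliser and is caught by the length rule instead.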
There’s more information about password spraying available on the NCSC’s website.