What is password spraying?
Password spraying, also known as a password spray attack, is when an attacker uses common passwords to attempt to access several accounts on one domain. Using a list of common weak passwords, such as 123456 or password1, an attacker can potentially access hundreds of accounts in one attack.
If a cybercriminal gains access to just one of your accounts, they could have access to your:
- Bank information
- Credit card details
- Home address
- Social Security number
- And more
Password spraying vs credential stuffing
The main difference between password spraying and credential stuffing is that password spraying uses a list of common passwords to access multiple accounts on one domain, whereas credential stuffing uses just one set of credentials to attempt to access different accounts across multiple domains.
Credential stuffing takes advantage of the fact that many people use the same login credentials for multiple accounts. These are usually fully verified credentials (username and password) and are often leaked as part of a data breach.
Unlike credential stuffing, password spray attacks are typically carried out with a spraying toolkit (a collection of software tools or a single program) and by gathering usernames from a directory or an open source. The toolkit is used with commands to obtain the usernames and then spray a list of common passwords in an attempt to break in to accounts.
How to detect password spraying attacks
Detecting password spraying as a personal user
Use of MFA: Securing accounts with Multi-Factor Authentication (MFA) adds an additional authentication factor to your username and password to access your accounts, as well as notifications when a new device attempts to access them. Enabling MFA can help you detect password spraying attacks because when someone attempts to log in to your account, you will get notified to provide another form of authentication. If you receive alerts that were not prompted by you, there is a chance that you are being targeted in a password spraying attack.
Dark web monitoring: Using a dark web monitoring service to secure your data will allow you to receive notifications if any of your credentials have been breached. Dark web monitoring tools like BreachWatch® monitor the dark web for breached accounts and alert you instantly so you can take action to protect your online identity and data by changing your passwords immediately.
Detecting password spraying for businesses
Pay close attention to logins: Continuous inputting of bad usernames is generally a sign of an attack. Make sure your IT team is paying close attention to company logins and is notified when incorrect usernames are continuously inputted.
Monitor for an increase in account lockouts, authentication attempts or failed logins:: Password spraying is dangerous, but not always successful. Make sure you’re notified when failed logins occur. Monitor failed login attempts for patterns. One or two consecutive failed logins may not always cause for alarm, but several failed logins from different accounts are worth looking into.
How to prevent password spraying
Preventing password spraying for businesses
Invest in a business password manager: Business password managers are tools that aid IT administrators in enforcing the use of strong passwords that meet password policies. Not only are business password managers effective in ensuring employees are always using strong passwords, but they also make it easy for IT admins to enforce the use of MFA where it’s an option.
Educate employees on cybersecurity: Institute company-wide education for all employees on the dangers of password spraying, other cybersecurity threats and the need for better passwords. Include information on how to create strong passwords, recognise threats and what employees should do if they think one of their accounts has been breached.
Throttle login attempts: Throttling login attempts helps organisations limit the amount of attempts a user has when logging in to an account. For example, if you set the limit to three failed login attempts after a user has failed to log in three times, they’ll be locked out of their account. The only way for them to log in to their account now would be by having a system administrator help them, but only once they’ve verified their identity.
Preventing password spraying as a personal user
Use multi-factor authentication: As mentioned previously, MFA requires extra credentials to log in to your accounts and notifies you of attempted logins. Diversifying your MFA requirements adds an extra layer of security to your online accounts. For example, don’t only use Time-Based One-Time Passwords (TOTP), try using biometrics on certain sensitive accounts as well.
Don’t use common passwords: Some of the most common passwords involve words like password, love and sequential numbers. Create unique, complex passwords for each account and don’t recycle passwords. A password manager can help you generate strong, unique passwords and store them safely so you don’t have to remember them all on your own.
Stay protected at all times
The danger of password spraying has increased due to the frequent use of common passwords. According to our 2022 US Password Practices Report, 56% of respondents admitted to reusing passwords across multiple or all of their accounts.
Staying protected against password spraying starts with securing your online accounts with strong passwords – see how a password manager like Keeper® can help.