Password Spraying Attacks and How to Prevent Them

Vickie Li

Have you heard of password brute-force attacks? A brute-force attack is when attackers try to compromise an account by guessing its password. Let’s say an attacker is trying to compromise the account of the user “john” by brute-forcing the account password. The attacker will first generate a password list to use. They can either use a dictionary of common passwords found online, or a list of likely passwords generated based on knowledge of the user. Then, the attacker uses a script to rapidly fire off login attempts to the service. They try to log into the service with the username “john” and different passwords from the password list until they find the correct one.

username: john, password: 123456
username: john, password: password
username: john, password: 12345678
username: john, password: qwerty
username: john, password: password123
username: john, password: abc123
username: john, password: letmein
username: john, password: qwertyuiop

But modern applications are getting smarter. The majority of web applications now implement account lockout policies. If an application detects that an account has more than a few failed login attempts in a short timeframe, the application will block the account from further logins. The application will often notify the user of the failed login attempts and alert system admins of a possible intrusion attempt. This means that traditional brute-force attacks are no longer feasible for the majority of applications. To avoid account lockouts, attackers have to space out their password guesses, which makes brute-forcing too time-consuming. That’s why attackers are utilizing an attack called “password spraying” as an alternative to brute-forcing.

What Is Password Spraying?

Password spraying is also known as the “low-and-slow” method. It's a technique attackers use to avoid account lockout and intrusion detection while guessing passwords and gaining access to accounts. During a password spraying attack, the attacker attempts to access a large number of accounts with a small list of commonly used passwords. They will first try to log in to every username with the first common password before trying the second common password across all accounts, and so on. For example, login attempts generated by a traditional brute-force attack look like this:

username: john, password: 123456
username: john, password: password
username: john, password: 12345678
username: john, password: qwerty
username: chris, password: 123456
username: chris, password: password
username: chris, password: 12345678
username: chris, password: qwerty

While the login attempts of a password spraying attack look like this:

username: john, password: 123456
username: chris, password: 123456
username: dave, password: 123456
username: richard, password: 123456
username: john, password: password
username: chris, password: password
username: dave, password: password
username: richard, password: password

By trying the same password on a large number of accounts, attackers can naturally space out the guesses on every single account. And because many users use weak passwords, it is often possible to get a hit after trying just a few of the most common passwords.

Password Spraying Targets

Attackers utilize password spraying attacks when they simply need to gain access to a system using an account. In this case, they do not need to compromise any specific individual account. They can use whichever account they crack to get privileged access to business platforms and gather intelligence or compromise other aspects of corporate security. Attackers are especially known to aim password spraying attacks at accounts on single sign-on (SSO) systems. If attackers can gain access to a single platform using password spraying, they can gain access to the entire SSO system.

How To Prevent Password Spraying Attacks

Unfortunately, password spraying attacks are simple to execute and often yield effective results. There are even open-source tools, such as THC-Hydra, that allow attackers to run password spraying attacks with a single command. But password spraying attacks only succeed when organizations permit weak passwords and do not implement multi-factor authentication (MFA). So, a reliable way of preventing password spraying attacks is to enforce strong password policies for all users and to implement MFA on all login endpoints.

Outlined below are some rules for strong passwords that can be enforced as a part of your password policy. These can help prevent password spraying attacks as well as more traditional password guessing attacks such as dictionary attacks.

Strong passwords should be at least eight characters long.
They should not contain phrases commonly used in passwords, such as “password”, “qwerty”, or “secret”.
Every password should contain uppercase letters, lowercase letters, numbers, and special characters.
They should not contain an employee’s personal information, such as their department name, username, or birthdates.
And finally, previous passwords should not be reused.

You should also implement MFA for all logins. Multi-factor authentication adds to the security of your application and prevents password spraying attacks completely. You can outsource MFA to a third-party provider like Okta Verify, Authy, or Google Authenticator. It's especially important to implement MFA for all logins if your organization uses a single sign-on system. If a single login does not have MFA implemented and becomes compromised, the compromised account could, in turn, be used to access the entire SSO system.

You can also enforce session-based rate limiting. Instead of locking down an account if it has had many failed login attempts, you can check to see if the same IP address or password pattern is used to log in to multiple accounts. This should alert you that there is a possible password spraying attempt in action, and you can block that IP address from future logins. For example, the tool fail2ban scans log files and bans IP addresses that have too many failed login attempts.
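The check described above, as an added example that is not part of the original article: it runs a per-account lockout counter and a per-source-IP counter over the same login events, showing that only the second one notices the spraying pattern. The log format, the sample events, the 10-minute window and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed detection window
# Constructed sample log: (timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "john", False),
    ("2024-01-01T10:00:20", "203.0.113.7", "chris", False),
    ("2024-01-01T10:00:40", "203.0.113.7", "dave", False),
    ("2024-01-01T10:01:00", "203.0.113.7", "richard", False),
    ("2024-01-01T10:01:10", "198.51.100.4", "alice", False),  # user mistyping
    ("2024-01-01T10:01:20", "198.51.100.4", "alice", False),
    ("2024-01-01T10:01:30", "198.51.100.4", "alice", True),
    ("2024-01-01T10:30:00", "203.0.113.7", "john", False),    # next round
    ("2024-01-01T10:30:20", "203.0.113.7", "chris", False),
]

def failed_logins(events):
    """Yield (time, ip, user) for failed attempts in chronological order."""
    for ts, ip, user, ok in sorted(events):
        if not ok:
            yield datetime.fromisoformat(ts), ip, user

def locked_accounts(events, max_failures=3):
    """Account lockout view: users with max_failures failures inside WINDOW."""
    recent, locked = defaultdict(deque), set()
    for ts, _ip, user in failed_logins(events):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked.add(user)
    return locked

def spraying_ips(events, min_accounts=4):
    """Source view: IPs failing against min_accounts distinct users in WINDOW."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, user in failed_logins(events):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        if len({u for _, u in q}) >= min_accounts:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    print(locked_accounts(SAMPLE_EVENTS), spraying_ips(SAMPLE_EVENTS))
```

On the sample data no account reaches the lockout threshold, while the source that touched four different accounts within the window is flagged.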

Could My Account Be Sprayed?

If you are curious whether your account can be sprayed, or whether your password is a common credential found in password lists, you can check out a list of common passwords here.
