All you need to know about Password Spraying

Password spraying is a technique that differs from brute force and is a method that can be very effective in attacks against businesses.

20-03-2023 - 6 minute read. Posted in: hacking.


In short, password spraying is a method by which threat actors attempt to log in to many user accounts on the same application or domain. Instead of hammering one account with many guesses, they take a single commonly used password and try it once against every account on their list, then move on to the next password and repeat. Because each account only sees one or two attempts per round, they avoid the main downside of brute force: after too many failed attempts against the same account, that account is typically locked out, and the attack gets noticed.

In the following, we will go into more detail about what exactly password spraying is, how to detect an attack, and what you can do to protect yourself against password spraying.

How does password spraying work?

In a password spraying attempt, the hacker typically uses automated tools together with a list of usernames harvested from open sources such as company websites, employee directories, social media or earlier data breaches. In addition, they usually have a list of the most frequently used passwords, which can potentially give them access to hundreds of user accounts. They use passwords from this list to "spray" over the usernames to get a match and gain access to accounts.

By password spraying, hackers test the security of many accounts at the same time. Because this method does not hit the same account several times in a row, it stays below the threshold at which an account is locked for too many failed attempts, which is the risk in a traditional brute force attack. The hacker can therefore continue the attack over a longer period of time, often pausing between rounds so that the failure counter on each account has time to reset. For the same reason, password spraying is not aimed at one particular person, but is a broad method for finding any weak account in the organization.

Therefore, user accounts with weak, old or frequently used passwords are the weak link that can give hackers access to the network. In other words, it is these types of accounts that make password spraying so successful. In addition, companies where several employees share the same password are particularly vulnerable to password spraying.

Password spraying can also include the following methods:

  • Online research and the use of social engineering to target specific organizations or user accounts.
  • Using frequent passwords or easy-to-guess passwords to launch a password spraying attack.
  • Using compromised accounts (e.g. through a data breach) to gain access to even more user credentials and thus more accounts.
  • Continuously infiltrating networks to steal data.

How to detect Password Spraying on personal accounts

By detecting a password spraying attack at an early stage, you can react and protect your accounts before any damage is done. Here's how to do it:

  • Use multi-factor authentication (MFA): When you use MFA, you add an extra layer of protection to your accounts. This means that in addition to entering your username and password, you will also need to confirm the login with a second factor, such as a PIN, a code from an MFA app or biometric data such as a fingerprint or facial recognition. In addition, MFA will often notify you when a new device tries to log in, which acts as an alert in case of unauthorized activity: if you receive an MFA prompt you did not trigger, someone has your password, and you should change it.
  • Keep an eye on data breach monitoring: When you use a service that offers data breach monitoring, you will be notified if your information appears in a breach. This way you can act in time, for example by changing your password. In Moxso we offer data breach monitoring, which uses data collected from hundreds of data breaches to identify security breaches. Our users are alerted in the event of a breach so they can protect their accounts and prevent compromise.

How to detect Password Spraying on corporate accounts

As a company, you typically have other options for monitoring irregularities in employee logins. IT departments can benefit from keeping an eye on:

  • Failed logins against many different usernames: Pay attention when the same source fails to log in across a large number of different accounts, including usernames that do not exist in your directory. A legitimate user mistypes his or her own name, not everyone else's, so this is a clear sign of an attack.
  • Monitoring logins: Monitoring login attempts against many accounts originating from a single host, IP address or user agent within a short period of time is one of the best defenses against password spraying. Keep in mind that attackers often rotate source addresses, so also watch the total number of failed logins across the whole organization, not only per source.
  • An increase in the number of failed logins and accounts being locked: It is also a good idea to monitor patterns in failed login attempts, in particular a rise in failures spread thinly across many accounts, which is the signature of spraying. A sudden wave of lockouts also deserves attention: spraying is designed to stay below the lockout threshold, so lockouts often mean the attacker has misjudged your policy or has switched to brute force.
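The detection logic described above, written out as an added example (it is not code from the original post or from Moxso). It runs over a small constructed authentication log in a deliberately simplified format of our own, groups failed logins by source address, and classifies a source as spraying when one time window contains failures against many distinct accounts with only one or two tries each, as opposed to brute force, where one account absorbs most of the failures. A successful login from a flagged source is reported as a likely compromise. The thresholds and the log format are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page). Each line is
# "<UTC timestamp> <OK|FAIL> user=<name> src=<ip>", a deliberately simplified format.
# 203.0.113.7 sprays one guess across many accounts and gets in as "grace";
# 198.51.100.9 brute-forces a single account; 192.0.2.44 is a user mistyping once.
SAMPLE_LOG = """\
2023-03-20T08:00:01Z FAIL user=alice src=203.0.113.7
2023-03-20T08:00:03Z FAIL user=bob src=203.0.113.7
2023-03-20T08:00:05Z FAIL user=carol src=203.0.113.7
2023-03-20T08:00:07Z FAIL user=dave src=203.0.113.7
2023-03-20T08:00:09Z FAIL user=erin src=203.0.113.7
2023-03-20T08:00:11Z FAIL user=frank src=203.0.113.7
2023-03-20T08:00:13Z OK user=grace src=203.0.113.7
2023-03-20T08:01:00Z FAIL user=alice src=198.51.100.9
2023-03-20T08:01:02Z FAIL user=alice src=198.51.100.9
2023-03-20T08:01:04Z FAIL user=alice src=198.51.100.9
2023-03-20T08:01:06Z FAIL user=alice src=198.51.100.9
2023-03-20T08:01:08Z FAIL user=alice src=198.51.100.9
2023-03-20T08:05:00Z FAIL user=bob src=192.0.2.44
2023-03-20T08:05:30Z OK user=bob src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_users=5, spray_max_per_user=2,
                     brute_min_attempts=5):
    """Classify each source address as 'spray', 'brute_force' or leave it unflagged.

    spray:       within one window, failures against >= spray_min_users distinct
                 accounts with at most spray_max_per_user failures on any one of them
                 (many accounts, few tries each).
    brute_force: within one window, >= brute_min_attempts failures on a single account.
    Any successful login from a flagged source is reported as a likely compromise.
    Thresholds are assumptions for this example; tune them to your own lockout policy.
    """
    failures = defaultdict(list)   # src -> [(ts, user), ...]
    successes = defaultdict(set)   # src -> {user, ...}
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)

    verdicts = {}
    for src, fails in failures.items():
        fails.sort()
        verdict = None
        # Slide a window starting at each failure; stop at the first window that matches.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            busiest = max(per_user.values())
            if busiest >= brute_min_attempts:
                verdict = "brute_force"
            elif len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                verdict = "spray"
            if verdict:
                break
        if verdict:
            verdicts[src] = {
                "verdict": verdict,
                "accounts_tried": len({u for _, u in fails}),
                "compromised": sorted(successes[src]),
            }
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

Against the sample log this flags 203.0.113.7 as a spray across six accounts with "grace" compromised, flags 198.51.100.9 as brute force, and leaves the single mistyped login from 192.0.2.44 alone. A real spray is usually slower than the ten-minute window used here, so in production the window should be widened to match the interval at which your lockout counter resets, and because attackers rotate source addresses, the same per-user counting should also be run over all failures organization-wide rather than only per source.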

How to protect yourself from password spraying?

Fortunately, there are also several security measures you can take to prevent being affected by password spraying, both for individuals and organizations. We recommend the following:

  • Enable multi-factor authentication (MFA): As mentioned above, enabling MFA is a great idea because it adds an extra layer of security to your accounts. As an organization, it's a good idea to implement MFA across the whole organization, including remote access, email and any legacy login that can be reached from the internet. One of the benefits of MFA is that it not only protects against password spraying, but against most attacks that rely on a stolen or guessed password. Keep in mind that MFA stops the login, not the guess: a sprayed password that reaches the MFA prompt is still a correct password and should be changed.
  • Password hygiene: Strong passwords are essential in general, and they protect not only against password spraying, but against hacking in general. You can use a password manager to keep track of your passwords, which you should of course never reuse. The password manager can also generate strong, long and unique passwords for you. It can be a particularly good idea for organizations to invest in a password manager. Organizations should also block the passwords attackers actually spray with, such as Password1, Welcome123 or the current season and year, since those are exactly the guesses a spray starts with.
  • Introduce behavior-changing awareness training: Awareness training creates behavioral changes across the organization and can contribute to a cultural change. The training will raise awareness of current threats and teach employees how to best protect themselves against them. It is important that employees are aware of how to protect their own and their company's data.
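An added example of the banned-password check mentioned under password hygiene (this is our own illustration, not code from the post or from Moxso). A plain blocklist is easy to sidestep with "P@ssw0rd1" or "Summer2023!", so the check first normalizes a candidate password back to the base word an attacker would have started from (lower-case, strip the trailing year or punctuation, undo leetspeak) and only then compares it with the list. The blocklist, the leetspeak table and the minimum length are assumptions for the example.

```python
import re

# Constructed blocklist (an assumption for this example, not a list from the page):
# base words that commonly sprayed passwords are built from, after normalization.
BANNED_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "changeme", "company"}
SEASONS_AND_MONTHS = {
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}
# Exact strings that sit near the top of every leaked-password list.
COMMON_PASSWORDS = {"123456", "123456789", "12345678", "111111", "abc123", "iloveyou"}

# Leetspeak substitutions undone before comparison, so "P@ssw0rd" matches "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
TRAILING_JUNK = re.compile(r"[^a-z]+$")   # "2023!", "1", "123!!" appended to a base word
MIN_LENGTH = 12                            # assumed policy minimum


def normalize(password):
    """Reduce a password to the base word an attacker would have started from."""
    s = password.lower()
    s = TRAILING_JUNK.sub("", s)       # strip year/number/punctuation suffixes first
    s = s.translate(LEET)              # then undo leetspeak inside the word
    return re.sub(r"[^a-z]", "", s)    # drop anything that is still not a letter


def check_password(password):
    """Return (accepted, reason). Rejects the guesses a spray list is built from."""
    if password in COMMON_PASSWORDS:
        return False, "common password"
    base = normalize(password)
    if not base:
        return False, "digits and symbols only"
    if base in BANNED_WORDS:
        return False, "banned word"
    if base in SEASONS_AND_MONTHS:
        return False, "season or month"
    if len(password) < MIN_LENGTH:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Summer2023!", "P@ssw0rd1", "Welcome123!!", "l3tm31n",
                      "tr0ub4dor&3", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

Note the order of the steps in normalize: the trailing digits are stripped before leetspeak is undone, otherwise the "0" in "2023" would be turned into an "o" and the year would survive into the comparison. The same normalization can be applied to a full breached-password list instead of the short constructed one here.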

Final thoughts

Password spraying is an effective method because many people have poor password hygiene. This manifests itself through the use of frequently used passwords, old passwords, or password reuse. For the same reason, it only takes a few employees with poor password hygiene for hackers to gain access to entire corporate networks, which can have far-reaching consequences.

Author Emilie Hartmann


Emilie Hartmann is a student and copywriter at Moxso, where she is a language nerd and always on the lookout for new and exciting topics to write about. She is currently doing her Master's in English, where she is primarily working in the fields of Creative Writing and Digital Humanities.
