The two most commonly used methods of gaining unauthorized access to accounts are (a) the Brute Force Attack and (b) the Password Spray Attack. We explained Brute Force Attacks earlier. This article focuses on the Password Spray Attack: what it is and how to protect yourself from such attacks.
Password Spray Attack Definition
Password Spray Attacks are essentially the reverse of Brute Force Attacks. In a Brute Force attack, the hacker picks one vulnerable account ID and tries passwords against it one after another, hoping that one of them will let them in. In short, Brute Force is many passwords applied to a single ID.
In a Password Spray attack, one password is applied to many user IDs in the hope that at least one of those IDs is compromised. To prepare, hackers collect a list of user IDs through social engineering, phishing, or similar methods. In any sizeable list, at least one user is likely to be using a simple password such as 12345678 or even p@ssw0rd. That weakness (or the lack of guidance on how to create strong passwords) is what a Password Spray Attack exploits.
In a Password Spray Attack, the hacker applies one carefully chosen password to every user ID he or she has collected. With luck, the hacker gains access to a single account, which then serves as a foothold for penetrating the rest of the computer network.
A Password Spray Attack can thus be defined as applying the same password to multiple user accounts in an organization in order to gain unauthorized access to at least one of those accounts.
Brute Force Attack vs Password Spray Attack
The problem with Brute Force Attacks, from the attacker's point of view, is that accounts can be locked after a certain number of attempts with different passwords. For example, if you configure the server to allow only three attempts before locking the account, three invalid password entries will lock it. Some organizations allow three invalid attempts, others up to ten. Many websites use this kind of lockout these days. It is a problem for Brute Force Attacks because the lockout alerts the administrators to the attack.
To get around that, attackers came up with the idea of collecting user IDs and applying probable passwords to all of them. Password Spray attackers take their own precautions, too. For example, after trying password1 against every user account, they do not move on to password2 right away; they leave a gap of at least 30 minutes between rounds, so that no single account accumulates failed attempts quickly enough to trigger the lockout.
Protecting against Password Spray Attacks
Both Brute Force Attacks and Password Spray Attacks can be stopped midway, provided suitable security policies are in place. If the attacker does not leave the 30-minute gap, the accounts will lock again, as long as a lockout policy exists. Other checks can be added as well, such as watching the time between login attempts on different user accounts: if two accounts see attempts within a fraction of a second of each other, that points to an automated tool rather than a person, and the minimum interval between logins on different accounts can be raised. Such policies alert the administrators, who can then shut down or lock the servers so that no read-write operation happens on the databases.
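As an added illustration of the detection logic above (this is example code, not code from the original article), the following Python script applies both rules to a few constructed log lines: a per-account failure count, which catches brute force, and a count of distinct accounts failing from one source inside a 30-minute window, which catches a spray that never trips the per-account lockout. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): "<timestamp> <source_ip> <user> <result>".
SAMPLE_LOG = """\
2024-05-01T09:00:00 203.0.113.5 alice FAIL
2024-05-01T09:00:01 203.0.113.5 bob FAIL
2024-05-01T09:00:01 203.0.113.5 carol FAIL
2024-05-01T09:00:02 203.0.113.5 dave FAIL
2024-05-01T09:00:02 203.0.113.5 erin FAIL
2024-05-01T09:00:03 203.0.113.5 frank SUCCESS
2024-05-01T09:05:00 198.51.100.7 alice FAIL
2024-05-01T09:05:30 198.51.100.7 alice FAIL
2024-05-01T09:06:00 198.51.100.7 alice FAIL
2024-05-01T09:20:00 192.0.2.9 bob FAIL
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect(events, window=timedelta(minutes=30), spray_users=5, brute_fails=3):
    """Label each source IP 'spray' (>= spray_users distinct accounts failing inside one
    window, each staying under the lockout threshold) or 'brute' (one account >= brute_fails)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        per_user = defaultdict(int)
        start, max_distinct = 0, 0
        for end, (ts, user) in enumerate(fails):
            per_user[user] += 1
            while ts - fails[start][0] > window:   # slide the window forward
                start += 1
            max_distinct = max(max_distinct, len({u for _, u in fails[start:end + 1]}))
        if max_distinct >= spray_users:
            findings[ip] = "spray"        # per-account lockout would never fire here
        elif max(per_user.values()) >= brute_fails:
            findings[ip] = "brute"        # the classic lockout case
    return findings

def accounts_hit(events, findings):
    """Accounts that logged in successfully from a source flagged as spraying."""
    return sorted({u for _, ip, u, r in events if r == "SUCCESS" and findings.get(ip) == "spray"})
```

In the sample, the spraying source fails once per account (below any three-attempt lockout) yet is flagged because five different accounts fail within seconds, and the one account it then logged into is reported for follow-up.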
The first step in protecting your organization from Password Spray Attacks is to educate your employees about the types of social engineering attacks, phishing attacks, and the importance of strong passwords, so that they do not use predictable passwords for their accounts. Another approach is for admins to issue strong passwords to users, while explaining why they must not write the passwords down and stick them on their computers.
Some tools help identify weaknesses in organizational systems. For example, if you are using Office 365 Enterprise, you can run Attack Simulator to find out whether any of your employees are using weak passwords.
What is the difference between brute forcing and password spraying?
Brute force attacks involve trying many passwords on a single account until the correct one is found, whereas password spraying uses one password across many accounts to avoid detection. Spraying relies on commonly used passwords and keeps each account below the failed-attempt limit, reducing the risk of triggering a lockout.
Is password spraying effective?
Password spraying can be highly effective, especially if users have weak or reused passwords. Attackers use this method to exploit poor password hygiene across multiple accounts, increasing their chances of success. Organizations should implement strong password policies to mitigate this risk.