What Is Password Spraying? [Brute-Force Attack Prevention]

Javed Shah

Password spraying is a risk for all organizations; if one person’s account gets hacked, the attacker could access vast amounts of sensitive information.

What is password spraying? Password spraying is a variation of a brute-force attack where an attacker will try the same password against many employees’ usernames in an organization to see if anyone uses that password.

How Does Password Spraying Work?

Password spraying attempts are a form of authentication attack where hackers leverage a dictionary of common passwords and attempt to use them against many accounts. This form of “low and slow” attack starts with the first dictionary password and attempts to use that password to log in to many accounts. It then moves to the following entry and repeats the process.

This is known as a “brute-force” attack. Rather than exploiting a hole or bug in the target’s security, the attacker simply tries to break down authentication doors by hammering login fields with thousands of password attempts.

Some of the common tactics for spraying include the following:

  • Social Engineering: In order to pick a legitimate target (usually an enterprise business or agency), hackers will use personal interactions and email phishing attempts to identify lucrative targets.
  • Common Passwords: Using common phrases like “password” or different birth date numbers can allow access to accounts where the user has not used a strong password.
  • Gather Intelligence: Once inside the system, the hacker will attempt to access a user directory and expand the attack list.
  • Exfiltrate: Hacking programs will then look for connected accounts to use as a springboard into new systems connected to similar or identical credentials in order to steal additional credentials and connected data in a process known as “credit stuffing.”

Many users might be surprised that this attack would work against modern cybersecurity tactics. Unfortunately, this attack relies on the fact that many people don’t change their passwords from defaults provided by a system or use common passwords and phrases to make remembering passwords easier.

These attacks are incredibly damaging to single sign-on and federated authentication systems where a single password allows access to multiple accounts. With this kind of setup, a compromised account can compromise multiple systems.

How Can I Prevent Password Spraying?

Like any other cyberattack, spraying can be prevented with several crucial security steps:

  • Implement Multi-Factor Authentication: The first and most important step is to implement MFA to include biometrics or other forms of verification. This approach can mitigate most password vulnerabilities at the point of attack. If the hacker needs to receive a text on a user’s phone or scan a fingerprint, it’s much harder to break into the system.
  • Force Use of Strong Passwords: Even with MFA, users should implement strong passwords longer in form, including special symbols, and avoiding common phrases or words. With this approach, you can avoid almost all dictionary-based attacks.
  • Omit Passwords as the First Authentication Step: Spraying attacks will target user-facing authentication interfaces. By requiring some other form first (like a fingerprint scan or code), you can minimize vulnerabilities.
  • Regularly Audit Systems: Follow zero-trust principles and never assume your system is secure. Audit systems, conduct vulnerability scans and deploy regular penetration testing.

What Should I Do if I Think My Organization Was Attacked with Password Spraying?

The truth is that many organizations may have already been subject to a spraying attack, and this attack may have been successful in accessing systems and stealing information.

Generally, there are a few tell-tale signs that your organization has been a victim of password spray attack:

  • Numerous login attempts across multiple accounts in a short period of time.
  • A high volume of rejected credentials is associated with those login attempts.
  • A sudden increase in locked accounts due to too many login attempts.
  • Increased activity across SSO or cloud authentication services.

This isn’t a catastrophe. If you even suspect that there has been a password attack in your organization, then there are some steps you can take to mitigate and remediate the problem:

  • Switching to MFA: Most identity and authentication providers will offer some MFA service, even if it involves passwords and email links.
  • Implement Training for Password Security: If your company insists on sticking with password systems, then train your employees on password protection best practices. This includes making complex passwords, not reusing passwords across systems, using password management systems, and spotting phishing attempts.
  • Deploy Auditing Systems: These systems log user and access events, including failed login attempts, repeated login attempts, or elevated permissions for user accounts.
  • Go Passwordless: Passwordless authentication systems omit the need for passwords with other safer forms of authentication (e.g., biometrics and token-based verification) and digital certificates tied to devices, thus eliminating the risk from spraying.

Shore Up Authentication Security with 1Kosmos BlockID

Modern authentication and identity management is working to mitigate attacks like spraying, but they don’t go far enough. A truly secure system will have to deploy a unique and powerful combination of passwordless security, decentralized ID management, and exceptional user experiences to minimize phishing, password hacks, and brute-force attacks.

1Kosmos does just this. We bring next-level authentication to enterprise customers with advanced biometrics, compliant identity proofing, and strong, decentralized ID management.

Features of BlockID include the following:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Integration with Secure MFA: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
  • Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

To learn more about passwordless security and advanced authentication, read our whitepaper: A Journey to Passwordless Authentication and Digital Identity Proofing. Also make sure to sign up for the 1Kosmos newsletter to get the latest updates on our products and services.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.