Password spraying attacks are just one method hackers use to gain unauthorized access to systems around the world. The technique itself is not complex, and a simple online search turns up instructions even cyber-novices can follow. While the attack is relatively simple and should be easy to defend against, it is effective, and it continues to grow in popularity. The FBI recently issued a warning to help raise awareness of the threat.
How Does Password Spraying Work?
Sometimes also referred to as the “low-and-slow” method or the “reverse brute force” tactic, password spraying is a type of brute force attack. A brute force attack is an attempt to gain access to a system—typically using automated software to generate candidate values—by submitting passcodes or other credentials repeatedly until one is accepted.
Traditionally, brute force attacks are carried out by throwing a long list of passwords at a single username. These are usually run in bulk, with a tool pushing many login attempts for each username from a paired list of passwords. Such attempts are often defeated by automatic account lockouts, which disable an account after a set number of failed logins.
Password spraying works in a similar but reversed manner. Attackers systematically cycle through a list of usernames, trying the same single password against each one before moving on to the next password on the list. Because each account sees only one failed attempt per pass, the per-account lockout threshold is never reached. Common passwords used by attackers include password123, 12345678, p@ssword, and similar choices. Once a password has been exhausted against the whole list, the next password is tested against the same collected usernames.
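The difference between the two patterns is easiest to see in authentication logs. The following is an added example, not code from the original article: it runs a classic per-account lockout rule and a per-source "many distinct usernames" rule over a handful of constructed log lines. The log format, thresholds, IP addresses and usernames are all invented for illustration; a real deployment would read these from the identity provider's sign-in logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One line per login attempt:
# "<ISO timestamp> user=<name> src=<ip> result=<success|failure>"
# 203.0.113.5 sprays one password across nine accounts, then lands on "judy";
# 198.51.100.7 is a user mistyping her own password; 192.0.2.9 is a classic
# single-account brute force.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice src=203.0.113.5 result=failure
2024-03-01T09:00:04 user=bob src=203.0.113.5 result=failure
2024-03-01T09:00:07 user=carol src=203.0.113.5 result=failure
2024-03-01T09:00:10 user=dave src=203.0.113.5 result=failure
2024-03-01T09:00:13 user=erin src=203.0.113.5 result=failure
2024-03-01T09:00:16 user=frank src=203.0.113.5 result=failure
2024-03-01T09:00:19 user=grace src=203.0.113.5 result=failure
2024-03-01T09:00:22 user=heidi src=203.0.113.5 result=failure
2024-03-01T09:00:25 user=ivan src=203.0.113.5 result=failure
2024-03-01T09:00:28 user=judy src=203.0.113.5 result=success
2024-03-01T09:05:00 user=carol src=198.51.100.7 result=failure
2024-03-01T09:05:20 user=carol src=198.51.100.7 result=failure
2024-03-01T09:05:45 user=carol src=198.51.100.7 result=success
2024-03-01T09:10:00 user=dave src=192.0.2.9 result=failure
2024-03-01T09:10:02 user=dave src=192.0.2.9 result=failure
2024-03-01T09:10:04 user=dave src=192.0.2.9 result=failure
2024-03-01T09:10:06 user=dave src=192.0.2.9 result=failure
2024-03-01T09:10:08 user=dave src=192.0.2.9 result=failure
2024-03-01T09:10:10 user=dave src=192.0.2.9 result=failure
"""

LOCKOUT_THRESHOLD = 5               # assumed per-account lockout after 5 failures
SPRAY_WINDOW = timedelta(minutes=30)  # assumed look-back window for the spray rule
SPRAY_MIN_USERS = 8                 # assumed: distinct failed accounts per source


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, user, src, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
        "result": result.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def locked_out_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Classic per-account rule: accounts with at least `threshold` failures.
    This catches the brute force against 'dave' but is blind to the spray."""
    fails = Counter(e["user"] for e in events if e["result"] == "failure")
    return sorted(u for u, n in fails.items() if n >= threshold)


def spray_sources(events, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS):
    """Per-source rule: flag a source whose failures, within a sliding window,
    touch at least `min_users` distinct accounts. Returns {src: max_distinct}."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts


def successes_from_spray_sources(events):
    """Triage helper: successful logins from a flagged source are the accounts
    most likely compromised and worth resetting first."""
    flagged = spray_sources(events)
    return sorted((e["src"], e["user"]) for e in events
                  if e["result"] == "success" and e["src"] in flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked out by per-account rule:", locked_out_accounts(evs))
    print("spray sources:", spray_sources(evs))
    print("successes from spray sources:", successes_from_spray_sources(evs))
```

On the constructed sample the per-account rule locks out only "dave", while the spraying source never trips it: each of its nine targets saw a single failure. The per-source rule flags 203.0.113.5 with nine distinct accounts, and the success for "judy" from that source is the compromise to investigate first. Real sprays are spread over hours or days and across many source addresses, so the window should be widened and the rule keyed on an ASN or user-agent as well as a single IP.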
How Big a Problem is Password Spraying?
Several attacks of this style have been documented by researchers. One study investigated over 100,000 unauthorized login attempts and found that approximately 60% of them targeted Microsoft 365 and G Suite users. Of those targeted accounts, approximately 25% were successfully breached. The majority of the attacks were found to originate from China, Brazil, and the US. Using this technique, attackers log in over the Internet Message Access Protocol (IMAP) and gain access to users’ cloud-based services.
How Can You Protect Yourself?
Cybercrime is always on the rise, and we continue to see new types and variations of attacks on a regular basis. To protect yourself from password spraying and other brute force attempts, it is always recommended to use complex, lengthy and unique passwords that combine upper- and lower-case letters, numbers, and special characters. Also, use two-factor authentication whenever possible. It is also best practice to require users to rotate passwords periodically. Passwords should be unique to each site and never shared with any other login. Lastly, users should log out once their session is complete.
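The passwords a sprayer tries are by definition the ones users are most likely to have chosen, so the single most effective password-policy control is to reject them at the point of selection. The following is an added example, not code from the original article: a password check that enforces the length and character-class rules above and rejects anything that collapses to a common password after lower-casing, stripping trailing digits and symbols, and undoing simple leet substitutions. The denylist here is a constructed five-entry stand-in; a real deployment would load a full breached-password corpus.

```python
import re

# Constructed stand-in for a breached/common-password corpus (illustration only).
COMMON_PASSWORDS = {"password123", "12345678", "password", "qwerty", "letmein"}

# Undo the substitutions that make "p@ssw0rd" look different from "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})
TRAILING_JUNK = "0123456789!@#$%^&*.?"


def normalize(pw):
    """Reduce a candidate to the base word a sprayer would start from."""
    base = pw.lower().rstrip(TRAILING_JUNK)
    return base.translate(LEET_MAP)


def check_password(pw, min_length=12, min_classes=3, denylist=COMMON_PASSWORDS):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    classes = (
        re.search(r"[a-z]", pw),
        re.search(r"[A-Z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    )
    if sum(1 for c in classes if c) < min_classes:
        problems.append("needs at least %d character classes" % min_classes)
    if pw.lower() in denylist or normalize(pw) in denylist:
        problems.append("matches a common password")
    return problems


if __name__ == "__main__":
    for candidate in ("p@ssword", "P@ssw0rd2024", "correct-horse-Battery-7"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that "P@ssw0rd2024" satisfies every composition rule yet is still rejected, because after normalization it is just "password": composition rules alone do not stop a spray, the denylist does.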