Password Spraying: What It Is and How to Avoid Falling Victim to It

March 31, 2020

Password spraying has become one of the most effective ways for cybercriminals to access accounts, but what is it exactly and how can you prevent becoming a victim of it? Here’s what you need to know.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, defines password spraying as a “type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password, and so on.” This differs from a traditional brute-force attack, which hammers one account with many different passwords until the account locks out and the attacker moves on to the next one. Password spraying inverts that loop: the attacker takes a list of accounts, tries one very common password against every account on the list, waits long enough for each account's failed-attempt counter to reset, and then tries the next password. Because any single account sees only one or two failures per lockout window, the attack stays below the lockout threshold and below the notice of anyone who is only watching for locked-out accounts.

Password spraying can target any type of account, from webmail to remote desktop access to cloud-based services, and single sign-on portals are especially attractive because one guessed password opens several services at once.
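To make the “common passwords” point concrete, here is an added example, written for this article and not code from BARR or CISA, that builds the kind of short candidate list a sprayer actually tries and screens a proposed password against it. The company name (“Acme”), the year, the eight-character/three-character-class complexity rule and the hand-built denylist are all constructed assumptions. The point it demonstrates is that passwords such as Summer2020! satisfy the complexity rule and still sit squarely on the spray list:

```python
import re

# Everything below is constructed for this example. A real deployment should
# screen against a breached/common-password corpus (for instance an identity
# provider's banned-password list), not a hand-built list like this one.
SEASONS = ["spring", "summer", "fall", "autumn", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
COMMON_BASES = ["password", "welcome", "letmein", "qwerty", "changeme"]
SUFFIXES = ["", "!", "1", "1!", "123", "123!"]


def spray_list(company, year):
    """Build the short, high-probability list a sprayer tries: a base word
    (season, month, stock word or the company name) plus the year and/or a
    predictable suffix. Returned lower-cased for comparison."""
    bases = SEASONS + MONTHS + COMMON_BASES + [company.lower()]
    years = ["", str(year), str(year)[-2:]]
    return {f"{b}{y}{s}" for b in bases for y in years for s in SUFFIXES}


def meets_complexity(pw):
    """The classic rule: at least 8 characters with letters, digits and a
    special character. Note that this says nothing about predictability."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_acceptable(pw, company, year):
    """Return (accepted, reason). Complexity is checked first; then the
    password is rejected if it is on the spray list, or if it is merely a
    common base word with digits/punctuation bolted on (which also catches
    other years and suffixes the list does not enumerate)."""
    if not meets_complexity(pw):
        return False, "fails complexity rule"
    lowered = pw.lower()
    if lowered in spray_list(company, year):
        return False, "matches common spray candidate"
    stripped = re.sub(r"[\d!@#$%^&*.\-_]+$", "", lowered)
    if stripped in set(SEASONS + MONTHS + COMMON_BASES + [company.lower()]):
        return False, "common word with predictable suffix"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Summer2020!", "Password1!", "Acme2021!", "xK9$mqPz2#"]:
        print(candidate, meets_complexity(candidate),
              is_acceptable(candidate, "Acme", 2020))
```

The suffix-stripping check is what makes this useful beyond the enumerated list: Acme2021! is not in a list built for 2020, but it is still just the company name with a predictable tail, and a sprayer who misses it this quarter will try it next.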

As for how to prevent password spraying from happening to you or an employee at your organization, here are some recommendations:

  • Set up multi-factor authentication for any account containing sensitive company and/or customer information. With MFA, a correctly guessed password is not enough on its own: the attacker also needs the second factor (an authenticator app, a hardware security key, or at minimum a one-time code sent by text or email). An MFA prompt you did not initiate is also a signal that someone has your password and is trying to log in as you; report it rather than approving it. Prefer app- or hardware-based factors over SMS codes, which can be intercepted or SIM-swapped. Read this past BARR blog that goes into more detail about MFA.
  • Use passwords that are not on the attacker's list. Sprayers are looking for quick and easy access, so they try only a handful of passwords that large numbers of people actually choose: the current season or month plus the year, the company name plus a few digits, “Password1!” and similar. Many of those satisfy a typical complexity rule, so complexity alone is not the defense. BARR recommends passwords be at least eight characters long and consist of a combination of letters, numbers, and special characters; longer passphrases are better still, and every new password should be screened against a list of common and breached passwords (Active Directory, Okta and most identity providers support a banned-password list). Here are some great tips from Google on increasing password strength. BARR also recommends using a password manager, like LastPass, so that every account can have a long, unique, randomly generated password.
  • Establish a strong password reset policy. Passwords should never be reused across accounts, and any password suspected of compromise (after a spray attempt, a phishing email, or a breach notification) should be changed immediately. If you also expire passwords on a fixed schedule, choose a timeframe that makes sense for your organization and be aware of the trade-off: forced rotation pushes users toward predictable variants (“Summer2020!” becoming “Fall2020!”), which are exactly what sprayers try. We stress that rotation only helps if you are also enforcing the strong-password rules above.
  • Don’t forget cybersecurity basics. Keeping your apps, operating systems, and software updated, and using caution when opening email links or attachments, are still necessary to secure your data; a sprayed password is only one way in.
  • Monitor for failed logins across many accounts, not just lockouts. A spray is designed to stay under the lockout threshold, so counting locked-out accounts alone can miss it entirely. CISA describes the typical signature as a higher-than-normal rate of failed login attempts spread across many different accounts over a period of time (for example, one hour), usually from a single IP address or a small set of them, and, believe it or not, often working through the user accounts in alphabetical order. Alert on any single source that fails against many distinct accounts with only one or two failures each, and treat a successful login from that source as a likely compromise.
  • Look for unusual IP addresses. If employees' logins come from IP addresses or geographic locations that don't match their normal pattern, or if many different accounts are being tried from the same address, that's a red flag that someone is attempting to break into their accounts.
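The monitoring advice in the last two bullets can be turned into a concrete detection. The following is an added example written for this article (not code from BARR or CISA) that runs over a handful of constructed authentication events; the log format, usernames and IP addresses are made up for illustration, and the lockout threshold of 5 and the alert threshold of 5 distinct users are assumed policy values. It separates a classic brute-force pattern (many failures against one account from one source) from a spray pattern (one failure each against many accounts from one source, every one of them below the lockout threshold), flags the alphabetical ordering CISA mentions, and records any successful login from a source that was spraying:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events for this example (not real logs):
# "<ISO timestamp> <username> <source IP> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2020-03-31T09:00:01 alice 203.0.113.7 FAIL
2020-03-31T09:00:31 bob 203.0.113.7 FAIL
2020-03-31T09:01:02 carol 203.0.113.7 FAIL
2020-03-31T09:01:33 dave 203.0.113.7 FAIL
2020-03-31T09:02:04 erin 203.0.113.7 FAIL
2020-03-31T09:02:35 frank 203.0.113.7 FAIL
2020-03-31T09:03:06 grace 203.0.113.7 FAIL
2020-03-31T09:03:37 heidi 203.0.113.7 SUCCESS
2020-03-31T09:05:00 victor 198.51.100.9 FAIL
2020-03-31T09:05:01 victor 198.51.100.9 FAIL
2020-03-31T09:05:02 victor 198.51.100.9 FAIL
2020-03-31T09:05:03 victor 198.51.100.9 FAIL
2020-03-31T09:05:04 victor 198.51.100.9 FAIL
2020-03-31T09:05:05 victor 198.51.100.9 FAIL
2020-03-31T09:10:00 alice 192.0.2.50 FAIL
2020-03-31T09:10:20 alice 192.0.2.50 SUCCESS
"""

# Assumed policy values; tune them to your directory's real lockout settings.
LOCKOUT_THRESHOLD = 5     # failures after which the directory locks an account
MIN_SPRAYED_USERS = 5     # distinct users failing from one source before alerting


def parse(log):
    """Parse the constructed format into (timestamp, user, ip, outcome) tuples,
    sorted by time so per-source attempt order is preserved."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return sorted(events)


def is_alphabetical(users):
    """True when at least 90% of consecutive attempts are in non-decreasing
    username order across at least two distinct users: the enumeration
    pattern CISA mentions. Repeated hits on a single user do not count."""
    if len(set(users)) < 2:
        return False
    ordered = sum(1 for a, b in zip(users, users[1:]) if a <= b)
    return ordered / (len(users) - 1) >= 0.9


def analyze(events):
    """Group events by (source IP, hour) the way a simple SIEM rule would and
    classify each group. Fixed hourly buckets can split an attack that
    straddles a boundary; a production rule would use a sliding window."""
    buckets = defaultdict(list)
    for ts, user, ip, outcome in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(ip, hour.isoformat())].append((user, outcome))

    findings = {}
    for key, attempts in buckets.items():
        failed_users = [u for u, o in attempts if o == "FAIL"]
        if not failed_users:
            continue
        per_user = defaultdict(int)
        for u in failed_users:
            per_user[u] += 1
        max_per_user = max(per_user.values())
        if max_per_user >= LOCKOUT_THRESHOLD:
            kind = "brute-force"        # one account hammered past lockout
        elif len(per_user) >= MIN_SPRAYED_USERS:
            kind = "password-spray"     # many accounts, each under lockout
        else:
            continue                    # ordinary typos; nothing to report
        findings[key] = {
            "kind": kind,
            "distinct_users": len(per_user),
            "max_failures_per_user": max_per_user,
            "alphabetical": is_alphabetical(failed_users),
            # A success from a source that was failing broadly marks the
            # account most likely to have been compromised.
            "successful_logins": sorted(u for u, o in attempts if o == "SUCCESS"),
        }
    return findings


if __name__ == "__main__":
    for key, finding in analyze(parse(SAMPLE_LOG)).items():
        print(key, finding)
```

Note what a lockout-only monitor would have seen in this sample: 203.0.113.7 never caused a single lockout, because no account received more than one failure, yet it touched seven accounts in alphabetical order and then logged in as an eighth. To use this against real data, replace `parse` with a reader for your directory's or identity provider's sign-in log and set the thresholds to match your actual lockout policy.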

If you suspect one of your accounts is part of a password spraying attempt, change your password immediately to something long and unique, review your recent sign-in activity and any MFA prompts you did not initiate, and contact your IT department so they can check whether other accounts were tried from the same source.

Overall, paying closer attention to how your company is alerted to suspicious logins, and to how it monitors its employees' account security, can ward off future attacks.

Questions about password spraying or how your organization can tighten up and strengthen its cybersecurity defense efforts? Contact us for a quick consultation. 
