This technique takes advantage of the fact that people often use simple and common passwords, and it also evades account lockouts typically triggered by multiple incorrect password submissions. By trying only a few passwords on each account before moving on to the next, attackers reduce the likelihood of triggering security mechanisms designed to prevent multiple failed login attempts.
Password spraying is particularly effective against organisations that do not enforce strong password policies or Multi-Factor Authentication (MFA). To protect against password spraying, organisations should implement account lockout policies, ban the use of common passwords, regularly audit user passwords, and, most importantly, employ MFA.
- Low-and-Slow Approach: Tries a few commonly used passwords against many accounts to avoid detection.
- Common Passwords: Leverages frequently used passwords such as ‘Password123’ or ‘Spring2021’.
- Evades Account Lockouts: Less likely to trigger security responses due to the low number of attempts on each account.
- Effective Against Large User Bases: Increased chances of success in environments with many user accounts.
- Real-World Example: An attacker uses password spraying to access an organisation’s email system by trying the password ‘Winter2022’ on all user accounts.
- Hypothetical Scenario: Cybercriminals target multiple social media platforms, using a list of the top ten common passwords and spraying them across thousands of accounts.
- Brute Force Attack: A cyber attack method that involves systematically trying numerous passwords to break into an account.
- Credential Stuffing: An automated attack that uses previously breached username and password pairs to gain unauthorised access to user accounts.
- Multi-Factor Authentication (MFA): A security system that requires multiple methods of authentication to verify user identity.