Many organizations have cyber security measures in place to prevent threat actors from breaching defenses and launching their attacks. However, there may be a gaping hole in your organization’s security: untrained employees.
Threat actors can take advantage of the poor security habits of your network and system users through a technique known as password spraying in order to gain access and wreak havoc on your organization. Below, we’ll discuss password spraying attacks — demonstration video included — and what you can do to mitigate the risks.
What Is Password Spraying?
Unlike other password attacks, password spraying is when a threat actor tries one password against multiple usernames with the hope of the password being correct for at least one user account.
OWASP reports that this attack is common when “the application or admin sets a default password for the new users.” Other easy targets are organizations that don’t have password standards for their cloud-based applications and platforms.
Password Spraying vs. Brute Force Attack
Password spraying is far more effective than the traditional forced entry — brute force — methods. In traditional password attacks, a threat actor will use a hacking tool to try several passwords against a single account. However, throwing multiple passwords at one account is not always effective because many login processes have a limited number of password attempts until the account is temporarily locked.
Password spraying prevention is more difficult because the threat actor is only making one attempt per user account, which means the system will not deny access after a failed attempt.
A Deeper Look at the Password Spraying Technique
Since a threat actor only tries one password at a time, this is considered a low and slow method of password hacking, and is generally done in three steps:
- Attacker acquires a list of usernames.
- A single (usually common) password is tried against all usernames.
- The attacker gains access to an account with that password.
Kevin Mitnick, founder of Mitnick Security and Chief Hacking Officer of KnowB4 demonstrates password spraying in the below video:
Password Spraying Attack Prevention
As Kevin says, password spraying works “because people choose poor passwords.” With this in mind, organizations should look to technologies that can strengthen login security while making their employees aware of potential threats and prevention methods.
Use Strong Password Best Practices
Password spraying attack prevention starts with eliminating weak passwords. By enforcing password best practices at your organization, employee accounts will be far more difficult to compromise with a password spraying technique.
For example, employees should not reuse passwords for all of their accounts. Should a threat actor gain access to one account, they will likely try the same password across other accounts to expand their control and more easily compromise your organization’s internal systems.
Multi Factor authentication (MFA) requires a user to provide at least two factors for verification in order to gain account access. With MFA, a threat actor cannot gain entry just because they guessed a password correctly. Requiring MFA for your organization’s applications is an effective way to prevent password hacking.
To protect your organization, you can use Endpoint Detection and Response (EDR) technology, so you’ll have visibility of malicious activity and can prevent lateral movement by an attacker. Since EDR systems vary, it’s important to make sure you know what tools and processes your EDR can use to detect threats.
Get the Help of a Professional
Finding out that your organization was the victim of a password spraying attack is never good news. A cybersecurity professional can test your network and systems for vulnerabilities, including weak passwords so that you can help your employees harden security standards.
Test Your Human Factor Security Holes With Mitnick Security
Taking steps to mitigate security risks is crucial to safeguarding your organization’s operations. Password spraying attack prevention is only possible if you are aware of best practice adherence.
Mitnick Security offers services to detect vulnerabilities before the threat actors do. With our help, you can understand where you stand and strengthen your organization's security posture. Contact us for more information.