The most sophisticated hacking operations often use surprisingly simple methods to gain access to major targets. Bad password hygiene is the most common culprit in a cyber incident.
The practice of password spraying got some much needed attention recently during a Senate hearing about the SolarWinds hack, which compromised the United States Treasury, Commerce, State, Energy, and Homeland Security departments, and a host of well known companies including Intel, Nvidia, Cisco, and VMWare.
Password spraying is a simple and effective exploit that compromises credentials by using well-known or commonly used passwords, e.g. “Password,” “password123,” “qwerty,” or deploys passwords that might be likely in a particular area (e.g., steelers1! in the Pittsburgh area.)
A hacker using password spraying will attempt to log in to several accounts within a network, often thousands at a time, until it finds one that uses this successfully.
Unlike brute force attacks–where a long list of random passwords are tried against a single account and credential stuffing where login/password combinations from previous data breaches are tried to access an account–password spraying takes a shotgun approach.
Password spraying has an advantage over other forms of authentication attacks because it is less likely to trigger security software and firewalls programmed to lock accounts after a set number of failed login attempts. By trying one weak password against several accounts, the attempted hack is more likely to go unnoticed than an attack on a single account or a handful of accounts.
- Password spraying is predictive, and targets bad password hygiene.
- Password spraying may have been used in the SolarWinds attacks.
- Authentication attacks like password spraying and credential stuffing can be rendered ineffective by using strong, unique passwords and enabling multi-factor authentication on accounts.
- Requiring strong passwords at the administrative level and blocking widely known, easily guessed login/password combinations will help protect against the password spraying approach.