Scott McKellar is currently a Technical Consultant at Mimecast, where he has been since early 2019. Scott has been working in the technology industry for fifteen years and is passionate about technology and security. Scott enjoys understanding his customers' and prospects' often complex business challenges and aligning them with technology to solve problems and add value. Prior to his role at Mimecast, Scott headed up the technology team for a leading Australian Wi-Fi analytics SaaS and IaaS provider, Discovery Technology (a Data#3 company).
The first computer passwords came into being around the 1960s, and attempts to crack them soon followed.
In fact, the first documented password theft resulted from good intentions – an MIT researcher wanted the time to run more performance simulations than his profile would allow, so he acquired a hard copy of the passwords used for that machine.
But most password attacks are less benign. Sixty years after that first incident, password spraying is an established weapon in the cybercriminal armoury. At the end of last year, Microsoft warned that password spraying attacks were on the rise and represented over a third of account compromises. It may not be the most subtle attack vector, but password spraying can cause your organisation serious damage if you haven’t done your homework.
What is password spraying?
Password spraying is a brute force attack. That means that rather than attempting to con individuals (as in a phishing attack), cybercriminals use a high volume of common passwords in an attempt to get lucky and break in. The chance of success per attempt may be tiny, but by attacking at scale the hackers massively increase their chances. Once they have access, they’ll move across your network to steal data or plant malware.
Password spraying has evolved over the years. Organisations now tend to lock out users who’ve made a large number of login attempts, making attacks that use multiple passwords on a single account less successful. So cybercriminals are now more likely to “spray” a small number of passwords at a large number of accounts, working through lists of user names or email addresses in the hope that their barrage will find a target. Others use compromised passwords, often bought on the dark web, to increase their chance of success in so-called “credential stuffing” attacks.
Microsoft also notes a recent rise in attacks on cloud administrators and managed service providers as the hackers extend their search for potential weaknesses.
Bad passwords make it easy for attackers
Human error is a major source of cyber risk, with 65% of Australian organisations believing that risky employee behaviour is putting their company at risk. With password spraying, that means thinking of the most obvious password you can – someone you work with has almost certainly already used it.
Nordpass research shows that the most common password in both Australia and New Zealand is “123456”. Its lists aren’t exactly the same across the two countries – “password” is second in Australia but only fifth in New Zealand, where “123456789” takes the runner-up spot.
But blunders need not be quite this obvious to cause problems. A survey by New Zealand’s National Cyber Security Centre (NCSC) found that 75% of respondents had accounts that used one of the top 1,000 passwords. And using the name of your department (“sales1”) or company in shared addresses could also leave you open to brute force assaults.
Detecting password spraying
Password spraying is a relatively easy attack to detect. Telltale signs include:
a high volume of authentication attempts, particularly failed logins from active users and a spike in logins from inactive accounts
a high ratio of login failures compared to successful logins
attempts to log in with bad usernames (which have likely been generated automatically)
large numbers of account lockouts
To detect password spraying attacks faster, the Australian Cyber Security Centre (ACSC) recommends automating monitoring and detection. By using alert rules in their Security Information and Event Management (SIEM) system, organisations can look out for a given volume of such incidents in a set period of time.
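The kind of rule a SIEM alert would encode, shown here as an added example that is not from the article or from Mimecast: it runs the telltale signs above over a constructed authentication log, flagging a source whose failures in a short window spread across many distinct accounts, with a high failure ratio and attempts against usernames that do not exist. The log format, thresholds and user list are assumptions chosen for illustration.

```python
# Added example (not from the original article or Mimecast): flags a source
# whose failures within a short window are spread across many distinct
# accounts, with a high failure ratio and hits on usernames that do not exist.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.10 alice FAIL
2024-05-01T09:00:02 203.0.113.10 bob FAIL
2024-05-01T09:00:03 203.0.113.10 carol FAIL
2024-05-01T09:00:04 203.0.113.10 erin FAIL
2024-05-01T09:00:05 203.0.113.10 frank OK
2024-05-01T09:00:06 203.0.113.10 zz_nobody FAIL
2024-05-01T09:01:00 198.51.100.7 alice FAIL
2024-05-01T09:01:30 198.51.100.7 alice FAIL
2024-05-01T09:02:00 198.51.100.7 alice OK
"""
KNOWN_USERS = {"alice", "bob", "carol", "erin", "frank"}  # assumed directory


def parse(log_text):
    # Each line becomes (timestamp, source_ip, username, result), time-ordered.
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def detect_spray(events, known_users, window=timedelta(minutes=5),
                 min_distinct_users=5, min_fail_ratio=0.7):
    """Return {source_ip: finding} for sources whose activity looks like a spray.
    One user failing repeatedly does not trip the rule: the signature is breadth."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            failed_users = {e[2] for e in win if e[3] == "FAIL"}
            ratio = sum(e[3] == "FAIL" for e in win) / len(win)
            if len(failed_users) >= min_distinct_users and ratio >= min_fail_ratio:
                findings[ip] = {"distinct_failed_users": len(failed_users),
                                "fail_ratio": round(ratio, 2),
                                "unknown_users": sorted(failed_users - known_users)}
                break  # one finding per source is enough to raise an alert
    return findings
```

The second source (one account failing twice, then succeeding) is a forgotten password, not a spray, and produces no finding; tune the window and thresholds to your own baseline of failed logins before alerting on them.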
How to respond to password spraying attacks
Password spraying attacks move quickly. If you spot an attack in progress, your immediate steps should be to:
prioritise changing the passwords on privileged and admin accounts, from which hackers can cause serious damage to data and network assets
identify compromised accounts and reset their credentials using a strong password policy to prevent attackers from repeatedly exploiting the account
ensure your login settings are configured to detect failed logins across multiple services to increase visibility and prevent the threat spreading
activate your latest threat response plan, incorporating backups, communication plans and operational details
How to avoid getting soaked
You can make yourself a harder target for future password spraying attacks by being prepared:
use multifactor authentication (MFA) such as a code sent via email or messaging to ensure attackers need more than just a password to break in
consider additional security controls such as geo-blocking or requiring users to connect via a virtual private network (VPN)
set up frequent training sessions to share information on threats and the implications of a compromised password, as well as giving tips on strong passwords and password tools
review your password management and enforce strong passwords (the ACSC has guidance on good passphrases) as well as policies on user lock-outs and password resets
increase monitoring and threat intelligence – your SIEM can correlate logs from multiple sources and block spraying attacks
run penetration testing to assess vulnerabilities across login processes and across your network
avoid using passwords altogether via biometrics: voice-activated and facial recognition access are harder to breach than strings of characters
limit access to valuable data and consider implementing zero-trust policies
Shielding yourself from password spraying
As we’ve seen, attempts to hack passwords are almost as old as passwords themselves. Password spraying attacks aren’t subtle, but they can be very effective, and leave your organisation open to data theft and malware. Make yourself a hard target with strong password management, access controls, user training and effective monitoring. The rise of biometrics may mean we’re nearing the end of the password’s golden age – but until then, keep the keys to your digital kingdom close to your chest and stay safe out there.