
Blog Post
April 30, 2025 | Cybersecurity education
By Field Effect
The average person juggles close to 100 passwords. It’s no surprise that password reuse is common, but that behavior leaves businesses and individuals alike more vulnerable to compromise.
From password spraying to credential stuffing, cybercriminals are constantly trying to crack passwords to gain unauthorized access. They then use that foothold to steal data, redirect funds, or move laterally within an environment.
Breaches tied to poor password practices can cause millions in damages. The infamous SolarWinds hack, allegedly enabled by an intern’s weak “solarwinds123” password, is just one example of how simple credentials can cause enterprise-scale damage.
The good news is anyone can defend against these attacks with a few simple actions. Keep reading to learn more about password spraying attacks and to find actionable tips for detecting and preventing them.
We’ve relied on passwords to keep hackers out of our accounts for decades. When done right, they can still do that relatively effectively. But the average person simply has too many accounts to keep track of, which means we use predictable, easy-to-remember passwords like a pet’s name instead of something more complicated or obscure.
Meanwhile, cybercriminals use advanced tools and automation to test thousands of passwords per minute. Even basic attacks can be surprisingly effective when users choose weak or reused credentials.
So, we have people using passwords that are simpler than they should be, unintentionally weakening their own defenses. Meanwhile, tactics for guessing them become increasingly advanced. This is largely why passwords have become more of a cybersecurity problem than the solution they were meant to be.
The first step in solving the password problem is familiarizing yourself with how hackers target accounts with weak credentials. When you know the various risks in advance, it becomes much easier to prepare for them.
With that in mind, here are some of the most common password-based cyberattacks today.
Brute force may be the easiest tactic cybercriminals try when attempting to access a site or server. These attacks use trial-and-error to guess a specific user’s password. With enough time and automation, attackers may eventually land on the right combination.
Credential stuffing, a subtype, involves using known usernames and passwords stolen from previous breaches. Attackers test these credentials across multiple sites, hoping for a match.
Account lockout policies are the best way to defend against brute-force attacks. They lock the account down after several failed login attempts (often three or five). Microsoft explains that “limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks.”
Dictionary attacks are a more refined brute-force technique. They exploit our tendency to use simple one-word passwords.
Hackers have compiled so-called “cracking dictionaries,” lists of the dictionary words most commonly used as passwords. A cybercriminal works through a cracking dictionary, usually with automation or other tooling, until one of the entries turns out to be the account’s password.
Personalized dictionary attacks can be even more effective, although more time-consuming. They focus on words that are meaningful to one user specifically instead of everyone, like a birthplace or child’s name.
Keylogger attacks use a program that records a user’s keystrokes. This gives the hacker the credentials for any account the victim logs into while the keylogger is active.
To carry out a keylogger attack, a cybercriminal must first convince an unsuspecting user to install the malicious software. Cybercriminals typically distribute keyloggers through phishing emails, embedding the malware in links or attachments.
Finally, there are password-spraying attacks. These are high-volume attacks in which a hacker takes a common password and uses it to try to log into as many different accounts as they can.
Password spraying inverts the brute-force approach. Instead of trying many passwords against one account, it cycles through many usernames with the same password until it finds a match.
For cybercriminals, one of the key advantages of password-spraying attacks is that each account sees only one or two failed attempts, which keeps the activity below typical account lockout thresholds. This allows hackers to keep working through up to every account on a network until they find one using the password they’ve singled out.
These attacks are easier to execute than they might sound. Here’s how:
It’s not hard for cybercriminals to find a list of usernames. Most companies use common conventions for all of their accounts. Firstname.lastname@company.com or each employee’s first initial followed by their last name are two common approaches.
If an attacker identifies one valid address, they can guess others based on naming conventions and employee directories.
This is even easier than step one. Lists of the most common passwords are widely published and easy to find.
Attackers may even tailor their guesses based on a company’s location or industry (e.g., "leafs" or "bluejays" for Toronto businesses).
Now all the hacker has to do is pick a password and try it with all the accounts collected in step one. If the first one doesn’t work, they’ll simply move on to the next, again and again, for as long as they stay motivated.
Attackers need only a single successful combination to access an account. Once inside, they may monitor communications, gather more intel, and escalate their access.
Password spraying attacks often fly under the radar—especially if lockout policies aren’t triggered. But there are a few warning signs to watch for:
Here are proven strategies to reduce the risk of password spraying attacks:
Generally speaking, the only way a password-spraying attack can work is if a person uses a simple, easily guessed password. And it happens all the time—human memory has limits. It’s unrealistic to expect humans to remember 100 distinct passwords. We'd be locking ourselves out of accounts constantly while trying to recall which password we used for what platform.
Password managers solve this problem by generating, managing, and securely storing as many unique credentials as you need.
These tools generate long, complex combinations of letters and numbers as suggested passwords that would be extremely difficult for a malicious person to guess. The manager then stores them for you, so as long as you remember the password to your password manager, you stay protected and can access all of your accounts.
Quick tip: Putting all your details into a password manager can be time-consuming, especially if you need to go back and change passwords to something stronger. So, set aside an afternoon for some digital spring cleaning. Import your credentials to a password manager, strengthen existing passwords, and delete old accounts you don’t use. Then let the password manager do its job for these accounts and any new ones you may create.
Multi-factor authentication (MFA) makes it far harder for attackers to access an account, even if the password is compromised.
There are three main forms of MFA:
Research shows that MFA can prevent up to 99.9% of automated cyberattacks and 75% of targeted attacks. Making this one change to accounts could be all it takes to thwart password-spraying attempts.
When someone enters their password incorrectly too many times, they should be locked out of their account. Without such a policy, you essentially allow hackers to use unlimited password combinations to breach your accounts.
But the key is finding a balance. After all, locking legitimate users out of their accounts if they make a simple mistake while typing in their password just creates more work. That’s why many companies allow between three and five incorrect password attempts before locking an account.
On a similar note, you should also have clear policies employees can use to regain access to locked accounts. The process shouldn’t be so complicated that it disrupts productivity by keeping valid users out of their accounts for too long.
Not every employee needs access to every system. The principle of least privilege (PoLP) ensures that each user is granted the minimum level of access required to perform their job duties—nothing more.
Segmenting access based on roles and responsibilities significantly reduces the potential impact of a single compromised account. Here's why: this strategy limits lateral movement, making it much harder for an attacker to pivot across systems after breaching one set of credentials.
Password spraying attempts leave traces. But detecting them manually is nearly impossible without clear visibility of the entire threat surface—cloud accounts included. Find a cybersecurity solution that monitors networks 24/7, identifies unusual login activity, and either responds automatically or notifies you of the event.
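What “unusual login activity” looks like for spraying is a single source failing against many different accounts while no single account reaches the lockout threshold. The following script is an added example (not Field Effect’s code) that flags that pattern in a constructed, simplified log format; the field names, thresholds and sample entries are assumptions for illustration.

```python
# Flag password-spraying patterns in authentication logs (added example).
# Constructed log format: "<timestamp> <FAIL|OK> user=<name> src=<ip>".
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+)$")

# Constructed sample: a spray from 203.0.113.7 (one failure per account, then a
# success) beside one user mistyping their own password from 198.51.100.4.
SAMPLE_LOG = """\
2025-04-30T08:00:01Z FAIL user=asmith src=203.0.113.7
2025-04-30T08:00:02Z FAIL user=bjones src=203.0.113.7
2025-04-30T08:00:03Z FAIL user=cwong src=203.0.113.7
2025-04-30T08:00:04Z FAIL user=dlee src=203.0.113.7
2025-04-30T08:00:05Z FAIL user=ekhan src=203.0.113.7
2025-04-30T08:00:06Z OK user=fpatel src=203.0.113.7
2025-04-30T08:01:10Z FAIL user=gmoore src=198.51.100.4
2025-04-30T08:01:20Z OK user=gmoore src=198.51.100.4
"""

def parse(log_text):
    """Yield (result, user, ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def find_spray_sources(log_text, min_accounts=5, lockout_threshold=3):
    """Return {ip: info} for sources whose failures fan out across at least
    min_accounts accounts while every account stays under lockout_threshold."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    successes = defaultdict(set)                   # ip -> users that logged in
    for result, user, ip in parse(log_text):
        if result == "FAIL":
            fails[ip][user] += 1
        else:
            successes[ip].add(user)
    hits = {}
    for ip, per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= min_accounts and worst < lockout_threshold:
            hits[ip] = {"accounts_tried": len(per_user),
                        "max_failures_per_account": worst,
                        # a success after the fan-out suggests the spray landed
                        "logged_in": sorted(successes[ip])}
    return hits

if __name__ == "__main__":
    print(find_spray_sources(SAMPLE_LOG))
```

The legitimate user at 198.51.100.4 is not flagged because their failures touch only one account, while the sprayer is reported along with the account that subsequently logged in from the same source.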
Field Effect MDR goes steps beyond this by providing access to a team of security experts who can help you respond to whatever you face. Field Effect MDR protects your network, endpoints, and the cloud-based services used by most businesses today, including Microsoft 365, Amazon Web Services, Dropbox, and Google Workspace.
Get in touch if you’d like to learn more.
Password spraying attacks are deceptively simple, yet highly effective. But there are many ways to safeguard against them, from educating employees on password best practices to implementing policies and processes that hinder a threat actor's attempts.
For the education piece, get started with our Employee Cybersecurity Handbook. This guide outlines a wide range of cybersecurity best practices, including password management, to help everyone build better habits.