What is Password Spraying And How To Prevent It?

Password spraying is a high-volume attack technique in which hackers try a few popular passwords against many user accounts to gain access. Trying a single password on many user accounts before trying another password on the same account helps hackers bypass the regular lockout protocols, allowing them to try more and more passwords.

Hackers may use as many passwords as possible from a dictionary or an edited list of common passwords, spread across individual users and periods of time. Password spraying is not a targeted attack; it is just a bad actor trying the most likely, well-known or similar passwords to sign in to all accounts and access Active Directory.

The secret to password spraying is the weak link: hackers use user accounts with older or common passwords to access the network. Sadly, password spraying succeeds because too many users do not follow best practices for password protection or choose convenience over security.

The most common passwords of compromised accounts in 2019 included obvious and simple number combinations, first names, and ironically, the word “password” itself. Any hacker armed with a large bank of common passwords can ably hack into accounts and cause devastating data breaches.

If that isn’t scary enough by itself, today’s tech-savvy hackers have adopted more precise approaches, focusing on single sign-on (SSO) authentication and guessing credentials to gain access to multiple applications and systems.
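The lockout bypass described above leaves a recognisable trace: one source fails on many accounts while no single account reaches its lockout limit. The detection sketch below is an added example, not part of the original article; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T09:00:00 198.51.100.7 alice FAIL
2024-01-01T09:01:00 198.51.100.7 bob FAIL
2024-01-01T09:02:00 198.51.100.7 carol FAIL
2024-01-01T09:03:00 198.51.100.7 dave FAIL
2024-01-01T09:04:00 198.51.100.7 erin FAIL
2024-01-01T09:00:10 203.0.113.9 frank FAIL
2024-01-01T09:00:20 203.0.113.9 frank FAIL
2024-01-01T09:00:30 203.0.113.9 frank FAIL
2024-01-01T09:05:00 192.0.2.10 grace FAIL
2024-01-01T09:05:30 192.0.2.10 grace OK
"""

# Assumed policy values; tune them to your own environment.
LOCKOUT_THRESHOLD = 3            # failures that lock a single account
MIN_ACCOUNTS = 4                 # distinct failed accounts per source that raise an alert
WINDOW = timedelta(minutes=30)   # look-back window per source

def failed_logins_by_source(log):
    """Parse the log and return {source: [(timestamp, user), ...]} for failures."""
    fails = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "FAIL":
            continue  # skip malformed lines and successful logins
        fails[parts[1]].append((datetime.fromisoformat(parts[0]), parts[2]))
    return fails

def find_spraying(log):
    """Return {source: sorted accounts} for sources that fail on many accounts
    inside WINDOW while every account stays below the lockout threshold."""
    flagged = defaultdict(set)
    for src, events in failed_logins_by_source(log).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= MIN_ACCOUNTS and max(per_user.values()) < LOCKOUT_THRESHOLD:
                flagged[src].update(per_user)
    return {src: sorted(users) for src, users in flagged.items()}
```

On the sample data only 198.51.100.7 is flagged. The repeated failures on a single account from 203.0.113.9 are what per-account lockout already handles, and the single mistyped login from 192.0.2.10 is ignored.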

How Password Spraying Can Be Prevented

Use multi-factor authentication: One of the best ways to prevent any kind of hacking attempt is to enable multi-factor authentication across an organization. That way, users will have to provide two or more verification factors to sign in or gain access to applications and accounts, thereby reducing the risk of password spraying.

Use strong passwords: The strongest defence against attacks is a good password. Run risk management programmes for workers and enforce strong passwords that go beyond first names, obvious passwords, and quick sequences of numbers.

Use password management programs: Conduct regular reviews of password management programs and software in organizations. Invest in password management software to effectively manage user accounts and add an extra layer of security.

Have proper procedures in the workplace for password management and user lockouts: Password reset and user lockout applications are popular and common in organisations. Ensure you have detailed processes in place at your service desk to efficiently process password resets and lockouts.

You can read about more such practices, and what can be done if you suspect password spraying attacks at your organization, in this article about Password Spraying.

Published by

marinaelvis

Marina has over 10 years of experience in the marketing industry with extensive Institutional and Healthcare project portfolios as well as experience managing large, complex multi-use projects.
