What Is Password Spraying and How Does It Work

When we think of password hacking, we probably imagine a hacker trying several hundred passwords on a single account. While this still happens, sometimes a hacker will instead use password spraying. Let's break down what password spraying is and what we can do to defend against it.

What is Password Spraying?

While a “normal” brute-force attack involves trying lots of different passwords against a single account, password spraying is the opposite. It occurs when a hacker has access to many different account names and tries to crack them using only a few passwords against each one.

Hackers will not use “normal” hacking methods if account security is tight. A secure system will notice someone repeatedly trying to access the account and will lock it to protect the target's privacy. We have probably all experienced this ourselves: enter the wrong password into a service too many times and it locks us out.

If hackers only use a small number of passwords per attack, which passwords do they use? The hacker's best bet is to use some of the most commonly used passwords on the internet. That way, they maximize the chance that one of their few guesses lands before the lockout closes that small window of opportunity.

Are the Passwords We Use Weak?

Of course, this attack is completely dependent on someone using a commonly used password on their account. However, in this day and age, what are the chances that someone will use one of these passwords?

Unfortunately, our password habits haven't improved much over the years. The NCSC (the UK's National Cyber Security Centre) conducted a study with willing organizations to test how vulnerable they were to spraying attacks. They found that 75% of organizations had at least one account that used a password in the top 1000 passwords, and 87% had at least one account that used a password in the top 10000.

This is the weakness that password spraying seeks to exploit. All it takes is for one user in an organization to use a weak password for the spraying attack to work. Once the hacker is logged into that account, they can use it as a foothold to get deeper into the system.

Who is at risk of being exposed to password spraying?

Typically, hackers use this attack on large businesses and organizations. They also use password spraying against users in database leaks, where hackers have a large number of account names at their disposal but no passwords. Any situation where a hacker has multiple accounts to go through but only a limited window to attack each one is where password spraying becomes the preferred method of attack.

Hackers choose password spraying when accounts have heavy penalties for incorrect entries. If a hacker obtains a list of a website's account names, but that website only allows five password attempts before locking out the account, the hacker will try the five most used passwords against each account in the hope that someone uses one of them.
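One way a defender can tell the two patterns apart in an authentication log, as an added example that is not part of the original article: a sprayer keeps every account under the lockout threshold but touches many accounts from one source, while a brute-forcer hammers one account past it. The log lines, the five-attempt lockout threshold and the five-account spray threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data), one event per line:
# "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-01-15T09:00:01 203.0.113.7 alice FAIL
2024-01-15T09:00:03 203.0.113.7 bob FAIL
2024-01-15T09:00:05 203.0.113.7 carol FAIL
2024-01-15T09:00:07 203.0.113.7 dave FAIL
2024-01-15T09:00:09 203.0.113.7 erin FAIL
2024-01-15T09:00:11 203.0.113.7 frank SUCCESS
2024-01-15T09:01:00 198.51.100.9 alice FAIL
2024-01-15T09:01:01 198.51.100.9 alice FAIL
2024-01-15T09:01:02 198.51.100.9 alice FAIL
2024-01-15T09:01:03 198.51.100.9 alice FAIL
2024-01-15T09:01:04 198.51.100.9 alice FAIL
2024-01-15T09:05:00 192.0.2.44 alice FAIL
"""

LOCKOUT_THRESHOLD = 5    # assumed per-account limit, like the five-attempt site above
SPRAY_MIN_ACCOUNTS = 5   # assumed: one source failing on this many accounts is a spray


def parse_log(text):
    """Split each line into a (timestamp, ip, user, result) tuple."""
    return [tuple(line.split()) for line in text.splitlines()]


def classify_sources(events):
    """Label each source IP 'spray', 'brute_force' or 'normal'."""
    fails_by_ip = defaultdict(lambda: defaultdict(int))   # ip -> user -> failures
    for _ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip][user] += 1
    verdicts = {}
    for ip, per_user in fails_by_ip.items():
        if max(per_user.values()) >= LOCKOUT_THRESHOLD:
            verdicts[ip] = "brute_force"      # one account hammered past lockout
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS:
            verdicts[ip] = "spray"            # many accounts, each kept under lockout
        else:
            verdicts[ip] = "normal"
    return verdicts


def spray_successes(events, verdicts):
    """Accounts a spraying source eventually logged into: reset these first."""
    return sorted({(ip, user) for _ts, ip, user, result in events
                   if result == "SUCCESS" and verdicts.get(ip) == "spray"})
```

A production detector would also bucket failures by time window, since the attempts in a real spray are spread out so that no single burst looks unusual.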

Are There Real Cases of Password Spraying?

In an ideal world, everyone in an organization would use a strong password to prevent spraying. Unfortunately, hackers have had success with this tactic in the past, so much so that Redmond Mag reported a number of password spraying cases in 2018.

Many attacks are focused on businesses, perhaps to steal valuable business documents for profit. Organizations also tend to have a predictable username structure that makes it easy for hackers to compile a list of names to attack.

Threatpost has reported how Citrix's software virtualization business was hit by a spray attack after one of its accounts was compromised. The hackers took valuable business documents through the permissions attached to the accounts they accessed. The scary part of this attack is how silent it is: because of the “low and slow” nature of password spraying, it doesn't trigger any alarm.

How to Defend Against Password Spraying

The solution to this attack is very easy: use a better password! Password spraying depends entirely on us using passwords that are on a list of the 100 or so most used passwords. By making our passwords more complex, we break out of the pool of passwords that the sprayers would use against us. For starters, if your password is one of the worst passwords, change it right away!

Protect Ourselves With Stronger Passwords

Now that we know what makes a weak password, what makes a good one? The problem with passwords is that the more complex they are, the stronger they are, but the harder they are to remember. People use passwords like “password” or “12345” because they are easy to remember and easy to type: no capital letters, no odd symbols. But that extra complexity is exactly what it takes to beat password spraying attacks.
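A check for the “worst passwords” problem, added here as an example and not part of the original article: it canonicalizes trivial variants (trailing digits or punctuation, character substitutions, season plus year) before comparing against a denylist, because a sprayer's list covers those variants too. The denylist entries and the substitution table are constructed assumptions, not the NCSC list.

```python
import re

# Constructed denylist in the style of the "most used passwords" lists that
# sprayers draw from (a handful of entries; not the NCSC list or any real data set).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Assumed substitutions a sprayer's list would also cover: P@ssw0rd is still "password".
LEET = str.maketrans("@$!04315", "asioaeis")
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}$")


def variants(pw):
    """Forms of `pw` that a sprayer's wordlist effectively contains."""
    low = pw.lower()
    stripped = re.sub(r"[^a-z0-9]+$", "", low)    # drop trailing "!" or "."
    no_digits = re.sub(r"\d+$", "", stripped)      # drop trailing "1", "2018"
    forms = {low, stripped, no_digits,
             stripped.translate(LEET), no_digits.translate(LEET)}
    return {f for f in forms if f}


def is_sprayable(pw):
    """True if the password is a trivial variant of a commonly used one."""
    if any(v in COMMON_PASSWORDS for v in variants(pw)):
        return True
    stripped = re.sub(r"[^a-z0-9]+$", "", pw.lower())
    return SEASON_YEAR.match(stripped) is not None


def weak_accounts(accounts):
    """Given {username: password}, return the usernames a spray would likely hit."""
    return sorted(user for user, pw in accounts.items() if is_sprayable(pw))
```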

Password spraying is a significant problem for users and businesses that don't use strong passwords. Sometimes, all it takes is one account with a weak password, and the hacker can leverage it to do further damage in the system. Luckily, by strengthening our passwords and using 2FA, we can defend ourselves.

