Password Spraying



A few months ago we shared an article about the hundreds of colleges and universities that fell victim to the Mabna Institute attacks. Those attackers gained their initial foothold in most of the systems they compromised with a common and simple technique known as password spraying.

What is Password Spraying?

You may be familiar with brute-force attacks, in which an attacker tries to get into a single account by guessing hundreds or thousands of candidate passwords against it. The weakness of this approach, from the attacker’s point of view, is that with appropriate technical controls in place the account locks after a handful of failed attempts and the organization’s security team is alerted.

Attackers have adapted, and password spraying is the result. In a password spray, the attacker tries a single password against many user accounts across the organization. The passwords chosen are common ones like Spring2018 and Password123 that, unfortunately, many users still fall back on. If the first password yields nothing, the attacker tries another, typically waiting about 30 minutes between rounds so that no single account accumulates enough failures inside the lockout observation window to trigger a time-based lockout, and so that the low, steady trickle of failures is less likely to be noticed. Because each round touches many accounts, the attacker needs only a small fraction of users to have chosen the sprayed password in order to get into some of them.

Typical Victim Environment

Common targets for password spraying include organizations using single sign-on (SSO), cloud-based applications using federated authentication protocols, and any organization that has not yet deployed multi-factor authentication. E-mail is a favourite target: once an attacker can authenticate to a cloud-hosted mailbox, they can download the user’s e-mail, pull the organization’s address lists, and add inbox rules that forward sent and received messages to an external account.

How it Works

  • Attackers first build a list of employee names and e-mail addresses for the targeted organization through simple Internet searches. They may also mine professional networking sites like LinkedIn to identify specific users and work out the organization’s username format.
  • Next, they spray common passwords against that list, attempting to gain unauthorized access to as many accounts as possible.
  • If they succeed against an initial group of accounts, they use those accounts to pull the global address list and run further password spray rounds against the larger set of accounts it reveals.

Statistics show that even though any one of the most common passwords is used by only about 0.5-1.0% of accounts, that is enough for an attacker to expect a few successes for every thousand accounts sprayed. Once they have access to those accounts, the attackers attempt to move laterally within the network and download as much data as possible.
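The mechanics described above (one password across many accounts, paced to stay under the lockout window) can be seen side by side with a classic brute-force attempt in the following simulation. This is an added example, not code from the article or from CampusGuard’s testing team: it runs against a constructed in-memory directory with an assumed lockout policy of 5 failures in a 30-minute window, and the clock is simulated so nothing actually waits.

```python
from collections import defaultdict, deque

# Constructed mock directory for the simulation; these are not real accounts.
# Two of the four users picked the seasonal / default-style passwords the
# article mentions, the other two picked strong ones.
DIRECTORY = {
    "alice": "Spring2018",
    "bob": "c0rrect-h0rse-battery-staple",
    "carol": "Password123",
    "dave": "Tq9!vLm2#rX8",
}

# Assumed lockout policy: 5 failures inside a 30-minute observation window
# locks the account (a common default; tune to the policy you actually run).
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = 30 * 60  # seconds


class MockIdentityProvider:
    """Toy SSO endpoint with a sliding-window lockout. Time is simulated."""

    def __init__(self, directory, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
        self.directory = directory
        self.threshold = threshold
        self.window = window
        self.recent_failures = defaultdict(deque)  # user -> timestamps of failures still in window
        self.locked = set()

    def login(self, user, password, now):
        if user not in self.directory:
            return "no_such_user"
        if user in self.locked:
            return "locked"
        failures = self.recent_failures[user]
        while failures and now - failures[0] > self.window:  # expire failures older than the window
            failures.popleft()
        if self.directory[user] == password:
            return "success"
        failures.append(now)
        if len(failures) >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "failure"


def brute_force(idp, user, candidates, start=0, pause=1):
    """Classic brute force: every candidate against ONE account, one per second."""
    now = start
    for candidate in candidates:
        result = idp.login(user, candidate, now)
        if result in ("success", "locked"):
            return result, candidate
        now += pause
    return "exhausted", None


def password_spray(idp, users, candidates, start=0, pause=OBSERVATION_WINDOW + 1):
    """Spray: ONE candidate against EVERY account, then wait out the lockout
    window before the next candidate, so no account ever holds more than one
    failure inside the window and the lockout never trips."""
    compromised = {}
    now = start
    for candidate in candidates:
        for user in users:
            if user in compromised:
                continue
            if idp.login(user, candidate, now) == "success":
                compromised[user] = candidate
        now += pause
    return compromised


# Constructed spray list, led by the seasonal and default passwords the article names.
SPRAY_LIST = ["Password123", "Spring2018", "Welcome1", "Summer2018", "Password1", "Qwerty123"]


def run_demo():
    """Returns (brute-force outcome against a strong account, sprayed accounts, locked accounts)."""
    idp = MockIdentityProvider(DIRECTORY)
    brute = brute_force(idp, "dave", SPRAY_LIST)      # trips the lockout on the 5th guess
    idp = MockIdentityProvider(DIRECTORY)              # fresh provider for the spray
    sprayed = password_spray(idp, list(DIRECTORY), SPRAY_LIST)
    return brute, sprayed, sorted(idp.locked)


if __name__ == "__main__":
    brute, sprayed, locked = run_demo()
    print("brute force against dave:", brute)       # ('locked', 'Password1')
    print("spray compromised:", sprayed)            # {'carol': 'Password123', 'alice': 'Spring2018'}
    print("accounts locked by the spray:", locked)  # []
```

The brute-force run against the strong account locks it after five guesses and never gets in; the spray, with the same six candidates, never locks anything and still recovers the two weak accounts, which is exactly why a lockout policy alone does not stop it.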

How to Identify an Attack

Indicators of a password spray attack include:

  • A significant spike in failed login attempts against the enterprise SSO system or web-facing applications, spread across many different accounts with only one or a few failures each (the opposite of the many-failures-on-one-account shape of a brute-force attack). The attempts may all originate from a single IP address or computer and run over an extended period.
  • Employee logons from IP addresses resolving to locations that differ from their normal locations.
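The first indicator above can be turned into detection logic that runs over your authentication logs. The following is an added example, not a detector from the article or from any product: it parses a constructed sample of SSO log lines (the `user=` / `src=` / `result=` format is assumed; map your own identity provider’s fields to it), flags any source address that fails against many distinct accounts with few failures each (the spray shape), separately flags a source hammering one account (the brute-force shape), and lists the accounts a spraying source did log into successfully. The thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of SSO authentication log lines for the example.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-04-02T08:55:10Z user=alice src=198.51.100.10 result=failure
2018-04-02T08:55:31Z user=alice src=198.51.100.10 result=success
2018-04-02T09:00:00Z user=alice src=203.0.113.7 result=failure
2018-04-02T09:01:00Z user=bob src=203.0.113.7 result=failure
2018-04-02T09:02:00Z user=carol src=203.0.113.7 result=success
2018-04-02T09:03:00Z user=dave src=203.0.113.7 result=failure
2018-04-02T09:04:00Z user=erin src=203.0.113.7 result=failure
2018-04-02T09:05:00Z user=frank src=203.0.113.7 result=failure
2018-04-02T09:06:00Z user=grace src=203.0.113.7 result=failure
2018-04-02T09:07:00Z user=heidi src=203.0.113.7 result=failure
2018-04-02T09:08:00Z user=ivan src=203.0.113.7 result=failure
2018-04-02T09:10:00Z user=dave src=203.0.113.42 result=failure
2018-04-02T09:10:10Z user=dave src=203.0.113.42 result=failure
2018-04-02T09:10:20Z user=dave src=203.0.113.42 result=failure
2018-04-02T09:10:30Z user=dave src=203.0.113.42 result=failure
2018-04-02T09:10:40Z user=dave src=203.0.113.42 result=failure
2018-04-02T09:10:50Z user=dave src=203.0.113.42 result=failure
"""

# Assumed log format: "<ISO-8601 UTC> user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, window=timedelta(hours=1), min_users=5, max_per_user=3, brute_threshold=5):
    """Flag each source address that, inside any `window`, either
      - fails against at least `min_users` distinct accounts while no single
        account sees more than `max_per_user` failures (spray shape), or
      - fails at least `brute_threshold` times against one account (brute-force shape).
    Successful logins from a spraying source are reported as likely compromised."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    failures, successes = defaultdict(list), defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]].append(e)
        elif e["result"] == "success":
            successes[e["src"]].add(e["user"])

    alerts = []
    for src, fails in failures.items():
        spray_users, worst = 0, Counter()
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if max(per_user.values()) <= max_per_user:
                spray_users = max(spray_users, len(per_user))
            for user, n in per_user.items():
                worst[user] = max(worst[user], n)
        if spray_users >= min_users:
            alerts.append({"kind": "spray", "src": src, "distinct_users": spray_users,
                           "likely_compromised": sorted(successes[src])})
        heavy = sorted(u for u, n in worst.items() if n >= brute_threshold)
        if heavy:
            alerts.append({"kind": "brute_force", "src": src, "targets": heavy,
                           "max_failures": max(worst[u] for u in heavy)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the source that fails once each against eight accounts is reported as a spray (with the one account it did get into), the source with six failures against a single account is reported as brute force, and the employee who mistyped their password once is not flagged at all. Keying on distinct accounts per source, rather than failures per account, is what makes the spray visible despite each account seeing only one failure.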

How to Prevent Password Spraying

To help prevent a password-spraying attack against your employees, your IT team can implement one or more of the following:

  • Use of multi-factor authentication (MFA)
  • Review password policies to ensure they align with the latest NIST guidelines (SP 800-63B), which favour length and deny lists over composition rules
  • Educate users to use strong, difficult-to-guess passwords
  • Review Help Desk recommendations related to password resets for user lockouts
  • Establish a list of banned passwords – research commonly used passwords and deny users the ability to use those during initial set-up and resets
  • Use IT resources or engage with a third party to perform ongoing password spray tests against your employee accounts
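The banned-password control above is worth a closer look, because a naive deny list is easy to satisfy with the very passwords a spray targets. The following is an added example, not code from the article or from CampusGuard: a registration-time check written against the SP 800-63B recommendations (minimum length, deny list, context-specific words, repetitive or sequential characters). It strips the digits and punctuation users bolt onto a word to satisfy complexity rules, so that Spring2018! and P@ssw0rd are rejected even though they pass a typical complexity policy. The deny list and the `context` words (organization name, username) are constructed for the example; a real list should be built from breach corpora.

```python
import re

# Constructed deny list for the example. A production list should be built from
# breach corpora and from the passwords your own spray tests succeed with.
BANNED = {"password", "welcome", "letmein", "qwerty", "iloveyou", "changeme", "admin", "monkey"}
SEASONAL = {"spring", "summer", "autumn", "fall", "winter",
            "january", "february", "march", "april", "may", "june", "july",
            "august", "september", "october", "november", "december"}
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets


def base_word(password):
    """Strip the leading/trailing digits and punctuation users bolt onto a word
    to satisfy complexity rules (Spring2018!, P@ssw0rd) and undo common leetspeak."""
    word = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return word.translate(LEET)


def is_sequential(password, run=4):
    """True if any `run` consecutive characters walk along a keyboard row,
    the alphabet or the digits, in either direction."""
    p = password.lower()
    for seq in SEQUENCES:
        for i in range(len(p) - run + 1):
            chunk = p[i:i + run]
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def check_password(password, context=()):
    """Return the list of reasons a candidate password is unacceptable
    (an empty list means it passes). `context` holds organization-specific
    words such as the company name and the username."""
    reasons = []
    lower = password.lower()
    normalized = lower.translate(LEET)
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if len(set(password)) == 1:
        reasons.append("repetitive")
    if is_sequential(password):
        reasons.append("sequential")
    base = base_word(password)
    if base in BANNED or any(b in normalized for b in BANNED):
        reasons.append("banned")
    if base in SEASONAL:
        reasons.append("seasonal")
    if any(c.lower() in lower or c.lower() in normalized for c in context if c):
        reasons.append("context")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the first four satisfy a typical complexity rule
    # (upper, lower, digit, symbol) and would still be the first things sprayed.
    for candidate in ["Spring2018!", "Password123", "P@ssw0rd!", "CampusGuard2019",
                      "12345678", "Tq9!vLm2#rX8", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, context=('campusguard', 'jdoe')) or 'ok'}")
```

The check is deliberately stricter than an exact-match deny list: Spring2018! is rejected as seasonal and P@ssw0rd! as banned because the comparison is made on the underlying word, while a long passphrase with no dictionary-word base passes. Seasonal words are separated from the general deny list so the message back to the user can say why the choice is predictable.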

For questions about this type of attack, or to engage with CampusGuard’s Penetration Testing Team to discuss options for password spray testing, contact us.

Some additional guidance from the Penetration Testing team is below:

[Sullivan]: While password complexity rules can help users create stronger passwords, they still tend to look for the easiest way to comply with the rules with the least amount of effort, which leads to predictable passwords. Centralized logging and alerting, not connecting sensitive login systems to the internet, and blacklisting common passwords can help detect and prevent the effectiveness of this technique.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.