Password spraying isn’t a new term, but it’s an important one to remember in today’s ever-evolving technology landscape. Auth0 defines it as “a type of brute-force cyberattack where a cybercriminal tries to guess a known user’s password using a list of common, easy-to-guess passwords such as ‘123456’ or ‘password’. This process is often automated and occurs slowly over time in order to remain undetected.”
If you’re wondering how hackers have your username, account information, or email, it’s surprisingly easy. There are massive quantities of names, email addresses, accounts, and passwords on the dark web – an information database of all the compromises over the last couple of decades, some that you know about, and some that you don’t.
How does password spraying work?
It all begins with a poor password. Poor passwords are the weakest form of authentication and yet the most widely used. Today, we have passwords for everything, and we understand how difficult it can be to remember them all. We’re expected to create new, complex strings of letters, numbers, and special characters for each login we use, both in our personal lives and in our daily work. It’s certainly a common challenge.
Mediocre and easily guessed passwords lead cybercriminals to successfully use password spraying to gain unauthorized access to your accounts and systems. Auth0 explains how it works:
- Cybercriminals build or buy a list of usernames – there are over 15 billion credentials for sale on the dark web right now. So to start a password spraying attack, cybercriminals often start by buying a list of usernames stolen from other organizations.
- Cybercriminals procure a list of common passwords – the most common passwords are easy for bad actors to find as reports or case studies include common password lists annually. They can also build a list of common passwords themselves.
- Cybercriminals try username/password combinations – once a bad actor has a list of usernames and passwords, they put them together and find a username/password combination that works. They often use an automated system that tries one password with every user and then repeats this process with the next password in order to avoid being blocked by account lockout policies or IP address blockers that restrict login attempts.
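As an added, defender-side example (not from the original post or from Auth0), the one-password-per-user-then-rotate pattern in the list above shows up in authentication logs as a single source failing against many different accounts while each account stays under the lockout count. The log lines, their field layout, and the thresholds below are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log sample, syslog-like: "<ts> FAIL user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-03-01T09:00:05 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:09 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:14 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:19 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:23 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:27 FAIL user=frank src=203.0.113.7
2024-03-01T09:31:02 FAIL user=alice src=203.0.113.7
2024-03-01T09:31:06 FAIL user=bob src=203.0.113.7
2024-03-01T09:05:00 FAIL user=gina src=198.51.100.4
2024-03-01T09:05:30 FAIL user=gina src=198.51.100.4
2024-03-01T09:06:00 FAIL user=gina src=198.51.100.4
"""


def parse_failures(log_text):
    """Return time-sorted (timestamp, src_ip, username) tuples for FAIL lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "FAIL":
            continue
        ts, user, src = parts[0], parts[2].split("=", 1)[1], parts[3].split("=", 1)[1]
        events.append((datetime.fromisoformat(ts), src, user))
    return sorted(events)


def detect_spraying(events, window=timedelta(hours=1), min_users=5, lockout=5):
    """Flag sources that fail against many distinct accounts inside one window while
    staying under the per-account lockout count. Returns {src: (users, max_per_user)}."""
    by_src = defaultdict(list)
    for ts, src, user in events:          # events are sorted, so each list is too
        by_src[src].append((ts, user))
    alerts = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):  # sliding window over this source's attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout:
                alerts[src] = (len(per_user), max(per_user.values()))
    return alerts
```

The single-account source (gina, 198.51.100.4) is left to the normal lockout policy, while the source that touched six accounts with at most two failures each is what this check is for.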
How can you avoid a password spraying attack? You can create more complex passwords (even though you already have more than enough!). Try using a passphrase; it may be easier to remember than a string of random characters. However, avoid using personal information in your passphrase. For example, you might use !ha8WhtRabbit$ or c0mplxp@sswrdsRdumb!
You can use Passwordless Authentication as well. This eliminates passwords altogether – sounds nice, right? It authenticates a user by scanning biometrics, by verifying ownership of your email account through a link sent to it, by verifying possession of a device through a text message, or by other options.
And don’t forget about Multi-Factor Authentication. MFA adds another layer of protection to the login process. Many of the factors in MFA are the same as the ones being used in Passwordless Authentication. Even if a weak password is being used, cybercriminals wouldn’t be able to gain unauthorized access due to the second authentication factor. They can’t fake your biometrics!
Staying up to date on the actions of cybercriminals is more important than ever before. It’s our job to keep your company secure, so you can focus on what you do best. If you want to learn about our security solutions, contact us today. Let us help you Get There on your digital transformation journey safely and securely.