What is a password spraying attack and how does it work?

As long as organizations permit weak passwords without multifactor authentication, hackers will continue to find ways to exploit users.

In this Q&A, Justin Jett, director of audit and compliance at Plixer LLC, explains how password spraying enables attackers to bypass the first line of defense with a relatively easy attack -- and how organizations can defend against them.

Editor's note: This Q&A was edited for length and clarity.

What is a password spraying attack and how does it work?

Justin Jett: Password spraying is an attack that will, usually, feed a large number of usernames into a program that loops through those usernames and tries a number of passwords.

As the name implies, you're just spraying, hoping that one of these username and password combinations will work. Deep down, it's a brute force attack.

What passwords does the attacker use in a password spray attack? Do they use common passwords or dictionary attacks?

Justin Jett

Jett: It can be a dictionary attack where you have these common passwords that people might use. What can also be used are credentials obtained through compromised websites because many people repeat passwords across multiple sites. Usually, it's a dictionary-type [attack], but taking passwords from sites that have been compromised is also a method that would be used.

It [also] depends on how targeted the attack is. If they're going after a specific person, they might try to use all of the usernames associated with a given email and try all of the passwords that may have been taken from compromised sites. [They may] also try those usernames they have against a dictionary cyberattack [of common passwords] as well. It really depends on the motive of the hacker.

Speaking of motive, what kinds of attackers or motives might be behind password spraying attacks?

Jett: Certainly financial. Many times, especially in the case of stolen credentials, they are a bit more targeted. Attackers will look for credentials from individuals in organizations that would likely have access to important or confidential details from the organization. They'll try to gain access through that individual within an organization to steal privileged information.

That can be financial, but that can also be information about how software that they write is built, for example, so that they could sell it to that business's competitors.

Also, if you have the ability to compromise or breach a given organization, you can reduce the trust that the public will have in that organization and influence stock prices.

There are niche areas within that, too. There is also the potential to steal customer data or personal information. In the case of a hospital, there are health records that could also be compromised. Data theft in general, whatever data is important to an individual hacker for whatever gain they see, those are all good motives for [a password spraying attack].

If a password spraying attack is going on, can you make any assumptions about the attacker? Does it indicate an advanced persistent threat group or is it a more unsophisticated attack?

Jett: I think it would be difficult to judge an attacker's level of sophistication based on whether they use a password spraying attack or not. You'd have to look at what other mechanisms were used as part of the broader attack. Are there other things that would occur?

For example, they may use a password spraying technique to try to take credentials that have been stolen and, very quickly, iterate through the logins and see if any of them work. But that is relatively trivial, generally speaking -- it's not very difficult to write a program that would do that.

But if they're doing something else beyond that -- if they're trying to bring ransomware throughout the organization or if they're trying to do a very slow data leak -- those could be considered more sophisticated. They might actually be using something rather simple, initially, to do something broader.

How can organizations detect a password spraying attack, and what can they do to defend against them?

Jett: There are a few things to cover here: Certainly, making sure that two-factor authentication is enabled on accounts will prevent these types of attacks and will make it much more difficult for hackers to make use of stolen credentials, even if they are legitimate.

[To protect] from a password spraying attack specifically, organizations should be looking at log information to see the usernames being logged into. If you see that you have users, especially across multiple users, attempting to log into systems on the network that they never have connected to, that could be a really good indication that you have a password spraying or other brute-force or credential misuse type attack that's taking place.

Network traffic data is a very good way to get this because you can take the username details from Active Directory and then you can correlate where those users normally connect on the network. When you have a hacker that is in the network, they have all of these usernames they're attempting across many devices.

If you have people in accounting suddenly trying to connect to development resources, that's a very strong indication that something is wrong there. Those types of activities should be monitored regularly and frequently to make sure that it's not happening. When it does, [you must] be able to intervene before data is stolen.

From a password spraying perspective, look at failed logins, as well, because, ultimately, many of these attempts will fail. Being able to see that you have a very large number of failures should be an indication that, wherever those failures are coming from, that IP [address] or device should be blocked from authenticating until you determine what's going on. Sometimes this means that it's just a poorly configured application [that] suddenly decided to try to log in, but more likely, it's something like password spraying.