What are Password Spray Attacks and Why Should Your Business be Wary of Them?


Cyber-threats are a constantly evolving issue: they are becoming stronger, more resistant and somewhat indiscriminate in their targets. We hear more and more tales of business infrastructure falling victim to cyber-attacks, with high-profile attacks consistently making it into mainstream news.

With the significant increase in malicious activity, developers and IT leaders are under more pressure than ever to ensure that data is both available and secure. Resiliency and security can come at a high cost, though this is generally not as high as the impact of losing the integrity of your data or access to it, not to mention the damage cyber-attacks can cause to the relationship between a business and its end users.

One of the most recent examples of these types of attack targets passwords. Originally, brute-force password attacks were a popular option for gaining access, but they are generally no longer as effective against standard security measures such as locking accounts after a small number of failed password attempts. To circumvent such measures, many opportunist hackers now use password spray attacks against their targets' infrastructure.

What is a password spray attack?

Password spray attacks are not new, but their occurrence is growing rapidly.

Password spraying is, in effect, the opposite of a brute-force attack. Rather than trying many passwords against one account, this method takes a large number of usernames and tries a single password against each of them. Several iterations with a number of different passwords may follow, but the number of passwords attempted is usually low compared with the number of users attempted, so account lockout thresholds are never reached. The method is often effective at uncovering weak passwords.

If a password spray attack is successful, US-CERT advises that it can have a huge impact on a business, including:

  • Exposure of sensitive information
  • Disruptions to a company’s operations
  • Huge financial losses
  • Potential damage to an organisation’s reputation

How to prevent password spray attacks

Both brute-force attacks and password spray attacks can be halted before full exploitation, provided the related security policies are in place. The first step is being alert to the warning signs of a spray attack. US-CERT says that warning signs of a password spray attack include:

  • Huge rises in attempted logins to SSO portals or web-based applications.
  • IP addresses of employee logins coming from suspicious locations. For example, if your business is based in the South East of England and you see an attempted login from an IP address in another country unrelated to your business or that employee, this should be treated as suspicious.
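The two warning signs above translate directly into detection logic. The following is an added example (not code from the original post or from US-CERT) that runs over a few constructed authentication log lines: it flags a source IP that fails against many distinct accounts with only one or two attempts each, which is the spray signature that stays under per-account lockout thresholds, and lists successful logins from outside the countries you expect. The log format, field names and IP addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page): one login attempt per line,
# with an ISO timestamp, result, username, source IP and a geolocated country code.
SAMPLE_LOG = """\
2018-11-14T09:00:01Z FAIL user=alice src=203.0.113.7 geo=RU
2018-11-14T09:00:03Z FAIL user=bob src=203.0.113.7 geo=RU
2018-11-14T09:00:05Z FAIL user=carol src=203.0.113.7 geo=RU
2018-11-14T09:00:07Z FAIL user=dave src=203.0.113.7 geo=RU
2018-11-14T09:00:09Z FAIL user=erin src=203.0.113.7 geo=RU
2018-11-14T09:00:11Z SUCCESS user=frank src=203.0.113.7 geo=RU
2018-11-14T09:01:00Z FAIL user=alice src=198.51.100.4 geo=GB
2018-11-14T09:01:30Z FAIL user=alice src=198.51.100.4 geo=GB
2018-11-14T09:02:00Z SUCCESS user=alice src=198.51.100.4 geo=GB
2018-11-14T09:05:00Z SUCCESS user=grace src=192.0.2.9 geo=BR
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime timestamp and key=value fields."""
    ts_str, result, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "result": result}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_spray(records, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failures hit many distinct accounts, few attempts each.

    A brute-force source fails many times against one account; a spray source
    fails once or twice against each of many accounts, so per-account lockout
    never triggers. Any SUCCESS from a flagged source is reported as a likely
    compromised account.
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        fails = sorted((r for r in recs if r["result"] == "FAIL"), key=lambda r: r["ts"])
        # Slide a window over the failures, starting at each one in turn.
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for rec in fails[i:]:
                if rec["ts"] - start["ts"] > window:
                    break
                per_user[rec["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                compromised = sorted({r["user"] for r in recs if r["result"] == "SUCCESS"})
                flagged[src] = {"distinct_users": len(per_user),
                                "successful_logins": compromised}
                break
    return flagged


def detect_unusual_geo(records, expected_countries):
    """List successful logins from countries outside the set the business expects."""
    return sorted({(r["user"], r["src"], r["geo"]) for r in records
                   if r["result"] == "SUCCESS" and r["geo"] not in expected_countries})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(recs))
    print("unexpected geo:", detect_unusual_geo(recs, {"GB"}))
```

The thresholds (`min_users`, `max_per_user`, `window`) are deliberately parameters: tune `max_per_user` to sit just below your lockout threshold, and note that the brute-force source `198.51.100.4` in the sample is not flagged by the spray rule because it hammers a single account, which is what the lockout policy itself already catches.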

Microsoft recommends that, to keep password spray attacks from succeeding, there are basic groundwork steps, including:

  • Use cloud authentication: the cloud provider can employ procedures that detect and block potential attacks, and can draw on a far wider view of activity when looking for suspicious behaviour.
  • Multifactor authentication: an additional security layer for your business – helping to address the vulnerabilities of a standard password-only approach.
  • Discourage weak passwords: discouraging weak passwords is very important these days; somebody trying to breach your system will have a far more difficult time if the password doesn’t resemble anything obvious such as the company name, the employee’s name or their date of birth. Where possible, policies should be implemented that actively reject any password which does not conform to the required standards.

    Some providers are also generating a list of common passwords including passwords from leaked databases and blocking them from use, making it that much harder for malicious actors to guess in these attacks.
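As an added example (not Microsoft's password filter or any provider's actual blocklist), the check below implements the policy described in the last bullet: it rejects passwords that are too short, that appear on a blocklist of common passwords, or that contain the company name, the employee's name or their date of birth. The blocklist, the names and the leetspeak substitutions are constructed for the example.

```python
import re
from datetime import date

# Constructed stand-in for a provider's list of common and leaked passwords.
BLOCKLIST = {"password", "123456", "qwerty", "welcome1", "summer2018", "letmein"}

# Undo the common substitutions people use to dress up an obvious word.
LEET = str.maketrans("@$!013", "asiole")


def normalize(pw):
    """Strip trailing digits/symbols and undo leetspeak: 'P@ssw0rd2018!' -> 'password'."""
    base = re.sub(r"[\d!@#$%^&*]+$", "", pw)
    return base.lower().translate(LEET)


def check_password(pw, *, company, first_name, last_name, dob,
                   min_length=12, blocklist=BLOCKLIST):
    """Return the list of policy violations for a candidate password (empty = accepted)."""
    reasons = []
    norm = normalize(pw)
    letters = re.sub(r"[^a-z]", "", norm)

    if len(pw) < min_length:
        reasons.append("too short")

    # Compare both the raw password and its normalized form against the blocklist,
    # so 'Summer2018' and 'P@ssw0rd2018' are both caught.
    if {pw.lower(), norm} & blocklist:
        reasons.append("on blocklist")

    for label, term in (("company name", company),
                        ("first name", first_name),
                        ("last name", last_name)):
        term = term.lower()
        if len(term) >= 3 and term in letters:
            reasons.append(f"contains {label}")

    # Date of birth in the usual numeric layouts, checked against the raw password
    # because normalization rewrites digits.
    for fmt in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%Y"):
        if dob.strftime(fmt) in pw:
            reasons.append("contains date of birth")
            break

    return reasons


def is_acceptable(pw, **context):
    """Default-deny wrapper: a password is accepted only if no rule fires."""
    return not check_password(pw, **context)


if __name__ == "__main__":
    # Constructed employee context for the demonstration.
    ctx = dict(company="Acme", first_name="Alice", last_name="Smith", dob=date(1985, 3, 14))
    for candidate in ("Acme2018!", "P@ssw0rd2018", "Smith14031985", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate, **ctx) or 'accepted'}")
```

Substring matching on the normalized form is what makes the company-name rule useful: a filter that only compares the exact string would let `Acme2018!` through, while this one rejects it for both length and content.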

Microsoft is a leader when it comes to security and a driver behind many of the advancements being made to combat the growth of cyber-threats. Microsoft CISO Bret Arsenault believes the company is on its way to preventing spray attacks and to a secure future with fewer passwords.

“If you have a password filter, if you have MFA and if you have strong proofing, then you’re really in a great state,” Arsenault said.

For more information on security or for advice on any of our services please feel free to contact us on 01622 524200.


By on November 14th, 2018