How to protect against password spraying attacks

Based on findings from a Microsoft threat intelligence team, numerous technology and business outlets reported that Iranian hackers were targeting companies in the defense, satellite, and pharmaceutical sectors. According to Axios, the group, known as Peach Sandstorm, had been breaking into internal systems using a hacking technique called ‘password spraying.’ 

Below, learn what password spraying is, how it works, and why using a password manager can help protect against password spraying attacks.

In its official report about Peach Sandstorm, Microsoft wrote, “Between February and July 2023, Peach Sandstorm carried out a wave of password spray attacks attempting to authenticate to thousands of environments. Password spraying is a technique where threat actors attempt to authenticate to many different accounts using a single password or a list of commonly used passwords. Unlike brute force attacks that target a single account using many passwords, password spray attacks help adversaries maximize their chances for success and minimize the likelihood of automatic account lockouts.”

As noted above, password-spraying cyber criminals use the same password across many different accounts; chances are, they will successfully authenticate at least one account. They could come up short on 499 of 500 accounts, but if the 500th succeeds, they may hit pay dirt. 

The process typically takes place in the following three common sequential steps:

1. Acquire list of usernames: Gaining a list of username accounts for an organization is often easier than it sounds. Most companies have a standardized, formal convention for emails that double as account usernames, such as firstname.lastname@company.com.

2. Begin spraying passwords: Locating a list of commonly used passwords is also extremely easy. Each year's top passwords can be found with a simple Google or Bing search and are even published on Wikipedia.

3. Gain account & system access: A common password often works against at least one account in the organization. If just one user isn’t following password best practices, the spraying attack will be successful.

While anyone can be vulnerable to password spraying attacks, organizations that manage and store large amounts of sensitive data are ideal targets because of the potentially substantial payoff. Unlike other types of cyber attacks that may run into enterprise-wide perimeter and network security resistance, password spraying is effective because it targets an IT security Achilles Heel: weak passwords/credentials.

The 2023 Verizon Data Breach Investigations Report found that the three most common ways cybercriminals access an organization are through ‘stolen credentials, phishing, and exploitation of vulnerabilities.’ To understand how we’ve gotten to this point, it’s helpful to understand the prevalence of insecure password habits and practices.

The 2023 Bitwarden World Password Day Survey found that 85% of respondents reused passwords across multiple sites, and 58% relied on memory for their passwords. 19% admitted to having used “password” as their password. Over a quarter (26%) of those who reuse passwords have been reusing the same password for over a decade, and 60% have used the same password for 3+ years. Needless to say, these aren’t encouraging statistics. A reused password is a weak password because it opens the door to multiple accounts being breached, and relying on memory makes it much more challenging to utilize strong and unique passwords. 

One of the best steps to prevent users falling victim to password spraying attacks is proper detection. Here are three signs to look for that indicate systems and organizations may be in the midst of a password spraying attack:

1. Sudden spike in failed logins: Since password spraying covers so many accounts within an organization at once, a high number of failed login attempts within a short time span is one indication of password spraying.

2. High number of locked accounts: Password spraying avoids timeouts by waiting until the next login attempt. However, if you see an unusually high number of locked accounts this could be a clue that hackers have sprayed once, gotten locked out, and are waiting to try again soon.

3. Unknown or invalid user attempts: Hackers conducting password spraying aren’t likely to have a completely accurate list of username credentials. They’re either guessing or have purchased an outdated list online.

While it’s probably impossible to prevent all successful password-spraying attacks, utilizing a password manager and two-factor authentication (2FA) can mitigate risk. 

Password managers like Bitwarden are effective because they allow users to generate, save, and manage logins safely and securely, from anywhere on any device. They eliminate the need, and temptation, for password reuse by guarding against users defaulting to weak passwords because they make it easy for people to create unique usernames and passwords from any location or device. The stronger the password, the less likely cyber criminals are to crack it; if every password is unique, a single password compromise will remain siloed and won’t risk additional accounts. For more on creating strong passwords, check out the Bitwarden recommendations for password strength best practices. 

Another method for creating even more safeguards around sensitive data is to utilize two-factor authentication (2FA). By requiring authentication from a secondary device upon login, 2FA prevents a malicious actor from accessing data even if they discover the user’s password, and most reputable password managers offer and enable 2FA. 

Employee cybersecurity awareness and training are crucial in preventing password spraying attacks. Here are some tips to help employees stay safe:

1. Use strong and unique passwords: Employees should use strong and unique passwords for all accounts, and avoid using the same password across multiple accounts.

2. Enable multi-factor authentication: Employees should enable multi-factor authentication (MFA/2FA) whenever possible, to add an extra layer of security to their accounts.

3. Be cautious of phishing attacks: Employees should be cautious of phishing attacks, which are often used to steal login credentials.

4. Report suspicious activity: Employees should report any suspicious activity, such as multiple failed login attempts or unknown user attempts, to the IT department immediately.

By following these tips, employees can help prevent password spraying attacks and protect their organization’s sensitive data.

Ready to experience the benefits of a password manager with Bitwarden? Quickly set up a free Bitwarden account, or keep your team protected online by initiating a 7-day free trial of our business plans.