Spray bottle containing passwords

What is "Password Spraying"

Simply it's method to hack accounts in bulk undetected … Let's demystify this approach.

What is Password Spraying....

There are several moving parts to Password Spraying, at its core it's designed to work around accounts being locked and to try and work under the radar. let's have a look at this technique and try and understand how it works and ways to beat it.

There are a few moving parts to how this works so let's get to it.

Accounts

Most systems you use online will require a username and a password, and typically if you enter the wrong password 3 times your then locked out for a period of time. And when your account keeps getting locked you start to notice very quickly.

The timeout is designed to slow things down, so a brute force attack will take much longer.

Data Leaks and System Compromises

The number of times account details are leaked is shocking, it happens in all sorts of ways what matters here is that all of a sudden the hacker has access to a big list of real accounts. 

Here were not to interested in the password, that's a different thing.. and your totally at the mercy of how the password is stored. 

Common Passwords

The number of people that use the same password is shocking, It's a generalisation but thinking up passwords is HARD So the same ones tend to float to the surface like “password” (really

If the system in question needs a number … you can bet there will be a 1 on the end. a capital - It's nearly always the first letter. Some people use substitutions, let's go for S3cur3  … $ for s, 3 for e, 0 for O, 1 for i .. Hackers know them as well.

If the attacker used Brute Force, all these variants are worked out automatically ahead of time, e.g. “password”, “Password”, “Pa$sword”, “pa$$word” etc. I've seen this attack used within a company.. in less than a minute about ⅓rd of the passwords were exposed including the domain admins.

Need a spray gun

Ok, they might not actually use a spray gun. But it works something like this:

  • If we take our big list of accounts, and our big list of common passwords and try one..
  • If it works game over man…. If it doesn't try the same password against another account..
  • Repeat for all accounts.
  • Then take the next password, and try for all accounts

There is no hurry in this, it's designed to be slow, so each account might only get hit every few hours but that avoids accounts being locked.

Is it serious?

  • It's getting more and move common.
  • IMAP is an email protocol... according to this article 25% of accounts looked at were breached....
  • Even companies like Citrix were vulnerable.

So how do you protect yourself?

  • Turn on 2FA (2 factor authentication)
  • Use a different password for every account.
  • Don't use single words, and watch letter number replacements - everyone swaps O and 0, 1 and L, S and 3 ... they don't help at all.
  • Get the length up find the max a site will let you use and go for it - long (20+ character) passwords are better than complex ones.
  • If you can turn on two factor authentication.. or if possible use an OAuth provider like Google where you need access to your phone to login.

Really you need a password manager, such as lastpass; which gives you passwords way down on the common password list.

Why have separate passwords? - A Digression

Its actually a simple but effective protection method - if your password gets found out from one site and it's only used on that site you are semi protected. 

A good practice to to check to see if you have been pwned. That's a list of accounts that have been exposed from websites; at the time of writing 348 of them, with over 7 and half billion accounts - ouch.

And if an account does get compromised - you know who's, and it's much less likely to spread to all your online accounts.


Mark Stringer

Lord of Tech, Whisperer of Wi-Fi, Finder of Solutions and Provider of Managed Services and Support.