What is Password Spraying? Why is it different? ....



A very common technique to help protect accounts is "locking" them: you put your password in wrong a few times and your account is then locked, so you have to wait until it either automatically unlocks or an admin on your network releases it.

This works great if someone is trying to get into your account, as it slows them down: they only get a few goes. Password spraying is completely different.

Two things have come together: more and more services are moving into the cloud, and that includes companies providing cloud services to their staff; and the fact that a hacker is only looking for an "in" - typically they don't care whether it's your account or someone else's.

So the attacker picks an online service, takes a common password and tries it against every account in turn; then a while later they try another password against all the accounts. This way accounts are unlikely to lock, the attempts are less likely to be detected, and the attacker can actually try more passwords.

Really they are spreading the attack out rather than focusing on one individual account; you might not notice, as your account would be touched infrequently enough that it doesn't trigger the automatic lock.
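As an added illustration (not code from the original post), here is a small detector that reads constructed login-log lines and flags the pattern just described: one source failing against many different accounts, each only a few times, as opposed to one account hammered until it locks. The log format, IP addresses and thresholds are assumptions made for the example.

```python
"""Spot password spraying in authentication logs (added example, not the
post's code). Log format is constructed: "<ISO time> src=<ip> user=<name>
result=<OK|FAIL>". A spray is one source failing against MANY accounts a few
times each (under the lockout count); a brute force is many failures on ONE."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(lines):
    """Yield (time, src, user, ok) per line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def classify_sources(lines, window=timedelta(hours=1), min_accounts=5, lockout=3):
    """Map each source IP to "spray", "bruteforce" or None (looks benign)."""
    fails = defaultdict(list)  # src -> [(ts, user)] for failed logins only
    for ts, src, user, ok in parse(lines):
        if not ok:
            fails[src].append((ts, user))
    verdict = {}
    for src, events in fails.items():
        events.sort()
        verdict[src] = None
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)  # failures per account in this window
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if max(per_user.values()) >= lockout:
                verdict[src] = "bruteforce"  # one account would have locked
                break
            if len(per_user) >= min_accounts:
                verdict[src] = "spray"  # wide and shallow: classic spraying
                break
    return verdict

# Constructed sample: 203.0.113.5 sprays six accounts once each, 198.51.100.7
# hammers alice, 192.0.2.9 is a real user who mistyped once then logged in.
SAMPLE_LOG = (
    [f"2024-03-01T09:00:{i:02d}Z src=203.0.113.5 user={u} result=FAIL"
     for i, u in enumerate("alice bob carol dave erin frank".split())]
    + [f"2024-03-01T09:01:0{i}Z src=198.51.100.7 user=alice result=FAIL" for i in range(3)]
    + ["2024-03-01T09:02:00Z src=192.0.2.9 user=grace result=FAIL",
       "2024-03-01T09:02:30Z src=192.0.2.9 user=grace result=OK"])
```

Running `classify_sources(SAMPLE_LOG)` labels the first source "spray" and the second "bruteforce"; the per-account lockout counter alone would only ever have caught the second.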

Is it serious?

So how do you protect yourself?

  • Use a different password for every account.
  • Don't use single words, and watch out for letter-number replacements - everyone swaps O and 0, 1 and L, S and 3 ... they don't help at all.
  • Get the length up: find the maximum a site will let you use and go for it - long (20+ character) passwords are better than complex ones.
  • If you can, turn on two-factor authentication, or if possible use an OAuth provider like Google where you need access to your phone to log in.

Really you need a password manager, such as LastPass.

Why have separate passwords? - A Digression

It's actually a simple but important protection method - if your password gets found out from one site, you are semi-protected. A good practice is to check whether you have been pwned. That's a list of accounts that have been exposed from websites; at the time of writing 348 of them, with over 7 and a half billion accounts.

And if an account does get compromised - you know whose.

A second digression

Those spam emails that go around saying they hacked your computer - with your username and password (hopefully a really old one) - actually come from the same sort of places that haveibeenpwned.com uses.