
Keeping Password “Spraying” From Compromising Your Network
Cybercriminals are always looking for novel ways to gain unauthorized access to online accounts and IT networks. Password “spraying” is a newer scheme you and your IT department need to know about and guard against. Traditional cyberattacks attempt to breach a single account with multiple password attempts. But password spraying schemes use common passwords to try to access as many accounts as possible. Unfortunately, this approach can be very effective.
How and why it works
Password spraying perpetrators buy lists of usernames or email addresses and either buy or invent lists of common passwords. They then attempt to access many accounts using a single password. If that password doesn’t work, the criminals select a new password and keep trying until, eventually, a password opens an account. A single opened account typically gives them a foothold in a company’s network.
Password spraying generally works because many people choose predictable password patterns such as “abc,” “123456,” “password,” or “qwerty.” Typical business password policies introduce a degree of predictability. For example, the common requirement to capitalize at least one letter and use at least one special character and number frequently yields such passwords as “ABC123@” and “Password1!” And because many users deploy the same password across multiple sites, an easy-to-guess password can provide access to a variety of accounts.
A robust defense
As with most cybercrime, the best defense against password spraying is multi-layered. To reduce your company’s risk:
Require strong passwords. Passwords with 12 or more characters that include numbers, symbols and both upper- and lower-case letters are usually harder to guess. It’s also good policy to routinely check new credentials against lists of commonly used or previously compromised passwords.
Mandate multi-factor authentication. This process notifies users when a login is in progress and prompts them to provide another piece of information, such as a one-time code sent by email or text message.
Apply lockouts. Lock out users after several failed login attempts. Consider lowering the lockout threshold when a single IP address produces failed logins across multiple accounts. For example, your business’s usual threshold might be 10 failed attempts, but for a single IP address that triggers failed logins for multiple accounts, that threshold might be five.
Promote password managers. A password manager makes generating, storing and recalling complex, unique passwords easy.
Deploy CAPTCHA. Password spraying attacks are often automated, so CAPTCHA and similar technologies that verify a real person is present can make it harder for cybercriminals to succeed.
Signs of hacking
How can you know if password sprayers are trying to hack your network? Their attempts usually show up in an organization’s authentication logs. In particular, look for:
- An unusual number of failed login attempts associated with the same password,
- A high volume of authentication attempts for multiple users from the same IP address,
- Login attempts from unusual geographic locations or outside regular business hours, and
- A sudden increase in failed login attempts compared with the percentage of successful logins.
Also, failed logins from nonexistent or dormant accounts (such as those of former employees) usually merit your attention.
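To show how the per-IP lockout threshold from the lockout recommendation above and the log indicators just listed can be checked in practice, here is an added Python example (not from the original article). The log line format, the sample events and the account directory are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from any real system); the format is an
# assumption for this example: "<timestamp> <OK|FAIL> user=<name> ip=<source>".
SAMPLE_LOG = """\
2025-03-04T09:00:01 FAIL user=alice ip=203.0.113.7
2025-03-04T09:00:02 FAIL user=bob ip=203.0.113.7
2025-03-04T09:00:03 FAIL user=carol ip=203.0.113.7
2025-03-04T09:00:04 FAIL user=dave ip=203.0.113.7
2025-03-04T09:00:05 FAIL user=jsmith_old ip=203.0.113.7
2025-03-04T09:00:06 OK   user=frank ip=203.0.113.7
2025-03-04T09:02:11 FAIL user=bob ip=198.51.100.21
2025-03-04T09:02:15 OK   user=bob ip=198.51.100.21
"""
# Constructed directory of active accounts; jsmith_old is a former employee.
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin", "frank"}

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")

def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append({"ts": ts, "ok": result == "OK", "user": user, "ip": ip})
    return events

def spray_report(events, known_users, normal_threshold=10, multi_account_threshold=5):
    """Flag source IPs whose failures exceed a threshold that drops once they span >1 account."""
    fails, users, unknown = Counter(), defaultdict(set), defaultdict(set)
    for e in events:
        if e["ok"]:
            continue
        fails[e["ip"]] += 1
        users[e["ip"]].add(e["user"])
        if e["user"] not in known_users:
            unknown[e["ip"]].add(e["user"])   # nonexistent or dormant accounts
    flagged = {}
    for ip, n in fails.items():
        # Lower threshold applies when one IP fails against multiple accounts.
        threshold = multi_account_threshold if len(users[ip]) > 1 else normal_threshold
        if n >= threshold:
            flagged[ip] = {"failures": n, "accounts": len(users[ip]),
                           "unknown_accounts": sorted(unknown[ip])}
    return flagged

def failure_ratio(events):
    """Share of all attempts that failed; a sudden rise is one of the spraying signals."""
    return sum(1 for e in events if not e["ok"]) / len(events) if events else 0.0
```

Running `spray_report(parse(SAMPLE_LOG), KNOWN_USERS)` flags only 203.0.113.7, which failed against five accounts including the dormant one, while the single failure from 198.51.100.21 stays under the normal threshold.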
Path of least resistance
Password spraying exploits the tendency to follow the path of least resistance and use the same simple, easy-to-remember password for multiple accounts. Take steps to prevent this cybercrime — and potentially serious data and financial losses. Contact us for additional suggestions.
© 2025