Not all that long ago, an attacker who wanted to break into a user account would often resort to brute force attacks. Brute force attacks are simple to perform, and, as long as the attacker had plenty of computing power and patience, these attacks tended to be successful. Since then, however, IT shops have learned how to aggressively protect against brute force attacks. Initially, this meant implementing account lockout policies that would cause an account to be automatically disabled following multiple unsuccessful login attempts. Over time, organizations began adopting other protective password measures, such as password salting. Did all of this stop attackers? Of course not. They simply moved on to other kinds of attacks, including password spraying.
A password spraying attack is essentially the opposite of a brute force attack. While a brute force attack targets a specific account and attempts every possible password combination, a spray attack attempts to use one password, or relatively few passwords, against a large number of accounts.
There are any number of ways in which an attacker might attempt a password spraying attack, but the general idea is to attempt to use popular, often-used passwords against a large number of accounts. For example, one of the organizations that I worked for many years ago had a policy of responding to password reset requests by using “password” as a temporary password. The user would, of course, have to change his or her password upon logging in, but at any given moment there were probably at least a couple of users in the company whose passwords were “password.”
Hopefully, no security-conscious IT organization would consider using a single default password--especially one like “password”--in response to all password reset requests. So, how does an attacker figure out which passwords might be good candidates for use in a spray attack?
Today, it seems like almost every website in existence requires some sort of user logon. As we all know, some websites are far more secure than others. The last several years have seen countless examples of websites being hacked, including the sites of large retailers.
So, with that in mind, imagine that an attacker manages to perform a credential harvesting attack against a large website. Such a site may have millions of accounts, so the sheer scale of the data that has been harvested makes it impractical for an attacker to manually cherry pick credentials. What an attacker can do, however, is perform a statistical analysis of the compromised credentials to find out which passwords are the most commonly used. After all, the attacker knows two things.
First, the attacker knows that if a substantial number of people are using a particular password, then there is a really good chance that other people (whose accounts were not compromised in the attack) are probably using the same password.
Second, the attacker knows that people tend to use the same password on multiple sites. How many of your own users, for example, use their work password on social media sites or on retail sites?
The point is that a large credential harvesting attack gives an attacker an easy way of making a list of popular passwords. The attacker might then use the three to five most popular passwords in a spray attack.
So, the real question is, how can you protect your organization against a password spraying attack? One of the most effective things you can do to prevent this sort of attack is to require multi-factor authentication.
If your organization uses domain joined Windows machines, then another great option is to enable Windows Hello. Windows Hello allows users to authenticate into their computers using biometrics or by supplying a PIN. The reason why Windows Hello is so effective is that it eliminates the need for passwords. Even if a user chooses to authenticate using a PIN, the PIN is never transmitted across the network. Instead, the PIN unlocks the local machine and a certificate is used to authenticate with Active Directory.
When you really stop and think about it, passwords are a relic from many decades ago. It is becoming increasingly clear that passwords are problematic from a security standpoint, and that they have outlived their usefulness. Organizations would do well to adopt more modern authentication technologies.