
How to protect your business against a password spraying attack.

Byte-size Bulletin by Rachael Brown in Security, News on Sep 8, 2021


One of the most common, and easiest, ways attackers get in is by compromising passwords.

Often they do this with a technique known as 'password spraying'.

Password spraying is a low-and-slow password-guessing attack designed to compromise logins without tripping the defences that stop an ordinary brute force attempt.

Here's how a password spraying attack works, and how you can prevent it from impacting your organisation.

What is it?

Put simply, a password spraying attack is a variation on the typical brute force attack. In a brute force attack, an attacker tries a large number of candidate passwords against a single account.

With a password spraying attack, the attacker instead tries one password (or a short list of likely ones) against many accounts, in one 'spray' as the name implies.

The attacker is looking for a user account configured with a known, breached or default password, and the odds keep improving as more password lists from data breaches are published online.

This technique also lets an attacker avoid account lockouts. Here's how:

  • Most accounts have a lockout policy: administrators set a limit on the number of failed login attempts permitted before an account is locked for a set time.

  • Password spraying spreads the attempts across accounts, so each account sees only one or two failures per lockout window. That stays under the threshold and avoids lockouts, which would waste the attacker's time and risk alerting the account owner or the security team.

Attackers typically try passwords that are common, that ship as vendor or system defaults, or that appear in known or breached password lists.

If an attacker sprays these passwords across many user accounts, they are likely to find at least one configured with a known, breached, or default password.
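The two points above, that a spray stays under the lockout threshold for every individual account while still standing out as one source failing against many accounts, can be checked directly in logs. The following is an added example, not code from the original article: it parses a constructed, simplified authentication log (timestamp, username, source IP, outcome; the layout is an assumption, not any product's real format), shows which accounts a lockout policy would actually lock, and flags sources that fail against many distinct accounts inside one lockout window. The threshold of 5 failures in 30 minutes and the minimum of 5 targeted accounts are assumed values.

```python
"""Detecting a password spray from authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # assumed policy: failures before an account locks
LOCKOUT_WINDOW = timedelta(minutes=30)  # assumed policy: observation window

# Constructed sample log. 203.0.113.7 sprays one password across seven accounts
# (one attempt each, one of which succeeds); 198.51.100.9 brute-forces a single
# account; 192.0.2.44 is an ordinary one-off failure.
SAMPLE_LOG = """\
2021-09-08T09:00:01 alice 203.0.113.7 FAIL
2021-09-08T09:00:02 bob 203.0.113.7 FAIL
2021-09-08T09:00:03 carol 203.0.113.7 FAIL
2021-09-08T09:00:04 dave 203.0.113.7 FAIL
2021-09-08T09:00:05 erin 203.0.113.7 FAIL
2021-09-08T09:00:06 frank 203.0.113.7 FAIL
2021-09-08T09:00:07 grace 203.0.113.7 SUCCESS
2021-09-08T09:01:00 alice 198.51.100.9 FAIL
2021-09-08T09:01:01 alice 198.51.100.9 FAIL
2021-09-08T09:01:02 alice 198.51.100.9 FAIL
2021-09-08T09:01:03 alice 198.51.100.9 FAIL
2021-09-08T09:01:04 alice 198.51.100.9 FAIL
2021-09-08T09:01:05 alice 198.51.100.9 FAIL
2021-09-08T09:05:00 bob 192.0.2.44 FAIL
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, user, source, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, src, outcome))
    return events


def failures_per_account(events):
    """Failed attempts per account: what a lockout policy counts."""
    counts = defaultdict(int)
    for _, user, _, outcome in events:
        if outcome == "FAIL":
            counts[user] += 1
    return dict(counts)


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts a per-account lockout policy would lock. Note the spray source
    never trips this: each sprayed account sees a single failure."""
    return sorted(u for u, n in failures_per_account(events).items() if n >= threshold)


def detect_spray(events, min_accounts=5, window=LOCKOUT_WINDOW):
    """Flag sources that fail against at least `min_accounts` distinct accounts
    within any `window`. Returns {source: sorted targeted accounts}."""
    by_src = defaultdict(list)
    for ts, user, src, outcome in events:
        if outcome == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        best, start = set(), 0
        for end in range(len(attempts)):
            # slide the window start forward until the span fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            alerts[src] = sorted(best)
    return alerts


def spray_successes(events, alerts):
    """Successful logons from flagged sources: the accounts the spray actually hit."""
    hits = defaultdict(list)
    for _, user, src, outcome in events:
        if src in alerts and outcome == "SUCCESS":
            hits[src].append(user)
    return {src: sorted(users) for src, users in hits.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    alerts = detect_spray(evts)
    print("accounts the lockout policy would lock:", locked_accounts(evts))
    print("sources spraying many accounts:", alerts)
    print("successful logons from spraying sources:", spray_successes(evts, alerts))
```

Run against the sample, only the brute-forced account (alice) locks, while the spraying source touches six accounts without locking any of them and still lands one valid logon. That is why the detection has to pivot on the source rather than on the per-account failure count.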

How to prevent these attacks?

Password spraying is used by cyber criminals to gain a foothold from which to reach valuable and sensitive data.

For a company handling sensitive corporate and consumer data, a breach is to be avoided at all costs.

So, what steps can you take to prevent these attacks specifically?

The first thing to know is that password security always requires a multi-layered approach. There is no magical cure or single defence that will keep your data and logins safe.

Here are some ways you can protect your business: 

1. Enforce account lockout policies, so that repeated failed attempts lock the account and alert its owner. Bear in mind that lockout on its own does not stop a spray, which is designed to stay under the threshold, so pair it with monitoring for many different accounts failing from the same source.

2. Have an internal password policy that sets standards for length, complexity, content and use.

3. Use breached password protection. This is where a third-party tool scans your Active Directory environment for employee passwords that appear on breached password lists, so they can be identified and changed.

4. Implement multi-factor authentication, so that even an attacker who has guessed a valid password does not have everything needed to authenticate.

5. Use a password manager. They create and store complex, unique passwords for you, making your accounts significantly more secure. Keeper is one of the most innovative and easy-to-use password managers currently on the market.
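Points 2 and 3 above come together in a password check that rejects short passwords and anything already on a breached list. The following is an added example, not code from the original article or from any product it names: the 'breached' corpus is a tiny constructed list held as SHA-1 hashes, and the lookup splits each hash into a five-character prefix and a suffix, the same k-anonymity style split used by the Have I Been Pwned range API, so the full hash of a candidate never has to leave the checking system. The 12-character minimum is an assumed policy value.

```python
"""Length policy plus breached-password check (added example)."""
import hashlib

MIN_LENGTH = 12  # assumed policy value

# Constructed 'breached' corpus. Stored as uppercase SHA-1 hex digests so the
# plaintext passwords themselves never need to be kept.
BREACHED_PASSWORDS = ["Password1", "Summer2021!", "Welcome123", "Company2021"]
BREACHED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                   for p in BREACHED_PASSWORDS}


def sha1_split(password):
    """SHA-1 the candidate and split the hex digest into a 5-char prefix and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix, corpus=BREACHED_HASHES):
    """All suffixes in the corpus whose hash starts with `prefix`. This is the
    shape of a k-anonymity range query: the server only ever sees the prefix."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached(password, corpus=BREACHED_HASHES):
    """True if the candidate's full hash is in the corpus, decided client-side."""
    prefix, suffix = sha1_split(password)
    return suffix in range_lookup(prefix, corpus)


def check_password(password, corpus=BREACHED_HASHES):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password, corpus):
        problems.append("appears in breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2021!", "Welcome123!!!", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

A password can pass the length rule and still fail the breach check, or vice versa, which is why both run independently and every violation is reported rather than stopping at the first one.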
