Password Spraying

Hello, world. I’m Zanidd and welcome to the Hands On Password Cracking and Security course on Code Red. In this section, we’re covering the downsides of passwords. We will also take a brief look at the alternatives to passwords at the end of the section. In this lesson, we will take a look at password spraying Password spraying is another sub-attack of brute force attacks. So, how does password spraying work? The attacker will first find a common password, for example, !password123. He now targets a company network and tries to login with this password. He tries every possible username, email address, or account name from the company network with this common password and will eventually succeed.

The more users the company has, the higher the probability of actually finding a valid credentialed pair. This attack is very dangerous because the attacker doesn’t get locked out, except afterwards when blacklisting his IP. But because he’s using a different account every time, the typical locking mechanisms, like block an account after five wrong password attempts, don’t work. The best option to defend against such attacks is to use MFA - Multi-factor Authentication. This will keep the attacker out even if he finds a valid credential pair because it doesn’t have the victim’s phone, eyes, or finger. Another additional measure can be a strong password policy combined with regular password resets.

A strong policy alone won’t necessarily prevent your users from choosing a common password. For example, the password !Password123, with an uppercase P, is also technically a strong password. It has more than eight characters, upper and lower case letters, special symbols, and numbers. But it’s a fairly common combination, and usually policies cannot check for that. We can, of course, increase the password policy requirements and say that you need at least 16 characters, but the problem is that after a while there will be 16 characters passwords that will be common. So if we can regularly reset the password, the user is forced to change its passwords, so at least he will not use the same common password every time.

Another good way is to educate the user base about this topic with security trainings and awareness workshops. We can now start to see that passwords

are problematic for one main reason: they rely heavily on the user or whatever the users pick as passwords. And humans make mistakes and are lazy, so the passwords are usually bad or just the minimum requirement from the password policy. In the next lesson, we will take a look at keylogger attacks and see how they can be used to steal credentials.