
Password Spraying

In this video, Zanidd explains how password spraying works and presents remedies to prevent it from happening, such as multi-factor authentication.
Hello, world. I’m Zanidd and welcome to the Hands On Password Cracking and Security course on Code Red. In this section, we’re covering the downsides of passwords. We will also take a brief look at the alternatives to passwords at the end of the section. In this lesson, we will take a look at password spraying. Password spraying is another sub-attack of brute force attacks. So, how does password spraying work? The attacker will first find a common password, for example, !password123. He now targets a company network and tries to log in with this password. He tries every possible username, email address, or account name from the company network with this common password and will eventually succeed.

The more users the company has, the higher the probability of actually finding a valid credential pair. This attack is very dangerous because the attacker doesn’t get locked out, except afterwards, when his IP is blacklisted. But because he’s using a different account every time, the typical locking mechanisms, like blocking an account after five wrong password attempts, don’t work. The best option to defend against such attacks is to use MFA, multi-factor authentication. This will keep the attacker out even if he finds a valid credential pair, because he doesn’t have the victim’s phone, eyes, or finger. Another additional measure can be a strong password policy combined with regular password resets.

A strong policy alone won’t necessarily prevent your users from choosing a common password. For example, the password !Password123, with an uppercase P, is also technically a strong password. It has more than eight characters, upper- and lowercase letters, special symbols, and numbers. But it’s a fairly common combination, and usually policies cannot check for that. We can, of course, increase the password policy requirements and say that you need at least 16 characters, but the problem is that after a while there will be 16-character passwords that will be common. So if we regularly reset the password, the user is forced to change his password, so at least he will not use the same common password every time.

Another good way is to educate the user base about this topic with security training and awareness workshops. We can now start to see that passwords are problematic for one main reason: they rely heavily on the user, or on whatever the users pick as passwords. And humans make mistakes and are lazy, so the passwords are usually bad or just the minimum requirement from the password policy. In the next lesson, we will take a look at keylogger attacks and see how they can be used to steal credentials.

This video explains how password spraying works and presents remedies to prevent it from happening.

Password spraying is a type of brute force attack in which the attacker picks one common password and tries to log in to a company network with it against every known username in turn. Because each account sees only a single failed attempt, per-account lockout thresholds are never reached.

Remedies to prevent this type of attack include multi-factor authentication, a strong password policy combined with regular password resets, and security training.
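The reason per-account lockout misses this attack is that the failures are spread across many accounts and only one source; the failures have to be aggregated per source rather than per account to see the pattern. The script below, added here as an illustration and not part of the course material, runs both checks over a few constructed authentication log lines (timestamp, source IP, username, result): a classic "lock after five failures on one account" rule, and a per-source rule that flags any IP failing against five or more distinct accounts within a ten-minute window. It also lists any account that then logged in successfully from a flagged source, since that is the credential pair a defender should reset first. The log format, IPs, usernames and thresholds are all assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the course).
# Fields: ISO timestamp, source IP, username, result (FAIL/OK).
# 203.0.113.7 sprays one password across six accounts and lands on "frank";
# 198.51.100.22 is a legitimate user mistyping her own password twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:04 203.0.113.7 bob FAIL
2024-03-01T09:00:07 203.0.113.7 carol FAIL
2024-03-01T09:00:10 203.0.113.7 dave FAIL
2024-03-01T09:00:13 203.0.113.7 erin FAIL
2024-03-01T09:00:16 203.0.113.7 frank OK
2024-03-01T09:01:00 198.51.100.22 alice FAIL
2024-03-01T09:01:05 198.51.100.22 alice FAIL
2024-03-01T09:01:09 198.51.100.22 alice OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def per_account_lockout(events, threshold=5):
    """Classic control: lock an account after `threshold` consecutive failures.

    A success resets the counter. Returns the set of accounts that would be locked.
    """
    fails = defaultdict(int)
    locked = set()
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
            if fails[user] >= threshold:
                locked.add(user)
        else:
            fails[user] = 0
    return locked


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Per-source control: flag IPs that fail against `min_accounts` distinct
    accounts inside any `window`-long interval.

    Returns a dict mapping flagged IP -> set of accounts it failed against.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        # Sliding window over this IP's failures, ordered by time.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that logged in successfully from a flagged source: the likely
    valid credential pair the spray found, and the first thing to reset."""
    return {user for _, ip, user, result in events
            if result == "OK" and ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockout(evs))
    hits = detect_spray(evs)
    print("spray sources:", hits)
    print("compromised accounts to reset:", successes_from_flagged(evs, hits))
```

On the sample, the per-account rule locks nothing (no account exceeds two failures), while the per-source rule flags 203.0.113.7 and points at the "frank" login as the credential pair to reset. In a real deployment the same aggregation would be done in the SIEM or identity provider, and the per-source signal should be combined with MFA enforcement rather than replace it, since a spray that finds a valid password still fails the second factor.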

Investigate and share: Can you find any mention in the media of a recent password spraying incident? Share your findings in the Comments section at the bottom of this page.

This article is from the free online course Advanced Cyber Security Training: Hands-On Password Attacks, created by FutureLearn.
