Password spraying 101: An overview + password spraying protection tips
April 27, 2022
Password spraying is a type of brute force attack where cybercriminals take common passwords and “spray” them across several accounts to try hacking potential victims. You might think of password attacks as random attempts at hacking credentials, but they have grown into an elaborate process of trial and error.
There are tricks to help protect yourself from password spraying. Turn to this ultimate guide for the ins and outs of password spraying, including:
- How password spraying attacks work
- Password spraying vs. credential stuffing
- Signs of password spraying
- How to recover from password spraying attacks
- How to avoid future password spraying attacks
How password spraying attacks work
A password spraying attack can be summed up in three steps:
- Cybercriminals find or purchase a list of usernames online: Hackers will either search for or purchase credentials on the dark web to use for password spraying. Some may even find a company's email address pattern and use it to guess the usernames of that company's employees.
- They try different credential combinations until successful: At this point, the act of password spraying begins by trying different combinations of usernames and passwords, often through an automated system. Cybercriminals will repeat this process with different combinations to avoid account lockouts.
- They gain access to user accounts: Once the hackers uncover a user's simple password, they’ll have access to that user's personal information, which can lead to identity theft or an account takeover.
Password spraying is a slower form of brute force attack. When hackers make many login attempts against one account in a short amount of time, the site flags the intruder and locks the account. Password spraying works around this roadblock: by moving on to a different username after a single failed login attempt, hackers avoid triggering the lockout.
Password spraying vs. credential stuffing
Credential stuffing is like password spraying in that they both use usernames found online. However, credential stuffing instead uses automated tools to try large numbers of stolen credentials.
Password spraying doesn’t use any tools and instead focuses on finding verified usernames and common passwords online. Rather than running an automated tool through many different passwords, hackers take verified usernames and try logging in with common passwords that follow patterns like “1234.”
Signs of password spraying
If you think you or your household has been affected by password spraying, check out some warning signs below.
- An increase in account lockouts
- Increased failed login attempts
- Unknown or invalid user login attempts
The above signs may indicate some sort of brute force attack, especially when it comes to password spraying. Keep reading to find out how you can recover from this kind of cyberattack.
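The three warning signs above can be turned into a concrete check. The following detector is an added example, not code from the original article or from Norton: it runs over a constructed sample of failed-login records (timestamp, username, source IP; the IPs and the user directory are made up) and classifies each source as a spray (many distinct usernames, about one failure each), a classic brute force (many failures against one username), or normal, while counting attempts against usernames that don't exist.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-login records (not real data): timestamp, username, source IP.
SAMPLE_LOG = """\
2022-04-27T09:00:01 FAILED alice 203.0.113.7
2022-04-27T09:00:02 FAILED bob 203.0.113.7
2022-04-27T09:00:03 FAILED carol 203.0.113.7
2022-04-27T09:00:04 FAILED dave 203.0.113.7
2022-04-27T09:00:05 FAILED erin 203.0.113.7
2022-04-27T09:00:06 FAILED nosuchuser 203.0.113.7
2022-04-27T09:00:10 FAILED alice 198.51.100.9
2022-04-27T09:00:11 FAILED alice 198.51.100.9
2022-04-27T09:00:12 FAILED alice 198.51.100.9
2022-04-27T09:00:13 FAILED alice 198.51.100.9
2022-04-27T09:05:00 FAILED bob 192.0.2.44
"""
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin"}  # constructed user directory

def parse_failures(log_text):
    # Keep only FAILED events as (timestamp, user, ip) tuples.
    events = []
    for line in log_text.splitlines():
        ts, status, user, ip = line.split()
        if status == "FAILED":
            events.append((datetime.fromisoformat(ts), user, ip))
    return events

def classify_sources(events, window=timedelta(minutes=10), min_users=5, min_attempts=4):
    """Map each source IP to (verdict, invalid_user_count).
    spray: >= min_users distinct usernames with under two failures each (low and slow);
    brute_force: >= min_attempts failures all against a single username."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        latest = hits[-1][0]
        # Only failures inside the window ending at this source's latest attempt count.
        recent = [u for ts, u in hits if latest - ts <= window]
        users = set(recent)
        invalid = sum(1 for u in recent if u not in KNOWN_USERS)
        if len(users) >= min_users and len(recent) < 2 * len(users):
            verdict = "spray"
        elif len(recent) >= min_attempts and len(users) == 1:
            verdict = "brute_force"
        else:
            verdict = "normal"
        verdicts[ip] = (verdict, invalid)
    return verdicts
```

Alerting on per-account lockouts alone misses the spray pattern, since each account sees only one failure; grouping failures by source and counting distinct usernames is what exposes it.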
How to recover from password spraying attacks
If you’ve noticed some strange activity occurring that’s attributed to password spraying, there are several measures you can take to protect the security of both your credentials and your organization’s.
Change passwords immediately
The first order of business should be to replace any simple passwords that may be putting you at risk with more complex ones. Creating a strong, hack-proof password doesn’t have to be overly complicated, either.
Consult your organization’s cybersecurity department
If the attack occurs at work, it’s a good idea to consult your organization’s cybersecurity or IT department about the potential issue. This can help them identify other breaches and see if there is an ongoing, organized attack.
Identify failed login attempts or locked accounts
Check with your household members to see if they have also noticed failed login attempts or locked accounts, because these are signs of password spraying. By identifying the warning signs of password spraying, your household can better protect itself from security breaches.
Investigate the cause and culprits of the attack
Finally, turn your recovery into prevention. Investigate the cause and culprits of the attack and address the weak points of your passwords that they were able to target. You may even consider using a Virtual Private Network (VPN) or multifactor authentication to help prevent future attacks.
How to avoid future password spraying attacks
Help prevent password spraying attacks with the following measures and keep your data safe from password breaches.
Use complex passwords
Simple and common passwords are at high risk of being compromised. When creating a password, make sure it uses numbers, capital letters, special characters, and other parameters that make for a complex, strong password.
Change passwords periodically
Passwords should be updated periodically—whether it’s once every couple of months or a few times a year. When changing your password, it’s a good idea to create a new one instead of one too similar to your previous password. This way, you’re less likely to have your credentials hacked in the event of a password attack.
Use multifactor authentication
When your login page asks for your phone number or a backup email to authenticate that you are who you say you are, this is called multifactor authentication, also known as two-factor authentication. Enabling this across your devices can help prevent credentials from being hacked.
Invest in cybersecurity measures
Be sure to invest in cybersecurity measures like antivirus software, VPNs, and password managers to protect your personal data.
Password spraying is one of many brute force attacks that cybercriminals use to access personal and confidential information. By changing complex passwords periodically and utilizing multifactor authentication, you can minimize your chances of becoming a victim of password spraying. Strong passwords will ultimately keep you and your data safe as you explore the digital world.