Protect against password spraying

Auth & identity
July 18, 2022
Author: Stytch Team

Businesses operating in cloud-native environments can be especially exposed to certain types of attack, putting both their own and their customers' sensitive data at risk. Password spraying, also known as a password spray attack, remains one of the most reliable ways for an attacker to obtain a valid login. While it is sometimes confused with credential stuffing, password spraying is a different attack vector, one aimed squarely at the weaknesses of the traditional password.

In this article, we'll explain how password spraying attacks work, how they differ from credential stuffing, and what you can do to protect against them.

What is a password spraying attack?

Password spraying is a form of brute force attack. In a classic brute force attack, an attacker tries to get into one account by guessing its password over and over until a guess works. With password spraying, instead of trying many passwords against a single targeted account, the attacker takes one common password and 'sprays' it across many accounts, then moves on to the next password. Each account sees only one or two failed attempts per round, which is exactly what makes the technique hard to catch with per-account controls.

The vulnerability of passwords and account lockouts

Most authentication systems defend against brute force attacks with an account lockout: after a small number of consecutive failed attempts (three to five is a common setting), the account is locked, either temporarily or until an administrator intervenes. Password spraying is designed to slip under this defense. By trying only a handful of common passwords, one per round, against a wide range of user accounts, and pausing between rounds so that earlier failures age out of the lockout window, the attacker keeps the failure count on any single account below the threshold. Default passwords assigned to new users are a favorite target, because one default can be valid for many accounts at once.
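The interplay described above, as an added example that is not part of the original article and not Stytch code: a toy login service with a per-account lockout (three failures inside a fifteen-minute window, both values assumed for the example), run against a classic brute force attempt and then against a paced spray and an impatient one. The user list and the password lists are constructed for the example.

```python
"""Why a per-account lockout alone does not stop password spraying.

Added illustration, not Stytch code. The toy login service, its lockout
policy (3 failures within a 15-minute window) and the user list below are
all constructed for this example.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 3        # failures inside the window before the account locks
LOCKOUT_WINDOW = 15 * 60     # seconds; older failures no longer count


class AuthService:
    """Toy login endpoint with a per-account failure counter and lockout."""

    def __init__(self, credentials):
        self._creds = dict(credentials)        # username -> password
        self._failures = defaultdict(list)     # username -> failure timestamps
        self.locked = set()

    def login(self, username, password, now):
        """Return 'ok', 'fail' or 'locked'. `now` is a timestamp in seconds."""
        if username in self.locked:
            return "locked"
        recent = [t for t in self._failures[username] if now - t < LOCKOUT_WINDOW]
        if self._creds.get(username) == password:
            self._failures[username] = []
            return "ok"
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
        return "fail"

    def failures_in_window(self, username, now):
        return sum(1 for t in self._failures[username] if now - t < LOCKOUT_WINDOW)


def brute_force(service, username, wordlist, start=0):
    """Classic brute force: many passwords against ONE account, back to back."""
    for i, pw in enumerate(wordlist, 1):
        result = service.login(username, pw, start + i)
        if result == "ok":
            return {"compromised": True, "attempts": i, "locked": False}
        if result == "locked":
            return {"compromised": False, "attempts": i - 1, "locked": True}
    return {"compromised": False, "attempts": len(wordlist), "locked": False}


def spray(service, usernames, passwords, pause, start=0):
    """Password spray: ONE password against MANY accounts per round,
    waiting `pause` seconds between rounds so earlier failures age out."""
    compromised = []
    for round_no, pw in enumerate(passwords):
        now = start + round_no * pause
        for user in usernames:
            if user in compromised:
                continue                       # no need to keep guessing
            if service.login(user, pw, now) == "ok":
                compromised.append(user)
    return {"compromised": compromised, "locked": set(service.locked)}


# Constructed sample tenant: two users picked passwords from a common list.
SAMPLE_CREDENTIALS = {
    "alice": "Summer2022!",
    "bob": "Password123",
    "carol": "g7#Vq2!xLp9m",
    "dave": "Qwerty123",
}
BRUTE_WORDLIST = ["123456", "password", "Password123", "Qwerty123", "Welcome1"]
SPRAY_LIST = ["Password123", "Qwerty123", "Welcome1"]


if __name__ == "__main__":
    svc = AuthService(SAMPLE_CREDENTIALS)
    print("brute force on carol:", brute_force(svc, "carol", BRUTE_WORDLIST))
    # locked after 3 attempts, nothing gained

    svc = AuthService(SAMPLE_CREDENTIALS)
    print("paced spray:", spray(svc, list(SAMPLE_CREDENTIALS), SPRAY_LIST,
                                pause=LOCKOUT_WINDOW + 60))
    # bob and dave compromised, no account ever locks

    svc = AuthService(SAMPLE_CREDENTIALS)
    print("impatient spray:", spray(svc, list(SAMPLE_CREDENTIALS), SPRAY_LIST, pause=0))
    # same two accounts fall, but alice and carol lock and the attack is noisy
```

The paced spray never pushes any account past one failure inside the window, so the lockout counter is blind to it; only the impatient variant trips it, which is why real attackers space their rounds and why the defender needs a signal that looks across accounts rather than within one.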

Plenty of password data is publicly available for attackers to draw on. For example, Nordpass publishes an annual list of the 200 most commonly used passwords for educational purposes, and that same list makes a ready-made spray list. Passwords built from easy-to-guess personal information, such as birthdays or names, are another common target. Weak passwords make a spray more likely to succeed, and the absence of password complexity requirements, lockout policies and cross-account monitoring makes the attempts harder to notice.

How do attackers choose their targets?

Password spraying attacks typically target cloud-based services such as Microsoft Office 365 or other popular email providers. Attackers look for login pages that reveal whether a username or email address exists (for example, by returning a different error for an unknown user than for a wrong password), since that makes it easy to assemble a list of valid usernames to spray against. They also favor login portals without multi-factor authentication (MFA), where a password alone is enough to get in. As a result, organizations using cloud-based services are particularly vulnerable to password spraying if they lack adequate controls such as MFA.

Password spraying vs. credential stuffing

While the two terms are often used interchangeably, there's a key difference. In a credential stuffing attack, the attacker starts from known username and password pairs (typically exposed in large data breaches) and tests them against other services to find places where the same password has been reused. This lets the attacker take over multiple accounts belonging to the same user.

Password spraying, on the other hand, does not start from any particular user's compromised credentials. Instead, it exploits the fact that humans are predictable and frequently choose passwords like "Password123", "P@ssword1" or "Qwerty123". The goal is not to get into a specific account but into any account with a weak password. This is why users need strong, unique passwords for each of their accounts, and why businesses need additional controls for the many cases where they don't have them.

Aside: Credential stuffing, password spraying and classic brute force attacks all aim at sensitive data by compromising a user's login credentials. Organizations can blunt traditional brute force attacks by limiting the number of password attempts, but the most robust defense against password spraying and credential stuffing is to move to modern password handling or to passwordless authentication. Stytch passwordless authentication uses alternative methods such as biometrics, SMS one-time passcodes, or email magic links to verify a user's identity, so there is no password database to breach and no password for an attacker to spray.

The ripple effects of a password spraying attack

As mentioned, a password spray attack typically starts from a list of usernames, against which the attacker tries a small set of common passwords. Once a valid username and password combination is found, the attacker can sign in to that account without immediately alerting security systems, because the account has seen at most one or two failed attempts.

With access to even a single account, attackers can escalate their privileges by exploiting security vulnerabilities, or use the compromised account for social engineering (for example, sending phishing messages from a trusted internal address) to gather more sensitive information.

Aside: Stytch's "unphishable" Multi-Factor Authentication (MFA) uses public-key cryptography with security keys and biometric login to provide robust protection against phishing. Unlike traditional MFA methods, it relies on a key pair: a public key stored on the server and a private key that only the user holds. Because the server stores only the public half, capturing that data does not compromise the account.

Far-reaching consequences

The damage from a password spraying attack can ripple far beyond the account that was first accessed. If an attacker gains control of an email account, for example, they can reset the passwords of other services linked to that address, compromising the user further. Advanced attackers use the foothold to move laterally within a network, targeting higher-privilege accounts and extracting or encrypting valuable data for ransom. The initial stages of a password spraying attack, although they look like a handful of harmless failed logins, can therefore have far-reaching and devastating consequences for individuals and organizations alike.

Practical prevention measures

Historically, the most effective prevention measure against password spraying has been to ensure that strong, unique passwords are in use (no easy feat). A password that appears on no common-password list is simply not in the attacker's spray set, however many accounts they try it against.
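One way to enforce that at sign-up or password change, as an added example that is not part of the original article and not Stytch's Password product: reject any candidate whose normalized form appears on a common-password list, and flag passwords built from personal details. COMMON_PASSWORDS is a small constructed stand-in for a published list such as the top-200 mentioned earlier; MIN_LENGTH and the leetspeak map are assumptions for the example.

```python
"""Rejecting the passwords a spray list is built from.

Added illustration, not Stytch's password product. COMMON_PASSWORDS is a
small constructed stand-in for a published common-password list; MIN_LENGTH
and the leetspeak map are assumptions for this example.
"""
import re

MIN_LENGTH = 12
COMMON_PASSWORDS = {            # constructed; a real list has thousands of entries
    "password", "qwerty", "welcome", "letmein", "summer", "123456", "iloveyou",
    "admin", "monkey", "dragon",
}
# Common character substitutions, undone before the denylist lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "!": "i", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Return the variants a spray list would match: lowercased, with the
    digit/symbol padding people bolt onto a word stripped from either end,
    and with leetspeak substitutions reversed. 'P@ssword1' -> 'password'."""
    lowered = password.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered) or lowered
    return {lowered, core, core.translate(LEET)}


def password_weaknesses(password, personal=()):
    """List the reasons a password would be easy to spray or guess.
    `personal` holds strings an attacker could look up (name, birth year)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if normalize(password) & COMMON_PASSWORDS:
        reasons.append("common_password")
    lowered = password.lower()
    for item in personal:
        item = str(item).lower()
        if len(item) >= 4 and item in lowered:
            reasons.append(f"contains_personal_info:{item}")
    return reasons


if __name__ == "__main__":
    for candidate, info in [("P@ssword1", ()), ("Qwerty123", ()),
                            ("alice1990!", ("Alice", 1990)),
                            ("correct horse battery staple", ())]:
        print(f"{candidate!r}: {password_weaknesses(candidate, info) or 'ok'}")
```

Checking the normalized form rather than the literal string is the important part: "Password123", "P@ssword1" and "Summer2022!" all collapse to a word on the list, which is precisely how they end up in a spray list in the first place.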

But since many people will always opt for memorable (read: guessable) passwords, a strong fraud prevention and authentication protocol is now table stakes for any modern organization's security roadmap, starting with multi-factor authentication (MFA), so that a sprayed password on its own is not enough to sign in.

Additionally, organizations can deploy intrusion detection and prevention systems (IDS/IPS) and monitor their authentication logs for the pattern that gives spraying away: many different accounts each failing once or twice, from the same source or within the same short window, rather than one account failing many times. Per-account lockout counters miss this pattern entirely; a detector that counts distinct accounts per source address, or across the whole tenant, catches it.
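That detection logic, run over a few constructed log lines, as an added example that is not part of the original article and not a real IDS signature: the detector slides a window per source address, alerts when one source has failed against five different accounts inside ten minutes (both thresholds assumed for the example), and raises a second alert when that same source then succeeds. The log format and the sample lines are constructed.

```python
"""Spotting a password spray in authentication logs.

Added illustration, not Stytch code and not a real IDS signature. The log
format, the sample lines and the thresholds (5 distinct accounts failing
from one source inside 10 minutes) are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"t": ts.timestamp(), "ts": m["ts"], "src": m["src"],
            "user": m["user"], "result": m["result"]}


def detect_spray(lines, window=600, min_accounts=5):
    """Alert when one source fails against `min_accounts` DIFFERENT users
    inside `window` seconds (the spray signature), and again when that
    source then logs in successfully (the guess that landed)."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["t"])
    recent = defaultdict(deque)   # src -> deque of (t, user) failures
    flagged = set()
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        while q and ev["t"] - q[0][0] > window:
            q.popleft()                         # slide the window forward
        if ev["result"] == "FAIL":
            q.append((ev["t"], ev["user"]))
            distinct = {u for _, u in q}
            if len(distinct) >= min_accounts and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({
                    "type": "spray", "src": ev["src"], "at": ev["ts"],
                    "distinct_accounts": len(distinct),
                    # how many times the worst-hit account failed: a lockout
                    # counter would need this to reach its threshold
                    "max_failures_per_account": max(
                        sum(1 for _, u in q if u == d) for d in distinct),
                })
        elif ev["src"] in flagged:
            alerts.append({"type": "success_after_spray", "src": ev["src"],
                           "at": ev["ts"], "user": ev["user"]})
    return alerts


# Constructed sample: one source walks through six accounts with a single
# guess each, while a legitimate user at another address mistypes once.
SAMPLE_LOG = """\
2022-07-18T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2022-07-18T09:00:14Z src=203.0.113.5 user=bob result=FAIL
2022-07-18T09:00:27Z src=198.51.100.7 user=carol result=FAIL
2022-07-18T09:00:40Z src=203.0.113.5 user=carol result=FAIL
2022-07-18T09:00:52Z src=203.0.113.5 user=dave result=FAIL
2022-07-18T09:01:03Z src=198.51.100.7 user=carol result=OK
2022-07-18T09:01:15Z src=203.0.113.5 user=erin result=FAIL
2022-07-18T09:01:30Z src=203.0.113.5 user=frank result=OK
""".splitlines()


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

On the sample, the first alert fires at the fifth distinct account with max_failures_per_account still at 1, which is the whole point: no per-account threshold would ever have fired, yet the cross-account view is unambiguous. The success_after_spray alert is the one to page on, since it names the account that now needs its session revoked and password reset. A spray distributed across many source addresses needs the same count taken per tenant rather than per source; the windowing logic is unchanged.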

How Stytch can prevent password spraying attacks

Stytch offers cutting-edge authentication solutions to help modern organizations combat password spraying attacks.

  • By anticipating the human tendency toward password reuse, Stytch offers a breach-resistant Password solution that stops users from choosing weak or already-compromised credentials, removing exactly the passwords a spray relies on.
  • Stytch Device Fingerprinting identifies characteristics of a user's device, such as the operating system, browser version and screen resolution, together with network signals such as IP address, helping distinguish humans from automated tooling and guard against brute force attacks like password spraying. Suspicious devices can be flagged and blocked, reducing the likelihood of unauthorized access.
  • Stytch 'unphishable' Multi-Factor Authentication (MFA) adds an extra step to the authentication process, requiring a second factor (a one-time code, a security key or biometric login) before access is granted. Even if a password is guessed in a spray, that additional layer still stands in the way.
  • In addition to these features, Stytch also offers secure and easy-to-use single sign-on (SSO). With SSO, users log in once and gain access to multiple applications without having to remember multiple passwords, which shrinks the number of password-protected login pages available to spray while also simplifying the login experience.

By working with Stytch, developers and businesses can greatly reduce the risk of password spraying attacks and other common forms of cyber threats. Learn more about our flexible, modular authentication solutions and get started with Stytch today.
