November 30th is Computer Security Day. As part of this month’s Continuing Privacy and Security Training (“CPST”), The Compliance Team sought to explain “What is password spraying?”


What is password spraying?

Password spraying is a type of brute-force cyberattack where a cybercriminal tries to guess a known user’s password using a list of common, easy-to-guess passwords such as “123456” or “password.” This process is often automated and occurs slowly over time in order to remain undetected.

Password spraying is a common method that cybercriminals use to gain unauthorized access to computer systems. For example, IBM’s/The Ponemon Institute’s 2020 Cost of a Data Breach Report found that 19% of all data breaches were the result of weak or compromised credentials. Verizon’s 2020 Data Breach Report found that over 80% of all hacking-related breaches involved brute-force methods like password spraying.

Below is everything we need to know about how to protect our organization from password spraying attacks — how password spraying works, why the High-Level executives being targeted, the risks associated with it, how to detect and stop.


How Password Spraying Works

Cybercriminals are able to use password spraying to gain unauthorized access to your systems because people often secure their accounts with obvious passwords (ones that are easy to guess). Here’s how obvious passwords make this possible.


  1. Cybercriminals Build or Buy a List of Usernames

There are “over 15 billion credentials for sale on [the] dark web” right now. So to start a password spraying attack, cybercriminals often start by buying a list of usernames stolen from other organizations.

However, quite often, cybercriminals also build their own list using the patterns that company email addresses follow (for example, along with a list of people who work at that company (from LinkedIn, for example).


  1. Cybercriminals Procure a List of Common Passwords

The most common passwords are also easy for malicious actors to find. For example, common password lists are often published in reports or studies each year. Wikipedia also has a page that lists the top 10,000 most common passwords.

Cybercriminals can also build a list of common (but less obvious) passwords with a little bit of extra research. For example, if an organization is located in New York, they could try variations of “Yankees” or “Knicks” or something else New York-related that people often love to use as a password.


  1. Cybercriminals Try Username Password Combinations

Once a bad actor has a list of usernames and passwords (U/P), cybercriminals try them together to find a U/P combination that works. They’ll often do this using an automated system that tries one password with every user and then repeats this process with the next password in order to avoid being blocked by account lockout policies or IP address blockers that restrict login attempts.


Why are High-level Executives Being Targeted

Hackers going after high-level executives is becoming the norm. C-suite executives are twelve times more likely to be targeted by cyber-attacks than any other employee in their organization, according to Verizon’s 2019 Data Breach Investigations Report. Similarly, MobileIron’s “Trouble at the Top’ report, released in 2020, found that 84% of executives experienced a cyberattack in the twelve months prior.

One reason that C-suite execs are more regularly targeted is that top-level employees are more likely to break security protocols. MobileIron also found that 76% of C-suite execs bypass at least one of their company’s security rules in the previous year, and that almost three-quarters of IT decision-makers say that “C-suite is the most likely group within their organization to ask for relaxed mobile security protocols”. It is easy to make exceptions to policy for staff who are in executive positions, but in reality, these are the most targeted accounts.

Aside from this, these individuals are often targeted simply because they’re the wealthiest person in any given business. If you’re a malicious actor planning to hack into someone’s bank account, for instance, why target low-level employees when you could go for something much more lucrative?

This is linked to another reason why execs are targeted so commonly — they often have access to the majority of a company network, because they’re involved in all parts of the business and will likely have security clearances for a number of different departments.

They’re also more likely to have high-level financial documents contained within their email cache, for instance. It’s not surprising, then, that privileged cloud accounts are also being targeted too, because they’ll let a hacker infiltrate an entire network much more efficiently.

A rise in password spraying targeting executives specifically is nothing new: Spear Phishing, the act of targeting phishing emails towards ‘Whales’ or ‘Big Fish’ as they’re sometimes referred to, has been around for years.


The Risks Associated with Password Spraying Attacks

The risks associated with a password spraying attack depend on the role of the person within the organization whose account was breached.

If the compromised account belongs to an end user (or multiple), for example, their personal data is at risk of being breached, which could impact them in a variety of ways, depending on what information a bad actor was able to access. But if that account belongs to a system administrator, a cybercriminal could steal business-critical information like the intellectual property that was stolen from Citrix in a password spraying attack.

It may seem unlikely that anyone in your organization would use a password such as “123456” to secure their account. But a 2019 study by the National Cyber Security Centre found that over “23.2 million victim accounts worldwide used 123456 as password.”

Below are several methods you can use to stop password spraying attacks regardless of user behavior, as well as several cybersecurity best practices that will help you reduce the opportunity for (and effects of) a breach.


How to Detect a Password Spraying Attack

Although conventional counter measures might not automatically detect password spraying attacks, there are several reliable indicators to look for. The most obvious is a high number of authentication attempts, especially failed attempts due to incorrect passwords, within a short period of time. Naturally, a closely related indicator is a spike in account lockouts.

In many cases, password spraying leads to a sudden spike in attempted logins involving SSO portals or cloud applications. Malicious parties may use automated tools to attempt thousands of logons within a brief period of time. Often, these attempts come from a single IP address or a single device.


How To Stop Password Spraying Attacks

Although password spraying attacks are common, they are preventable. The technologies below will eliminate a cybercriminal’s ability to use password spraying to breach the systems of any organization.


Multi-Factor Authentication (MFA)

MFA uses an additional factor of authentication (such as those used in password less authentication above) to verify a user’s identity in addition to a username/password (U/P) combination. So even if someone uses an obvious password to secure their account, unauthorized access would be prevented in the event of a password stuffing attack because that cybercriminal would not be able to fake a user’s identity with the second authentication factor.


As always, please let the eHealth Technologies’ Privacy and Security Compliance Team know if you have any questions on the privacy and security of Covered Information, including PHI, ePHI, and other Confidential Information.