When you think of password hacking, you probably imagine a hacker trying several hundred passwords on a single account. While this still happens, it's not always what happens; sometimes a hacker will perform password spraying instead.

Let's break down what password spraying is and what you can do to defend yourself.

What Is Password Spraying?

If a "normal" hacking attack involves trying many different passwords on a few accounts, password spraying is the inverse of that. It's when a hacker has access to a lot of different account names and tries to break into them by only using a few passwords.

Hackers won't perform the "normal" hacking method if account security is tight. A secure system will notice someone repeatedly trying to access an account and will lock it down to protect the target's privacy. You may have experienced this yourself when you enter your password into a service incorrectly too many times---it locks you out.

If hackers are only using a small number of passwords per attack, which passwords are they using? The hacker's best bet is to use some of the most commonly used passwords on the internet. That way, they maximize the chance that they'll be able to break in through that small window of opportunity.

Are the Passwords We Use Weak?

Weak passwords written on a note
Weak password concept. Password 123456 on a memory stick.

Of course, this attack depends wholly on someone using a commonly-used password on their account. In this day and age, however, how likely is it that someone will use one of these passwords?

Unfortunately, our password habits haven't improved much over the years. The NCSC performed a study on willing organizations to test how susceptible they are to a spraying attack. They found that 75% of organizations had at least one account that used a password in the top 1000 passwords, and 87% had at least one account with a password in the top 10,000.

This is the flaw in security that password sprayers aim to exploit. All it takes is for one user in an organization to use a weak password for a spraying attack to work. Once the hacker gets into that account, they can use this leverage to go deeper into the system.

Who's at Risk of a Password Spraying Attack?

A hacker using a laptop

Typically, hackers use these attacks on big businesses and organizations. They also use password spraying against users in a database leak, where the hacker has a large number of account names at their disposal but no passwords.

Any situation where a hacker has a wealth of accounts to go through, but only has a limited window to attack each one, is when password spraying becomes the preferred method of attack.

Hackers choose password spraying when accounts have a severe penalty for incorrect entries. If a hacker gains information about a website's accounts, but the website only allows five password attempts before it locks down the account, a hacker will use the top five most used passwords in hopes that people used them.

Are There Real Cases of Password Spraying?

In an ideal world, everyone within an organization will use a strong password to keep sprayers out. Unfortunately, hackers have had success in the past with the tactic, so much so that Redmond Mag reported on how password spraying saw an uptick of cases in 2018.

A lot of the attacks are focused on businesses, presumably to steal valuable business documents for profit. Organizations may also have a username structure that makes it easy for hackers to collect a list of names to attack.

Threatpost has reported on how software virtualization business Citrix was hit by a spraying attack after one of its accounts was compromised. The hackers made off with valuable business documents through the permissions uncovered in the account they accessed.

The scary part of this attack is how silent it was; due to the "low-down" nature of password spraying, it didn't trip any alarms or cause any concern. Citrix had no idea the attack had even happened until the FBI informed them long after the attack had come and gone.

How to Defend Against Password Spraying

Someone touching a digital lock to represent cybersecurity
Cybersecurity and information technology security services concept. Login or sign in internet concepts.

The solution to this attack is straightforward; use better passwords! Password spraying wholly depends on you using a password that's within the top 100-or-so list of most used passwords.

By making your password more complicated, you take yourself out of the pool of passwords that a sprayer will use against you. For a start, if your password is one of the worst passwords, be sure to change it immediately!

If you want to dig a little deeper, Password Random has a list of the top 10,000 most used passwords. There is some adult language within these passwords, so be careful where you read it!

What Makes a Good Password?

Now that we know what makes a weak password, what goes into a good one?

The problem with passwords is that the more complex they are, the stronger they are; however, the harder they are to remember.

The reason people resort to passwords like "password" or "12345" is that they're easy to remember and type. There are no capital letters or strange symbols in them, but those are what's needed to help beat a password sprayer attack.

Thankfully, there are ways to design a password that's both strong and memorable. If your password hygiene isn't up to par, be sure to read about how to create a strong password that you won't forget.

Protecting Yourself With Stronger Passwords

Password spraying is a significant problem for users and businesses who don't use strong passwords. Sometimes, all it takes is for one account to have a weak password, and hackers can use the leverage to do further damage within the system. Thankfully, by strengthening your passwords and using 2FA, you can defend yourself.

Unfortunately, password spraying is not the only tactic hackers use. Be sure to read about the most common tactics used to hack passwords to further tighten your security.

Image Credit: yekophotostudio/Depositphotos