Password Spraying

What you need to know to manage the risk.

The problem started on your dog’s birthday. You posted a cute picture, a clever caption, and some confetti emoji, forgetting that Mr. Mighty’s name was part of your password at work. And your login for your bank. And your home WiFi.

What’s the risk? Password spraying, a cyber-attack strategy that attempts to access many accounts (usernames) with a few commonly used passwords. Information that’s out in the world, like pets’ names, addresses, birthdays, and anniversary dates, along with other commonly used password structures or stolen username-password combos, can be used for brute-force attacks.

According to the FBI’s Internet Crime Report, complaints about such attacks were up 7 percent in 2021, while the Federal Trade Commission recorded over 5.7 million reports of Internet crimes, a quarter of which were for identity theft. Despite rising cybercrime rates, many businesses still haven’t taken the steps to implement strong security controls and authentication technologies.

Attacks like password spraying are constantly evolving and becoming even more difficult to detect. Increasingly, these attacks are also having a larger impact on businesses, from suspending operations to levying pricey ransoms. Learning more about common attacks can help you protect your business.

Password Spraying 101

Password spraying is a type of brute-force attack in which the bad actor attempts to gain access to accounts by using a list of commonly used passwords on a large number of usernames. The attacks take advantage of users’ bad password practices. The attacks have evolved to defeat lock-out security policies by attempting logins “low and slow” so as not to trigger detection.

The attack begins with a list of accounts to spray against. Since most businesses follow a convention for email addresses such as, it’s easy to create accounts and begin testing them with commonly-used passwords. Attackers try the most common passwords (see the list below) and scan through social profiles for birth dates, family names, favorite sports teams, pet names, and more. If the first attack isn’t successful, they wait and try the next password.

It only takes one right guess to gain access to business systems, cloud resources, and more. So, what should Main Street businesses like yours do to protect against password spraying?

Managing Access Risk

One of the best defensive moves small businesses can take is education. Making employees aware of schemes like password spraying will make them think twice before oversharing on social or using lazy password practices.

Three other mitigation strategies for small businesses are:

Complex password requirements

Create a policy where all email and system access passwords require a combination of letters, symbols, and numbers. Teaching password creation techniques can help employees remember these complex logins, while password manager apps can keep track of work and personal passwords so users aren’t tempted to reuse common passwords for all accounts.

Multifactor Authentication (MFA)

Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from different categories of credentials to verify a user’s identity. Commonly, a user logs in with their username and password and is then texted an authorization code to enter, or asked a security question, as verification.

In the cyber insurance space, MFA is often required to get a policy because it offers an extra layer of protection.

Passwordless Authentication

Passwordless authentication verifies users’ identities without the use of passwords or any other memorized secret. These types of systems use key-based authentication, with the user’s credentials tied to a device that is unlocked with a PIN or biometric lock.

Additionally, businesses should follow security best practices by:

  • Deactivating unused accounts
  • Reviewing permissions regularly
  • Encrypting passwords
  • Setting account lockout policies after a certain number of failed login attempts
  • Implementing CAPTCHA where lockout is not a viable option
  • Building a custom list of banned passwords
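
A per-account lockout counter alone can miss “low and slow” spraying, because each account sees only one or two failures. The following is an added example, not part of the original article, that compares a lockout count with a per-source check for failures spread across many distinct accounts. The event format, function names, and thresholds are assumptions, and the log records are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, login succeeded).
EVENTS = [
    # One source, one failure per account, ten minutes apart ("low and slow").
    ("2024-01-08T09:00:00", "203.0.113.7", "alice", False),
    ("2024-01-08T09:10:00", "203.0.113.7", "bob", False),
    ("2024-01-08T09:20:00", "203.0.113.7", "carol", False),
    ("2024-01-08T09:30:00", "203.0.113.7", "dave", False),
    ("2024-01-08T09:40:00", "203.0.113.7", "erin", False),
    ("2024-01-08T09:50:00", "203.0.113.7", "frank", False),
    # An ordinary user mistyping their own password, then succeeding.
    ("2024-01-08T09:05:00", "198.51.100.4", "grace", False),
    ("2024-01-08T09:05:20", "198.51.100.4", "grace", False),
    ("2024-01-08T09:05:45", "198.51.100.4", "grace", True),
]

def locked_accounts(events, threshold=5):
    """Accounts a per-account lockout policy would lock (failures >= threshold)."""
    fails = Counter(user for _, _, user, ok in events if not ok)
    return sorted(u for u, n in fails.items() if n >= threshold)

def spray_sources(events, window=timedelta(hours=1), min_accounts=5):
    """Map each source IP to the accounts it failed against, if it failed
    against at least min_accounts distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:  # slide window start forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print("locked by per-account policy:", locked_accounts(EVENTS))
    print("flagged as spraying:", spray_sources(EVENTS))
```

Offices behind a shared network address can legitimately exceed the threshold, so tune `min_accounts` and `window` to your own login volume.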

A Common Mistake: The most commonly used passwords

For several years running, the most common passwords used around the world have included:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 11111123
  10. 1234567890