Password Spraying Still Effective

Donovan Blaylock II
August 13, 2019


Pages and pages of sayings attributed to the Chinese philosopher Confucius (c. 551-479 BC) were collected after his death and became the basis of the doctrine known as Confucianism. One of them, “Don’t use a cannon to kill a mosquito,” cautions against spending far more resources than a result is worth. Cybercriminals do exactly the opposite: they will happily throw enormous effort at gaining access to valuable corporate information, whether for financial gain or to damage a company’s reputation.

What Is Password Spraying

The cybercriminal equivalent of using a cannon to kill a mosquito is called “password spraying.” If you haven’t come across the technique before, Infosec Institute explains it this way:

“Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using a number of different passwords, but the number of passwords attempted is usually low when compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users.”
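The quote above makes a point that is easy to miss in a SIEM: per-account lockout counters never fire during a spray, because each account sees one or two failures, while the number of distinct accounts failing from one source climbs fast. The following is an added example, not code from the original post or from any SecureAuth or Acceptto product, that runs both views over a handful of constructed authentication log lines. The log format, the lockout threshold of five failures per account in 30 minutes and the trigger of five distinct accounts per source are assumptions chosen for illustration.

```python
"""Per-account lockout counting versus per-source spray detection.

A spray keeps every account under the lockout threshold, so grouping failures
by account finds nothing. Grouping by source and counting distinct accounts
within a time window exposes the same activity.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system):
# timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-08-12T09:00:01Z 203.0.113.7 alice FAIL
2019-08-12T09:00:02Z 203.0.113.7 bob FAIL
2019-08-12T09:00:03Z 203.0.113.7 carol FAIL
2019-08-12T09:00:04Z 203.0.113.7 dave FAIL
2019-08-12T09:00:05Z 203.0.113.7 erin FAIL
2019-08-12T09:00:06Z 203.0.113.7 frank FAIL
2019-08-12T09:00:07Z 203.0.113.7 grace FAIL
2019-08-12T09:00:08Z 203.0.113.7 heidi SUCCESS
2019-08-12T09:05:00Z 198.51.100.9 alice FAIL
2019-08-12T09:05:10Z 198.51.100.9 alice FAIL
2019-08-12T09:05:20Z 198.51.100.9 alice SUCCESS
2019-08-12T09:10:00Z 192.0.2.44 ivan FAIL
"""

LOCKOUT_THRESHOLD = 5          # assumed: failures per account before lockout
WINDOW = timedelta(minutes=30)  # assumed: observation window for both checks
SPRAY_MIN_ACCOUNTS = 5         # assumed: distinct failing accounts per source


def parse_log(text):
    """Parse the constructed log into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def per_account_lockouts(events):
    """What a per-account lockout policy sees: accounts at or over the threshold."""
    failures = defaultdict(list)
    for ts, _, user, result in events:
        if result == "FAIL":
            failures[user].append(ts)
    locked = set()
    for user, times in failures.items():
        times.sort()
        for i, t in enumerate(times):
            # Count this account's failures in the window ending at t.
            in_window = sum(1 for u in times[: i + 1] if t - u <= WINDOW)
            if in_window >= LOCKOUT_THRESHOLD:
                locked.add(user)
    return locked


def spray_sources(events):
    """Sources that failed against many distinct accounts inside one window.

    Returns {source: max distinct accounts seen in any window}.
    """
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, entries in by_src.items():
        entries.sort()
        start = 0
        for end, (t_end, _) in enumerate(entries):
            # Slide the window start forward until it fits within WINDOW.
            while t_end - entries[start][0] > WINDOW:
                start += 1
            users = {u for _, u in entries[start:end + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def compromised_after_spray(events, flagged):
    """Successful logins from a flagged source: the accounts the spray opened."""
    return sorted({user for _, src, user, result in events
                   if result == "SUCCESS" and src in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts locked by per-account policy:", per_account_lockouts(evs))
    sprayers = spray_sources(evs)
    print("sources flagged as spraying:", sprayers)
    print("accounts compromised by sprayers:", compromised_after_spray(evs, sprayers))
```

On the sample data the lockout view locks nobody (the most any single account fails is three times), while the per-source view flags 203.0.113.7 for seven distinct accounts and shows that heidi’s login from that source succeeded. The second signal is the one worth alerting on, and the third is the one that tells you which account to reset.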

So this is a brute force approach that relies on simplicity and on a few critical shortcomings in an organization’s Identity and Access Management strategy. The top four are:

  1. Allowing users to choose their own passwords without guidance or screening
  2. Relying on simple username/password authentication alone
  3. Granting root or administrator access more widely than roles require
  4. Assuming users understand cyber security well enough not to do anything that makes themselves or the company vulnerable

Rigid composition rules (e.g. 3 upper case letters, 3 lower case letters, 3 digits and 3 special characters) are not enough on their own: the passwords a sprayer tries first, such as Summer2019! or Welcome1!, are chosen precisely because they satisfy the complexity rules most organizations actually deploy. If you do not screen new passwords against lists of common and previously breached passwords, and do not add some form of two-factor or multifactor authentication, you remain susceptible to password spraying.
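To make the point concrete, here is an added example (not code from the original post or from any SecureAuth or Acceptto product) of a password acceptance check that applies a composition rule and then screens the candidate against a blocklist after normalizing away the decorations users add to satisfy complexity rules. The blocklist stems and the normalization steps are illustrative assumptions; a real deployment would load a large leaked-password corpus.

```python
"""Composition rule plus normalized blocklist screening for new passwords.

The typical sprayed password is a common word with a year, a digit or a
punctuation mark appended so that it passes a complexity check. Stripping
those decorations before the blocklist lookup catches the whole family.
"""
import re

# Constructed blocklist of base words sprayers try (illustrative only).
BLOCKLIST_STEMS = {"password", "welcome", "summer", "winter", "spring",
                   "autumn", "fall", "qwerty", "letmein", "changeme", "admin"}

# Substitutions users make to satisfy digit/special-character requirements.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def meets_composition_rule(pw, min_each=1, min_len=8):
    """Classic complexity rule: at least min_each of every character class.

    min_each=1 is the common deployed rule; min_each=3 is the stricter variant
    mentioned in the post.
    """
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(
        len(re.findall(c, pw)) >= min_each for c in classes)


def normalize(pw):
    """Reduce a password to the base word an attacker would have started from."""
    s = pw.lower()
    s = re.sub(r"[^a-z0-9]+$", "", s)   # trailing punctuation: "!", "!!", "?"
    s = re.sub(r"(19|20)\d\d$", "", s)  # trailing year: 2019, 1999
    s = re.sub(r"\d+$", "", s)          # remaining trailing digits: 1, 123
    s = s.translate(LEET)               # p@ssw0rd -> password
    return s


def acceptable(pw, min_each=1):
    """Return (accepted, reason) for a candidate password."""
    if not meets_composition_rule(pw, min_each):
        return False, "fails composition rule"
    if normalize(pw) in BLOCKLIST_STEMS:
        return False, "common password variant"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Summer2019!", "Welcome1!", "P@ssw0rd!", "Tr0ub4dor&3"]:
        print(f"{candidate:14} composition={meets_composition_rule(candidate)!s:5} "
              f"accepted={acceptable(candidate)}")
```

Summer2019!, Welcome1! and P@ssw0rd! all pass the one-of-each-class rule and are all rejected by the blocklist after normalization, while an uncommon password such as Tr0ub4dor&3 passes both. Note that Summer2019! does not pass the three-of-each-class variant the post mentions, but that strictness mostly pushes users toward predictable padding rather than toward unpredictable passwords, which is why the blocklist is the check that matters.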

Password Spraying Strikes Again

In late March 2018, Redmond Magazine reported:

“According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad,” the agencies declared in a US-CERT technical alert issued Tuesday evening.

Prompting the alert was the disclosure last Friday of a federal indictment against nine Iranian nationals associated with the Mabna Institute, a private Iran-based company accused of hacking on behalf of the Iranian state. The main focus of that indictment was a massive, four-year spear-phishing campaign to steal credentials from thousands of university professors whose publications could allegedly advance Iranian research interests.”

Despite these warnings, the most recent high-profile breach accomplished with password spraying was documented by CyberScoop:

“The hackers who breached corporate VPN service provider Citrix last year used an unsophisticated technique that throws commonly used, weak passwords at a system until one works, the company’s investigators have confirmed.

The “password spraying” ploy allowed the hackers to steal business files from a Citrix network drive along with a drive linked with its consulting practice, Citrix President David Henshall wrote in a blog post last week. The attackers had access to the drives for a “limited number of days,” between October 2018 and March 2019, he said.”

The simplest way to protect against password spraying is to address the four shortcomings listed above; a stronger approach is to rethink the authentication strategy itself so that there is no password to spray.

The Best Defense Is A Strong Offense

By eliminating the need for passwords altogether, you remove the target that password spraying depends on. Acceptto was the first to understand, develop and deliver continuous and behavioral authentication. Our company was built on the premise that the only way to ensure digital credentials are used solely by the person they represent, and not by an impostor or by someone who has hijacked a device that person correctly authenticated, is to keep verifying that person continuously rather than once at login.

Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user’s interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to refine the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be defined manually and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI and ML, expert systems and subject matter experts to classify, detect and model behavior, and assigns real-time risk scores to continuously validate your identity before, during and after authentication.

Download Intellyx’s whitepaper, App Authentication Evolves in a World of Compromised Credentials, today, then see what Acceptto can do to let your employees, partners and customers authenticate without passwords while preserving security and privacy by registering for a free demo.
