Password Spraying is a New Type of Brute Force Attack

Password spraying is a new password exploit that is being used effectively against larger networks.  It’s become enough of a problem to merit an alert from US-CERT entitled TA18-086A: Brute Force Attacks Conducted by Cyber ActorsHere’s how it works.

Typically, in a traditional brute-force password attack, the password cracking software runs a long list of every possible password against a system.  In defense, we have countered by setting up limits and lockouts after a certain number of failed login attempts.  So after five wrong guesses, the system will not accept further login attempts for 30 minutes or an hour.  This has worked pretty well at blunting or at least slowing the effectiveness of the brute force attack.

With password spraying, the attacker cycles each password guessing attempt at each system in the network, returning after an interval to try each subsequent guess in turn on each machine again.  So instead of trying 100 passwords against a single machine, it tries one password against 100 machines, and then starts over with password two.  Rinse and repeat.

  • This exploit relies on Google search, Linkedin, and social engineering to develop a list or users in the target organization. Sometimes the attacker will export the Global Account List from an email client.
  • It also exploits human predictability elements like easy to guess passwords.  Especially passwords that are know to be more likely in a corporate environment, like the passwords “May2018! or “P@ssword123”.
  • More common in single sign-on (SSO) and authentication federation environments, often without two-factor authentication.
  • Attackers also prefer environments where users are permitted to set-up email forwarding.

There are signs that your company may be targeted.

  • There will be a huge increase in failed login attempts, across a wide selection of users, for periods of up to an hour, often from a single IP address.
  • There may also be an increase in successful employee logins from IP addresses and geographic locations that would be  unusual for employees.

This activity can result in distruption to operations, loss of proprietary information or PII, financial losses to to mitigation costs or actions directly attributable to the attack, such as wire transfer fraud.

Solutions include:

  • setting up two-factor or multi-factor authentication,
  • increasing the length and strength of passwords,
  • and reviewing policies and settings for password lockouts, decreasing the number of allowed failures and increasing the lockout duration.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.