Password Policy Failures: How Weak Credentials Still Lead to Breaches

Passwords are the most widely criticised security control and the most widely relied upon one. Despite years of recommendations towards multi-factor authentication, passwordless approaches, and stronger credential policies, username and password combinations remain the primary authentication mechanism for the majority of enterprise systems. When those credentials are weak, the consequences are predictable.

Credential-based attacks are not sophisticated. They do not require zero-day exploits, advanced tooling, or deep technical skill. They require a list of common passwords, a list of valid usernames, and an authentication endpoint to test against. The attack succeeds when the organisation has not made it expensive enough to attempt.

Password Spray Attacks

Password spray avoids account lockout by attempting a small number of passwords across a large number of accounts. Lockout policies that trigger after three to five failed attempts for a single account are bypassed by trying only one or two passwords per account. With a list of ten thousand domain user accounts and a password of Summer2024!, the attack will succeed against some proportion of accounts in almost every environment.

The attack scales with the number of accounts in scope. A large organisation with thousands of user accounts gives the attacker more opportunities. Accounts belonging to users who have not logged in recently, contractor accounts, and service accounts are less likely to have strong passwords and less likely to be monitored actively.

Credential Stuffing

Credential stuffing uses username and password pairs from previous data breaches. Breach databases containing hundreds of millions of credentials are available to attackers. When users reuse passwords across personal and corporate accounts, a breach of a personal service exposes corporate systems to the same credentials.

Internal network penetration testing includes password policy review and, where agreed in scope, password auditing against the domain’s password hashes. This quickly identifies accounts with trivially weak passwords, default credentials, and passwords that match patterns common in spray attacks.

Why Complexity Requirements Alone Are Not Enough

Password complexity requirements that mandate uppercase, lowercase, numbers, and symbols lead users to predictable patterns: Summer2024!, Password1!, and Company123! all meet typical complexity requirements and all appear regularly in credential spray targets. Complexity without length is insufficient.

Long passphrases are more resistant to both brute force and spray attacks than short complex passwords. A policy that requires fifteen or more characters alongside complexity rules produces credentials that are harder to crack and, with a password manager, no harder for users to manage than shorter passwords.

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

“Password spray attacks work because most organisations have at least some accounts with predictable credentials, and default lockout policies allow enough attempts to succeed before triggering protection. We run password spray simulations as a standard part of internal assessments and the success rate is higher than clients expect.”

Detection and Response

External network penetration testing of internet-facing authentication endpoints, VPNs, email portals, and web applications checks whether password spray attempts trigger detection and lockout. Many organisations discover that their external authentication endpoints have no monitoring for spray patterns at all.

Monitoring authentication logs for low-and-slow spray patterns, multiple accounts failing authentication from the same IP address, and geographically implausible login attempts provides early warning. Alerting on these patterns gives the security team an opportunity to respond before a successful authentication results in a breach.
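The detection logic described above, as an added example that is not part of the original article: it groups failed logins by source IP over a sliding time window and flags any source that fails against several distinct accounts, which is the spray signature that per-account lockout never sees. The log format, field order and thresholds are assumptions; the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Assumed format: timestamp, result, username, source IP.
SAMPLE_LOG = """\
2024-06-03T08:00:05Z FAIL alice 203.0.113.7
2024-06-03T08:03:11Z FAIL bob 203.0.113.7
2024-06-03T08:07:42Z FAIL carol 203.0.113.7
2024-06-03T08:12:09Z FAIL dave 203.0.113.7
2024-06-03T08:15:30Z OK erin 203.0.113.7
2024-06-03T08:02:00Z FAIL alice 198.51.100.22
2024-06-03T08:02:30Z FAIL alice 198.51.100.22
2024-06-03T08:03:00Z FAIL alice 198.51.100.22
2024-06-03T09:30:00Z OK frank 192.0.2.10
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        ts, result, user, ip = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_accounts=4):
    """Return {ip: sorted accounts} for sources whose failures hit at least
    min_accounts distinct accounts inside any sliding window of length `window`.
    Widen `window` (hours or days) to catch low-and-slow sprays.
    Note the second source below is NOT flagged: three failures against one
    account is a per-account brute force, which lockout already covers."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts

def successes_after_spray(events, alerts):
    """A successful login from a flagged source is the signal worth paging on."""
    return sorted((ip, user) for _, result, user, ip in events
                  if result == "OK" and ip in alerts)
```

Run against a real log, the thresholds should be tuned to the environment; a single shared NAT address can legitimately produce failures from many accounts.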
