Proton

What is a password spraying attack?

Password spraying attacks pose a major risk to individuals and organizations as a method to breach network security by trying commonly used passwords across numerous accounts.

This article explores password spraying attacks, explaining their methods and potential harm. It also highlights key methods to strengthen your protection against these threats.

What is password spraying?
How a password spraying attack works
How to prevent password spraying attacks
How Proton Pass can help

What is password spraying?

Password spraying is a type of brute-force attack(new window) where a cybercriminal tries one password on multiple usernames or email addresses, then tries another password, and continues this process. It takes a different approach from traditional brute-force attacks that test multiple passwords against a single username or email address.

The goal of a password spraying attack is to find a weak security link without drawing attention to itself. It does so by balancing efficiency and stealth: selecting likely passwords and using automated tools to test them while avoiding rapid, repeated login attempts that could trigger security alerts.

Microsoft experienced a password spraying attack(new window) on corporate email accounts in January 2024.

How a password spraying attack works

Here’s how a cybercriminal carries out a password spraying attack:

1. Collecting usernames

The attacker gets started by gathering a list of usernames, email addresses, or other identifiers for the accounts associated with the targeted organization or service. These can be obtained through various means, such as phishing campaigns(new window), data breaches, social engineering, or scraping public information from the web.

Many organizations follow a specific format for their employees’ email addresses, such as firstname.lastname@example.com. An individual could use LinkedIn to get the email address of a single employee, deduce its structure, cross-reference it with a list of employee names on the company’s website, and use this data to create a database of employee email addresses.

2. Selecting passwords

Once the list of usernames or email addresses is ready, the cybercriminal selects a set of common passwords to use in the attack. Typically, these passwords are as simple or predictable as Password1, p@ssw0rd, Qwerty123, 1q2w3e or Q2w3e4r5t.

Depending on the sophistication of the attack, the passwords may be a bit more elaborate. They might resonate with local culture, significant landmarks, or common national symbols, like Boston2024 or Microsoft123 or state-specific references like Yellowstone for a company from Wyoming.

3. Using automated spraying tools

Automated tools, such as MSOLSpray(new window), are capable of entering usernames and passwords into login forms, managing sessions, and detecting successful or unsuccessful login attempts.

4. Gaining access

Any successful login attempt indicates that the attacker has found a correct username and password combination for at least one account within the targeted organization.

At this point, the automated spraying tool may continue its efforts to access additional accounts. Meanwhile, the cybercriminal can explore the breached account and use it for various malicious purposes, such as data theft, credential stuffing, spreading malware, creating phishing campaigns, or deploying ransomware(new window) across the network.

For example, an attacker could send emails with malicious attachments or links to the victim’s contacts, exploiting the trust between them. If the compromised account belongs to an administrator, malware could be directly installed on network systems, compromising the entire company.

How to prevent password spraying attacks

To strengthen your protection against password spraying attacks and enhance your online security, follow these essential practices:

Use strong passwords

Since password spraying attacks rely on common and simple passwords, the best way to evade them is by always using secure passwords(new window) that are difficult to guess, even in the event of a standard brute-force attack. The more complex the password, the longer it will take the attacker to discover it.

A random password over 12 characters with a mix of letters, numbers, and symbols is functionally impossible to crack. Good examples of secure passwords are h*0ce24]$>9C and #?reue3&6TS^qxFHQa2=. A passphrase(new window) can also be secure and useful for any passwords you must remember.

Never reuse passwords

Never reuse passwords. Otherwise, in case of a successful password spraying attack, the cybercriminal will be able to log in to all your accounts using the same password (credential stuffing(new window)), leading to a domino effect of breaches.

Use a password manager

Remembering a bunch of long passwords made from gibberish can be overwhelming, leading to password fatigue(new window). Moreover, writing down passwords on paper or storing them in a local text file can easily jeopardize your security.

The best solution is to turn to a secure password manager that keeps track of all your passwords, automatically fills them in so you don’t have to, and encourages password uniqueness.

Enable two-factor authentication

Two-factor authentication (2FA)(new window) adds an extra layer of security to your account by requiring two or more verification methods to log in to an account: something you know (a password), something you have (a security token or a mobile device), or something you are (biometric validation).

With 2FA enabled, even if the cybercriminal guesses the password associated with your account, they will not be able to pass the subsequent verification factors. Moreover, receiving an unexpected 2FA request can serve as an immediate alert that someone is attempting to access your account. Next, you can take prompt action, such as changing your compromised password.

Use passkeys

Passkeys(new window) can protect you from password spraying and other types of brute-force attacks by replacing traditional passwords and two-factor authentication methods with cryptographic keys and biometric data or hardware tokens. When using a passkey, there’s no password for attackers to guess. It also ensures unique credentials for each service, making it significantly more secure than traditional password-based authentication.

Use alias email addresses

Using email aliases(new window) is a strategic way to protect against password spraying attacks. They limit the exposure of your real email addresses on the internet, reducing the chance for attackers to discover and use them for malicious activities.

Alias email addresses are ideal for one-time events, like registering to download a free PDF or joining a forum. However, if you need to receive important follow-up emails, you’ll need a service like Proton Pass that forwards messages from your alias email address to your real one while keeping your real email address private.

How Proton Pass can help

Proton Pass is a password manager with a robust suite of features for countering password spraying attacks. In addition to remembering all your passwords, Proton Pass has a built-in random password generator, a 2FA authenticator, and hide-my-email aliases to generate random email addresses and forward messages to your main inbox. It also features passkeys(new window).

Everything is secure within your Proton account, which supports end-to-end encryption(new window) — only you have access to your data. Even if attackers breach Proton’s server-side defenses, they cannot decrypt your information, so your credentials remain safe.

Take the first step toward protecting your accounts from password spraying attacks by creating a free Proton Pass account today.

Protect your passwords
Create a free account

Related articles

A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.
A cover image for a blog announcing that Pass Plus will now include premium SimpleLogin features
We're changing the price of new Pass Plus subscriptions, which now includes access to SimpleLogin premium features.
Infinity symbol in purple with the words "Call for submissions" and "Proton Lifetime Fundraiser 7th Edition"
It’s time to choose the organizations we should support for the 2024 edition of our annual charity fundraiser.