
Spray you, spray me: defending against password spraying attacks

Created:  15 May 2018
Updated:  15 May 2018
Author:  Andy P

One common way that online accounts are breached is through password spraying, whereby a short list of common passwords is tried against a large number of accounts. These attacks succeed because, in any large set of users, some will be using very common passwords, and the attack can slip under the radar of protective monitoring that only looks at each account in isolation.

To understand how much of a problem this is, the NCSC recently conducted a research study which allowed participating organisations to assess how vulnerable they would be to a password spraying attack. The PowerShell script we used to collect data is still available to download for your own use if needed, but since the study is now over we can't provide support. From the study we found:

  • 75% of the participants’ organisations had accounts with passwords that featured in the top 1,000 passwords
  • 87% had accounts with passwords that featured in the top 10,000

This data suggests that password spraying attacks are likely to have some success against these organisations, and many other organisations across the UK. Whilst account lockout policies may limit attackers to trying (for example) 10 passwords against a single account per day, the account lockout counters usually reset over time. This allows persistent attackers to try more passwords, and they can (and do) end up trying hundreds or even thousands of common passwords.

Because of this, one of the questions the NCSC frequently gets asked is how to mitigate password spraying attacks. High password complexity doesn’t guarantee that passwords will be more difficult for attackers to break, but it usually does make them harder for users to remember - thus driving weaker passwords and more password reuse overall. So instead, we often encourage disabling complexity requirements and adopting other strategies such as three random words. However, this means that the onus is now even more on users to pick 'good' passwords (that is, passwords that cannot easily be guessed), and network administrators ostensibly have very limited defence against password spraying attacks.

Fortunately, there are actually a variety of approaches organisations can take to mitigate these attacks, and the number of available options is growing regularly. As a starting point, we recommend making sure that you do some of the following:

  • configure protective monitoring over externally-reachable authentication endpoints to look for password spraying attacks (some ideas are given in the password guidance)
  • deploy alternatives to passwords where possible (examples can be found in our recently published case studies)
  • enforce multi-factor authentication on your externally-reachable authentication endpoints
  • provide pragmatic advice to users on how to choose 'good' passwords
  • regularly audit user passwords against common password lists, using free or commercial tools (or the NCSC PowerShell script)
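The first item above, protective monitoring that looks across accounts rather than at each one in isolation, is the crux of detecting a spray. The following Python is an added example written for this post; it is not the NCSC script or any product's detection logic, and the log format and the log lines it runs over are constructed for illustration. It contrasts what a per-account lockout counter sees (nothing, because each account only fails once) with a source-based check that counts distinct usernames failing from one address inside a time window, and then lists the successful logins that followed from a flagged source, which is where an incident responder would start.

```python
"""Password spray detection over authentication logs (added example).

The log format is constructed: '<ISO timestamp> <OK|FAIL> <username> <source IP>'.
Real SSO, VPN or Exchange logs will need their own parser, but the logic is the same.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails once against five different accounts
# and then logs in as a sixth; a second source is a user mistyping their own password.
SAMPLE_LOG = """\
2018-05-15T08:00:01 FAIL alice 203.0.113.7
2018-05-15T08:00:02 FAIL bob 203.0.113.7
2018-05-15T08:00:03 FAIL carol 203.0.113.7
2018-05-15T08:00:04 FAIL dave 203.0.113.7
2018-05-15T08:00:05 FAIL erin 203.0.113.7
2018-05-15T08:00:06 OK frank 203.0.113.7
2018-05-15T08:00:07 FAIL alice 198.51.100.20
2018-05-15T08:00:08 FAIL alice 198.51.100.20
2018-05-15T08:00:09 OK alice 198.51.100.20
"""


def parse(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user, src


def per_account_lockouts(lines, threshold=10):
    """What an account lockout policy sees: failures counted per account only.

    A spray that tries one password per account never reaches the threshold.
    """
    fails = defaultdict(int)
    for line in lines:
        _, result, user, _ = parse(line)
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def spray_sources(lines, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failures touch many distinct accounts within a window.

    Returns {source: max distinct users failing in any single window}.
    """
    fails = defaultdict(list)  # source -> [(timestamp, user), ...]
    for line in lines:
        ts, result, user, src = parse(line)
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            flagged[src] = best
    return flagged


def successes_after_spray(lines, **kwargs):
    """Successful logins from flagged sources: the accounts to investigate first."""
    sprayers = spray_sources(lines, **kwargs)
    hits = []
    for line in lines:
        _, result, user, src = parse(line)
        if result == "OK" and src in sprayers:
            hits.append((user, src))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-account lockouts:", per_account_lockouts(lines))
    print("spray sources:", spray_sources(lines))
    print("successes from spray sources:", successes_after_spray(lines))
```

The window and threshold are deliberately parameters: a slow spray that stays under a lockout policy's daily count still accumulates distinct usernames per source, so widening the window is the defender's answer to the lockout counter resetting. Sources behind a shared NAT will produce false positives, which is why the successful-login list, not the flag alone, should drive the response.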

One of the most effective approaches to stopping these attacks is to prevent users from using common passwords in the first place. Over the last few months, we’ve been talking to several developers of software that uses passwords, and asking them to think about how to prevent their users from setting common ones. Some plan to use something like Troy Hunt’s HIBP service to prevent common passwords, or have user-configurable blacklists in their products (or support third party software that does the same).
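As an added example of the blacklist approach described above (not code from the NCSC, from any of the developers mentioned, or from HIBP itself), the Python below checks a candidate password against an organisation's own blacklist and against a breach corpus using the k-anonymity pattern the Pwned Passwords range API uses: only the first five hex characters of the SHA-1 are sent, the server returns every suffix sharing that prefix, and the match is made locally. The network call is left to the caller as an injected `fetch_range(prefix)` function; the one supplied here is a constructed stand-in with made-up counts, so the example runs offline.

```python
"""Common-password blacklist check with a k-anonymity breach lookup (added example).

fetch_range(prefix) is assumed to return text in the form 'SUFFIX:COUNT' per line,
one line per SHA-1 suffix sharing the 5-character prefix. The stand-in below is
constructed from a handful of well-known weak passwords with invented counts.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password, fetch_range):
    """Return how many times the password appears in breach data (0 if absent).

    Only the 5-character prefix leaves this machine; the suffix comparison is local.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_acceptable(password, fetch_range, org_blacklist=(), max_breaches=0):
    """Reject org-specific terms (case-insensitive) and breached passwords."""
    if password.lower() in {term.lower() for term in org_blacklist}:
        return False
    return breach_count(password, fetch_range) <= max_breaches


def constructed_fetch_range(prefix):
    """Stand-in for the range API, built from constructed data (not real counts)."""
    store = defaultdict(list)
    for pw, count in [("password", 1000), ("qwerty", 500), ("letmein", 200)]:
        digest = sha1_hex(pw)
        store[digest[:5]].append(f"{digest[5:]}:{count}")
    return "\r\n".join(store.get(prefix, []))


if __name__ == "__main__":
    org_terms = ["Acme2018", "acmecorp"]  # constructed organisation-specific list
    for pw in ["password", "Acme2018", "correct horse battery"]:
        print(pw, "->", "rejected" if not is_acceptable(pw, constructed_fetch_range, org_terms)
              else "ok")
```

Two design points carry over to a real deployment: treat a range lookup failure as "unknown" rather than silently accepting the password, and keep the organisation-specific list alongside the generic corpus, since, as the comment thread below notes, a generic top-N list will not contain the company name, local sports teams or product names that a targeted attacker would try.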

Many of our customers use Microsoft technologies for user authentication. The good news here is that they've announced a variety of mitigations for password spraying attacks. I’d encourage all admins of hybrid or cloud-only Azure AD networks to have a look at these mitigations and employ them where possible.

However, not all authentication services will provide mitigations for password spraying attacks. If you come across such products, please do suggest to their developers that they should include such mitigations, and point them at this blog if you think it would help. Commercial third party products might help you in the interim. And of course, if your products do have these mitigations, turn them on and monitor your logs!


Andy P

EUD Security Research Lead

5 comments

Andy Burns - 16 May 2018
How was the list of the "Top 1,000/10,000" arrived at? I took a look, and I might have expected more film/tv references (what, no Harry Potter?), and "Baseball" and "Chicago" are surprising entries for a UK-centric list.

Also, I'd recommend ZXCVBN as a good password strength estimation tool - https://github.com/dropbox/zxcvbn - It seems to be better than most for indicating the entropy of a password.

And Troy Hunt's api.pwnedpasswords.com is awesome; I can't think of a reason why you wouldn't use this.
Andy P - 17 May 2018
We used a fairly generic “Top N” password list for our study, and whilst cultural differences may affect some of the statistics, I believe our conclusions are still sound.

You never know which password list your attacker is going to use after all. Nonetheless, you’re right that if you want to use these types of tools to prevent password spraying attacks, you should also look to include custom password lists that are relevant to your organisation and your users.

Fortunately, most tools that support blacklisting (including our script) also support maintaining a custom blacklist which you can use for this purpose.
Danny Harrison - 29 May 2018
Hi Andy, I work for the DWP and am keen to get your views on a project I am working on for the department, 'Cloud First'. What's the best process to get your contact details?
Andy P - 30 May 2018
Hi Danny,

If you use the Contact Us form on the website and mention my name it will be sent on to me. I will let the team know to expect something from you.
David W - 05 Jun 2018
While agreeing with the premise that password policies shouldn't encourage weak password selection, I couldn't help noticing that a policy requiring 8 characters and standard Windows complexity would eliminate the vast majority of the top 1000 passwords in your list.

Removing password expiry so users know it's worth their time to remember a strong password is very beneficial however.

While password blacklists are a great idea, Windows does not offer that as a standard feature, and web developers I have worked with have acted as if I was asking the earth when asked to incorporate them, resulting in product owners prioritising features and blacklists not even making it to the backlog.

Therefore it's good to see you highlighting products such as Azure where it's been built in.
