5/9/2018
There are two common ways the bad guys might try to break into a building: spend lots of effort on one door or window, or try each door and window to see if one is easier to enter than the others. The same is true for attackers trying to compromise systems and networks (and penetration testers looking for weak authentication).
In the first case, they pick an account and try multiple strategies to compromise the account. This often includes trying multiple passwords, especially if the attacker has access to the password database. This can take a long time!
The other approach is to try common passwords on many or all accounts, hoping to find a weak one. This is the concept of "password spraying". If one account can be compromised, the attacker has a way into the system or network. The attacker's hope is that at least one account has a weak password. There are two ways to do that depending on whether or not the password database is available. Each relies on a list of common passwords. Some spraying tools check not only common passwords but ones based on username, company name, etc. Good ones try variations on the words including adding special character or two to address common policy requirements.
Lists of common passwords are readily available. An article at fortune.com discusses the SplashData list for 2017. (I'd normally link directly to the SplashData source, but some caution is in order: it seems at least one password on the list uses language "not suitable for work". Yes, there's a milder one in the Fortune article, too.) If you want a large list of over half a billion passwords you can download it from Have I Been Pwned. That is an awful lot, though, and they are not sorted by commonness.
If the attacker has access to the encrypted database, he or she can try common passwords against each account. This is really a form of a dictionary attack, and not the process usually referred to as password spraying.
Generally the term "password spraying" refers to trying the common passwords to multiple accounts on a system - ideally all of them - over a network. Many readers of this blog are probably thinking, "But there is account lockout!" right about now. There is, and avoiding that is part of the technique.
Account lockout is a mechanism designed to prevent password guessing attacks by disabling login for an account after a number of failed login attempts. For instance, after three failures, the account would be locked and the user could not get in. In the old days, the lockout was permanent and required a manual reset. That used lots of help desk resources, so now the lockout is commonly for a specific time, say thirty to sixty minutes. The number of failed attempts allowed is typically set between three and ten.
Tools for password spraying take lockout into account. They require some information about the lockout policy including how many authentication failures in what time period triggers a lockout. That way they can avoid being locked out during password checking attempts.
The seeming increase in the use of password spraying by attackers, along with the tools being readily available, should put another nail in the coffin of using passwords by themselves. Sites really need to be proactive and start using two-factor authentication (2FA). If you want to learn more about authentication, passwords, password alternatives, and two-factor authentication, check out Learning Tree's System and Network Security Introduction.
To your safe computing,
John McDermott
