Password Spraying

We are regularly reminded of the importance of having a strong, secure password. Nobody wants an attacker to be able to easily guess what their password is. But how important is it that everyone in your organisation has a strong password?

Let’s first look at how cyber criminals ‘guess’ passwords. One way of doing this is a brute force attack: the criminal picks a target user and tries as many password combinations as possible until the right one is found. Many companies and organisations now implement a ‘lockout’ policy, meaning that if an incorrect password is entered a set number of times, the account is locked until the password is reset. This certainly helps to thwart attackers: if they cannot guess the correct password within the set limit, they have to move on to the next target.

So, is a lockout policy the best way to prevent unauthorised access to accounts on your network? It definitely helps, but it is not a silver bullet that will keep your network safe.

An increasingly common method used by attackers is called ‘password spraying’. This is a technique where the attacker tries a small number of common passwords against a large number of user accounts, in the hope that at least one of those users has chosen a weak password. Consider the following example:

The attacker tries the same password against every user. To the system it simply looks as if each user has attempted to log in once and entered the wrong password, so no account comes anywhere near the lockout threshold. The attacker may then wait a period of time before moving on to the second common password. This is in the hope that the failed attempt will have been cleared by then, either because the lockout observation window has expired or because the real user has logged in successfully and reset the failed-login counter.
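The following simulation is an added example and is not part of the original article. It models a directory with an assumed lockout policy (threshold of 5 failures, counter reset after a 30-minute observation window, successful login clears the counter), runs a brute force attack against one account and a password spray across twenty constructed accounts, and then applies the detection logic a defender would want: a single source failing against many distinct usernames in one window while no individual account collects more than a couple of failures. All usernames, passwords and addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed lockout policy (constructed for the example; mirrors the common Windows
# settings "account lockout threshold" and "reset account lockout counter after").
LOCKOUT_THRESHOLD = 5          # failed attempts that trigger a lockout
OBSERVATION_WINDOW = 30 * 60   # seconds; failures older than this no longer count

# Constructed "common password" list; real attacker lists run to millions of entries.
COMMON_PASSWORDS = ["Password1", "Welcome1", "Summer2019", "Changeme1"]


@dataclass
class Account:
    username: str
    password: str
    failures: deque = field(default_factory=deque)   # timestamps of recent failures
    locked: bool = False


class AuthService:
    """Toy directory: enforces the lockout policy and keeps an audit log of every attempt."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.log = []   # (timestamp, source_ip, username, outcome)

    def login(self, now, source_ip, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            outcome = "failure"
        elif acct.locked:
            outcome = "locked"   # stays locked until reset, as the article describes
        else:
            # Failures outside the observation window no longer count towards lockout.
            while acct.failures and now - acct.failures[0] > OBSERVATION_WINDOW:
                acct.failures.popleft()
            if password == acct.password:
                acct.failures.clear()   # a successful login resets the bad-password count
                outcome = "success"
            else:
                acct.failures.append(now)
                outcome = "failure"
                if len(acct.failures) >= LOCKOUT_THRESHOLD:
                    acct.locked = True
        self.log.append((now, source_ip, username, outcome))
        return outcome


def brute_force(svc, source_ip, username, guesses, start=0):
    """Many guesses against one account: the lockout policy stops this after THRESHOLD failures."""
    return [svc.login(start + i, source_ip, username, g) for i, g in enumerate(guesses)]


def spray(svc, source_ip, usernames, passwords, start=0, pause=OBSERVATION_WINDOW + 1):
    """One password against every account, then wait for the observation window to
    expire before the next password, so no single account ever reaches the threshold."""
    found, t = {}, start
    for pw in passwords:
        for user in usernames:
            if svc.login(t, source_ip, user, pw) == "success":
                found[user] = pw
            t += 1
        t += pause
    return found


def detect_spray(log, window=OBSERVATION_WINDOW, min_users=10, max_per_user=2):
    """Spray signature: one source fails against many distinct usernames inside one
    window while no individual account collects more than a couple of failures."""
    buckets = defaultdict(lambda: defaultdict(int))   # (source, window) -> user -> failures
    for ts, src, user, outcome in log:
        if outcome == "failure":
            buckets[(src, ts // window)][user] += 1
    return [(src, b * window, len(per_user))
            for (src, b), per_user in buckets.items()
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user]


def run_demo():
    users = [f"user{i:02d}" for i in range(1, 21)]            # 20 constructed accounts
    accounts = [Account(u, f"Str0ng!{u}-x9Q") for u in users]
    accounts[6].password = "Summer2019"                       # user07 chose a common password
    svc = AuthService(accounts)

    bf = brute_force(svc, "10.0.0.5", "user01", COMMON_PASSWORDS + ["letmein", "qwerty1"])
    sprayed = spray(svc, "198.51.100.7", users, COMMON_PASSWORDS, start=10_000)
    return {
        "brute_force": bf,                 # ['failure'] * 5 then 'locked'
        "sprayed": sprayed,                # {'user07': 'Summer2019'}
        "locked": sorted(u for u, a in svc.accounts.items() if a.locked),   # ['user01']
        "alerts": detect_spray(svc.log),   # four windows flagged, all from 198.51.100.7
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The brute force locks user01 after five guesses and never gets in; the spray never locks anyone, finds user07's common password, and is only visible by correlating failures across accounts per source, which is why monitoring should count distinct usernames per source and not just failures per account.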

99% of the users on a network can have good, long, complex passwords, but if one person has a weak, easily guessed password then the attacker has access to your network. Attackers have long lists of commonly used passwords to draw on for this type of attack. They also use customised dictionaries of commonly used words and combinations of words, with symbols substituted for letters. I have even heard stories of attackers using word lists that contain commonly used local dialect words.

Imagine for a minute that when a new user is set up, or when someone forgets their password, the IT department uses a standard one-time password that needs to be changed at first login. What if an attacker knew this standard one-time password? They could run an attack like this, hoping to find the one account whose password has not yet been changed. Sure, some luck and good timing might be involved for the attacker, but in a particularly large organisation it won’t be long before they hit the jackpot.

The National Cyber Security Centre conducted research to assess vulnerable passwords. This study revealed that 75% of the participating organisations had users whose passwords featured in the top 1,000 most common passwords, and 85% had passwords that were in the top 10,000. This data suggests that a persistent attacker would have some success against the majority of these organisations.
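The following is an added example, not code from the article or from the NCSC study. It shows how the customised dictionaries described earlier are built (base words expanded with symbol-for-letter substitutions, capitalisation and common suffixes) and then turns the same list around as the check a defender wants: a blocklist for new passwords and an audit of which existing accounts an attacker's list would hit. The seed words, substitution table, suffixes and sample accounts are all constructed; a real attacker's list would be far larger, and a real audit would compare hashes of the candidates against the directory's stored hashes rather than handle plaintexts.

```python
import itertools

# Constructed seed list; an attacker would seed this from breach corpora, the company
# name, local place names and so on.
BASE_WORDS = ["password", "welcome", "summer", "glasgow"]
SUBSTITUTIONS = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["$", "5"]}
SUFFIXES = ["", "1", "!", "123", "2019", "2019!"]


def substitution_variants(word):
    """Yield every spelling of `word` with zero or more letters swapped for look-alike symbols."""
    choices = [[c] + SUBSTITUTIONS.get(c, []) for c in word.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def build_dictionary(words=BASE_WORDS, suffixes=SUFFIXES):
    """Expand each base word into its substituted, capitalised and suffixed forms."""
    candidates = set()
    for word in words:
        for variant in substitution_variants(word):
            for cased in (variant, variant[:1].upper() + variant[1:]):
                for suffix in suffixes:
                    candidates.add(cased + suffix)
    return candidates


def is_weak(password, dictionary):
    """Blocklist check for a password policy: reject anything the attacker's customised
    dictionary would produce. Exact comparison; the dictionary already holds the variants."""
    return password in dictionary


def audit(passwords_by_user, dictionary):
    """Return the users whose password the attacker's list would hit (the kind of finding
    behind the NCSC figures). Constructed plaintext input for illustration only."""
    return sorted(u for u, p in passwords_by_user.items() if is_weak(p, dictionary))


if __name__ == "__main__":
    d = build_dictionary()
    print(len(d), "candidates from", len(BASE_WORDS), "seed words")
    print(audit({"alice": "W3lcome!", "bob": "Str0ng!bob-x9Q", "carol": "Gl@$g0w123"}, d))
```

Four seed words already expand to nearly a thousand candidates, which is why a password that merely swaps letters for symbols and adds a year is not strong; a policy should reject such passwords at the point they are set, and existing accounts should be audited against the same lists attackers use.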

It is vital that everyone in an organisation understands the importance of using strong passwords for all of their accounts.

Chief Ethical Hacker Gerry Grant

For more information and advice please email


A division of the Scottish Business Resilience Centre

Oracle, Blackness Road

Springfield, Linlithgow

EH49 7LR


© Curious Frank 2019