What is Password Spraying & Why You Should Care

Passwords have been with us for a very long time, in fact, the computer password recently celebrated its 60th birthday, since its beginning in an MIT lab in the fall of 1961.

As we approach 2022, it is estimated that there are well over 300 billion passwords in use worldwide and almost everyone knows the basics of good password security – right?

Well maybe, maybe not, the evidence would say not, the statistics remain shocking.

Here’s just one example; Did you know that more than 23,000,000 account-holders in the UK alone use the password “123456”!

What is Password Spraying

I picked that statistic, not only because it clearly highlights how big an issue bad password security remains, but also because Forbes recently reported on a rapidly rising cyberattack type that very much relates to that statistic specifically.

That attack type is Password Spraying. So, what exactly is it?

The easiest way to explain password spraying is to compare it to a much better-known password attack type, the “Brute Force” attack.

A “brute force” attack targets a small number of accounts with a substantial volume of 'password guesses’ and is the reason why a longer password is a stronger password - it takes much (much, much) longer to cycle through every password combination for 12 characters than it does for 6 characters.

“Password Spraying” though flips this on its head and targets a huge number of accounts with a small number of “password guesses” – and as you might expect, those “guesses” are the passwords that are most used – such as our friend “123456”.

Protect yourself from Password Spraying attacks

This is a simple one – avoid those commonly used, simple passwords that are the punchlines in a million cyber security memes.

Here’s a list of the 10 most used passwords in 2021 – seriously, if you have an account anywhere that uses one of these – change it now!

• 123456
• 123456789
• qwerty
• password
• 12345
• qwerty123
• 1q2w3e
• 12345678
• 111111
• 1234567890

It really is that simple.

So, if “123456” is out, what should I use instead?

Password spraying is not the only reason to use “strong” passwords – but it is a good one all the same.

To create a “strong” password, simply follow this simple guide.

• Longer = stronger: Make your passwords at least 8 characters long, preferably even longer.
• Complexity: Your passwords should contain at least 1 uppercase, lowercase, numerical and special character.

There are other tricks, such as using a passphrase, but as long as you follow these 2 simple steps your passwords will be drastically more difficult to crack and won’t typically be included in the “guesses” used in Password Spraying type attacks.

Even better, where possible, secure your important passwords with further authentication methods, such as 2-factor authentication or biometrics, such as facial recognition, fingerprint scanning, or retinal scanning.

While much of this information may seem obvious to many, the statistics year-on-year show that it's still as relevant as it ever was.

Are you looking at cybersecurity for your organisation?

If you would like to know more about IT managed services that can drastically reduce your cybersecurity risk, get in touch with us.

• Visit our website
• Call us on 01675 466637
• Email us at [email protected]

About the author...

Julian has 2 decades of experience working as a technical sales lead for IT Managed Service Providers (MSPs) and as a Cyber Security Consultant. In a previous life he was a musical artist & a club DJ, but he can barely remember it.