Unlike traditional brute-force attacks, where many password combinations are tried against a single user, password spraying consists of trying common passwords across many accounts at once. This strategy helps attackers avoid automatic account lockouts, since no single account receives too many failed attempts.
How Does Password Spraying Work?
In an attack of this kind, cybercriminals usually start by collecting valid user accounts, such as e-mail addresses (something that, in the age of social networks and public profiles, is relatively easy). They then select a very small number of passwords and try them against all the accounts, but in a limited way, so as not to trigger lockout mechanisms that react to multiple consecutive failures.
These passwords may come from well-known password lists or from research work on the target.
The Weak Password Vulnerability
This type of attack is effective mainly because many people still use simple or predictable passwords. Despite the obvious risks, a large percentage of users still opt for easy-to-remember passwords, which makes it easier for attackers. Moreover, password management is often seen as complex and incompatible with day-to-day life, even though there are valid options for password management.
How to avoid this type of attack
The advice and measures to take are similar for most cases where passwords are involved:
- Secure password policies. There are three very important points to bear in mind here: use passwords with a minimum of complexity that include letters, numbers and symbols, change them periodically to reduce the risk of them being guessed, and avoid repeating the same password on different platforms. Be aware that each cyber-attack on large companies exposes data, including passwords.
- Multi-factor authentication (MFA). Enabling a second authentication method on all platforms that allow it is an additional barrier against this type of attack. If an attacker gets hold of a password, they would still need a second factor, such as a code sent by text message, to gain access to systems.
- Systems security. Implementing measures such as monitoring of access attempts or limits on failed attempts is indispensable in organisations, and these must be accompanied by automatic responses that minimise the impact of such attacks.
Password spraying is another of the many existing attacks and serves as a reminder that cybercriminals are always looking for new ways to evade system security measures, which is especially critical in organisations that do not take the necessary precautions.
Weak passwords and the lack of additional security measures, such as multi-factor authentication, leave many companies exposed to risks that could be easily remedied. Fostering a cyber-resilient culture within organisations is therefore crucial to address the major challenges faced in this area.