Protecting yourself against password spraying

Password Spraying hits Citrix

Today Citrix announced that it has concluded its investigation into a cyber security incident where cyber criminals were able to gain access to their internal network and exfiltrate confidential company information. Citrix CEO, David Henshall, outlines the incident and the company’s response in his blog.

Interestingly, the investigation found that the incident started with a “Password Spray” attack. So what is password spraying and how can you protect yourself against this method of attack?

Password Spraying Targets

Password spraying is an opportunistic method of attack that takes commonly used passwords and tries to use them to access a large number of accounts. The vast majority of attempts will fail, but a successful attack will eventually stumble across an account with a weak password. Once the account credentials have been compromised the attacker will expand their attack to other systems.

Cloud-based services, such as email, are the primary target for password spraying since these services are typically accessible from anywhere 24/7.

How Password Spray Attacks Avoid Detection

Brute force and dictionary-based password attacks are not effective for cloud-based systems because they try to compromise one account at a time using a large list of passwords. The high volume of failed logins within a short period is easy to detect and can trigger automatic protection of the account being attacked. Protection mechanisms, such as blocking IP addresses or locking accounts limits the effectiveness of these attacks.

Conversely, password spraying works by using a relatively small number of commonly used passwords (e.g. ‘password123’) to access a large number of accounts. If a login attempt is unsuccessful, the attack moves on to the next account and tries the password again.

With password spraying, each failed attempt looks just like the user mistyped their password once, so no alarms are raised. The account may be attacked again at a later stage using another password, but the time between attempts is long enough to avoid detection.

How to mitigate the risk in your organisation

Here are some of the best options to minimise the possibility of your organisation becoming the victim of a password spray attack:

  • Audit your user accounts against a password blacklist regularly to ensure that weak passwords are quickly identified.

  • Provide users with a password manager to randomly generate and store unique passwords for different systems.

  • Enforce a password blacklist to prevent users from using known weak passwords.

  • Enable multi-factor authentication on all systems that can be authenticated over the internet.

Getting Help

Magnitude 8 can help you assess the risk of password sprays, and other cyber security attacks, to your organisation. Be sure to get contact us for advice and assistance to protect yourself against cyber attacks.


Domenic has consulted to Australian businesses of all sizes for over 20 years, delivering end-to-end IT solutions.  He has expertise in Information Security, Remote Access and Desktop Management, in addition to traditional cloud and on-premises infrastructure solutions.