Don’t Get Hosed by Password Spray Attacks

Don't Get Hosed by Password Spray AttacksWhat’s a Password Spray Attack?

A password spray doesn’t look like a traditional attempt to brute force an individual’s password. Instead, attackers go wide, attempting a login for as many users as possible using an (unfortunately) very common password like “P@$$w0rd” or “123456.”  

It neatly circumvents most detection techniques—after all, from the point of view of the company, the attack just looks like a single failed login. Even a few users with common, insecure passwords open the organization to further attack. 

Password spray attacks are steadily growing more frequent as attackers adapt to the newest security policies and tools. In the great cycle of security, we all must in turn adapt, improving our security practices to counter these attacks. 

To that end, Microsoft recently released a post detailing their best practices for defending against password spray attacks in Azure AD and ADFS (Active Directory Federation Services). They point to four main areas where improvements in password policy or security practices can be made to deny password spray attacks. 

How to Fight a Hoser

Firstly, they recommend authenticating users in the cloud as much as possible, leaning on Microsoft’s Big Data-based security algorithms to detect and block attacks as they occur. They also point to the recently-released Attack Simulator for Office 365 Threat Intelligence to ascertain your organization’s vulnerabilities to specific attack styles. 

Setting up multi-factor authentication is another major way to stymie attackers. Microsoft strongly pushes enabling always-on multi-factor for admins, but that’s not the only option for other users. Risk-based multi-factor authentication asks users for additional information based on suspicious behavior, and Azure MFA can be used as a password-less form of authentication. 

In their discussion, Microsoft also pushes for better password health in general. Azure AD actively bans common, vulnerable passwords and the ability to customize an organization’s on-premise banned password list is functionality promised sometime this spring. Microsoft also favors several password practices that run counter to commonly held wisdom, including relaxing restrictions on password length and required character types, as well as tossing out password expirations altogether. 

Their last set of recommendations applies only to hybrid environments authenticating with ADFS and Active Directory. These include upgrading to ADFS 2016 when possible, blocking legacy authentication methods, and implementing password-less methods of authentication. 

Microsoft initially framed the post around the defense against password spray attacks, but the policies described are actually quite good for security in general. If you want to add to that and get the best way to securely and efficiently manage users on premise and in the cloud, check out Cayosoft Administrator.

Microsoft’s full post can be read here. 

Check out these relevant resources.

New Survey Finds...

Active Directory forest recovery not taken serious enough. See what else your peers had to say.