Password Spraying and Credential Stuffing: Developing Active Defense

Microsoft Active Directory (AD) is ubiquitous across the corporate landscape; you probably use it to authorize access at almost every level. Due to its popularity and importance, AD is a perfect target for cyber attacks.

Hackers frequently use password spraying and credential stuffing as attack methods, especially against AD. With many traditional password ‘best practices’ being outdated, are you prepared to take an active stance of defense? 

Attack Methods 

Whether we look at offline or online attacks, hackers have honed techniques that are far more effective than plain brute force, and these techniques follow three steps. First, they identify the set of candidate passwords for the targeted accounts. Second, they determine the lockout policy, which governs the rate at which they can safely guess passwords. Third, they determine the existing password policy so they can tailor their attack to it.

One rudimentary technique that follows the pattern above is called Password Spraying. In this attack method, a hacker identifies a small number of common passwords and tries them against a large number of accounts. During this attack, hackers want to stay below the lockout radar. If they know the lockout policy, they can dial back the guessing rate so they stay undetected and never trigger an account lockout.

Credential Stuffing is another way that hackers have recently been testing the effectiveness of corporate security. This method leverages the unfortunate reality that individuals tend to reuse the same favorite password across systems, and across the boundary between consumer/personal and business/professional accounts. Credential stuffing involves taking a large list of username and password combinations (usually from a previous breach) and ‘stuffing’ them into other login forms.

So What?

While these attack methods are major threats in and of themselves, the other more basic problem is that personal passwords are getting reused on employee accounts, which are often linkable to the company Active Directory. A study by Microsoft found that 73% of users duplicate their passwords on both personal and work accounts. 

Even if your employees don’t duplicate their passwords character-for-character, they often make very small changes. Such reuse opens up a very substantial risk to your company even if you think you have good password policies at the moment. 

The Solution: Active Credential Stuffing Defense!

Once you can stomach the fact that many long-held beliefs about password policies have been shown to do more harm than good, you can move forward in developing new policies. One useful set of guidelines comes from the National Institute of Standards and Technology (NIST).

The most recent NIST guidelines are desirable to users and companies alike because they increase security, improve usability for employees, and benefit your company budget. The NIST guidelines specify that users’ passwords should be compared against commonly used and compromised passwords, but you also need to be able to detect and respond to newly compromised passwords. 

Enzoic has architected a pattern of credential stuffing defense in AD for both situations.

Enzoic for Active Directory screens passwords in real time as they are being created, regardless of where they are being created. This allows you to catch passwords that have already been compromised and keep them out of your network.

You also want to defend against passwords that become vulnerable while in use—i.e., if they are stolen. Enzoic applies the same check to in-use passwords, daily, against updated blacklists. Enzoic stays on top of data breaches and cracking dictionaries to collect exposed credentials, because as soon as one of your passwords appears in any breach, you need a way to get it out of AD.

If an in-use password does become compromised, Enzoic can help your department set up for the next steps. You can force a password change, delay access to the account, notify the affected user and administrative team, or proceed to handle it in whichever way you like. 
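The screen-at-creation and daily-recheck pattern described above, as an added example that is not Enzoic's code: a candidate password is hashed and compared against a compromised-password blacklist (and against a normalized stem, to catch the trivial variants employees make), and stored hashes are re-checked once the blacklist has been refreshed. The blacklist contents, the SHA-1 storage format and the response action are constructed assumptions for this example.

```python
import hashlib
import re

# Constructed sample blacklist for this example: a few passwords assumed to
# have appeared in breach dumps or cracking dictionaries. A real deployment
# loads a large feed that is refreshed several times a day.
BREACHED_PASSWORDS = ["Password1", "Summer2019", "Welcome123", "qwerty"]

def sha1_hex(text):
    """Hash a password so the blacklist never holds plaintext (assumed format)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def normalize(password):
    """Collapse the small edits users make when 'changing' a password:
    case plus trailing digits/symbols, e.g. 'Summer2019!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()

def build_blacklist(plaintexts):
    """Keep hashes of both the exact password and its normalized stem so
    near-duplicates of a breached password are rejected as well."""
    exact = {sha1_hex(p) for p in plaintexts}
    stems = {sha1_hex(normalize(p)) for p in plaintexts if normalize(p)}
    return exact, stems

def screen_password(candidate, exact, stems):
    """Creation-time check. Returns (accepted, reason)."""
    if len(candidate) < 8:  # NIST SP 800-63B minimum length
        return False, "too short"
    if sha1_hex(candidate) in exact:
        return False, "known compromised password"
    if sha1_hex(normalize(candidate)) in stems:
        return False, "trivial variant of a compromised password"
    return True, "ok"

def recheck_in_use(accounts, exact):
    """Daily re-check of already-stored hashes against the refreshed blacklist.
    Returns each newly exposed account with a (constructed) response action."""
    exposed = [user for user, h in accounts.items() if h in exact]
    return {user: "force_password_change" for user in exposed}

if __name__ == "__main__":
    exact, stems = build_blacklist(BREACHED_PASSWORDS)
    for pw in ["Summer2020!", "Tr0ub4dor&3", "Password1", "Welcome123!"]:
        print(pw, screen_password(pw, exact, stems))
    # Constructed directory: hashes stored before "Welcome123" was known breached.
    accounts = {"alice": sha1_hex("Welcome123"), "bob": sha1_hex("Tr0ub4dor&3")}
    print(recheck_in_use(accounts, exact))
```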

Enzoic is changing the standard of security within the industry marketplace. Blacklists need to be continuously updated with exposed passwords, cracking dictionaries, and data breaches of all sizes. While you could find a blacklist of some kind and length anywhere on the internet, Enzoic’s database is extensive, tailorable, and updated multiple times a day by proprietary technology as well as with the help of cybersecurity professionals.

For more details on protecting Active Directory, read the E-Book for IT Professionals, “Prevent Password Reuse and Harvested Password Attacks”.