How to Prevent Password Spraying Attacks
Bad cyber actors are what the kids these days would call “try hards.” They do everything they can think of to get into your accounts. One tactic is password spraying. In case you don’t know about it, this article gives the basics and shares strategies to prevent this type of attack.
You’re probably familiar with hackers trying many different password combinations with the username. Web security services know about this form of attack, too. That’s why you can get locked out of your site for trying the wrong password too many times.
This brings us to password spraying. The cyber criminals have found a way to get around the-three-tries-and-you’re-out-of-luck defense. Instead of one user and many passwords, they use one password with many different usernames.
Think how easy this could be. Your company database is online for people to contact your employees. The bad actor takes email@example.com, firstname.lastname@example.org, email@example.com, and so on, or they buy a list of usernames on the Dark web. Then, they try common passwords for every one of those individuals.
“Abc123,” “123456,” and … ugh … “password” are still frequently in use worldwide as passwords. So, it’s not that much of a stretch for a hacker to be able to get in with one of these common permutations.
The brute-force attack runs through a long list of users before trying the next “wrong” password. So, by the time it has finished going through the list of users with the password “abc123”, enough time has passed to avoid lockouts, and the hacker tries another password from the user list.
What to do about password spraying
The most obvious thing? Stop using any of the passwords that appear on the most commonly used worldwide lists! Do you think no one would still be using these obvious options? In 2021, there were more than 3.5 million reported uses of the “123456” password. “Password” came in second with 1.7 million reported uses. Both take less than a second to crack.
So, prefer more complicated passwords. This doesn’t have to mean that users add seven numbers, six symbols, and three capitalized letters. The National Institute of Standards and Technology (NIST) guidelines suggest length is more important. So, users can create longer yet easier-to-remember passwords.
IT administrators can also force users to change passwords at their first login to new applications. NIST further recommends checking every new password against a breached password list.
Multifactor authentication helps, as well. This requires the user to verify themselves with access credentials and extra authentication. This might be a code sent via text to a smartphone or could involve an authentication app such as Manage by MYKI .
It’s also a good idea to segment your networks so that users access only what they need to. Limiting user access can minimize the damage done if there is a breach.
Put password best practices in place