Technological advancements have tightened the race between hackers and those trying to prevent these cyberattacks. This has led hackers to try new techniques in the hope of success. One such strategy is password spraying, which has of late become a more common practice to gain unauthorized access to computer systems. In fact, Verizon’s 2020 Data Breach Report states that 80 percent of all hacking incidents involve brute-force methods like password spraying.
This is why we will be talking in-depth about what a password spraying attack is and how you can avoid it.
What is a password spraying attack?
Password spraying attacks are a category of brute-force attacks.
Typically, in a brute-force attack, a hacker tries to gain access to a specific user’s account by trying many password combinations in a short time. Over the last few years, organizations have devised ways to thwart such brute attacks. A common solution is to lock an account after three to five unsuccessful password attempts.
To circumvent this restriction, hackers try the same password across different user accounts, hoping for a weak or compromised password.
For example, the “test1234” password is used across thousands of records in an organization, as there is a chance that one employee can use such a weak password. If it works, the hacker gains access to the system.
But even if it doesn’t, there are no alarm bells or notifications because it doesn’t trigger the conditions for an account lockout. If this password doesn’t work across all the accounts, a different password is tried after some time in the hope that it will give access to the system.
This attack is often used in single sign-on and cloud-based services and applications that depend on federated logins.
Choosing a password
Now you may wonder how hackers choose a specific combination of passwords?
Well, the answer lies in user behavior tracked across social media and past breaches. For example, it is common for people to choose passwords that are a combination of their name and date of birth. For example, if a person is John Galt and he was born on October 12, there’s a good chance that his password is “John1012” or “galt1012.” This is because people tend to choose passwords that are easy to remember.
Also, people tend to reuse passwords across services because it is extremely difficult to remember a new password for every application. Do you know that an average person reuses every password 14 times and at least 60% of users reuse passwords across different sites?
This means knowing one compromised password is enough to get into the networks of other organizations too!
This is why password spraying is a big concern for individuals and pretty much every organization because any user can be reusing a compromised password.
So, how can an individual and an organization protect themselves from password spraying attacks?
How to avoid password spraying attacks?
Awareness and education are the first steps to prevent a password spraying attack.
Both individuals and organizations must be aware of the modus operandi of these attacks to prevent hackers from gaining access to sensitive data. At the outset, awareness about the impact of using weak passwords and reusing the same password across sites should be spread to everyone.
With this awareness, here are some things that individuals and organizations can do to thwart password spraying attacks.
How can individuals prevent password spraying attacks?
As a user, you can do the following to prevent these cyberattacks on your personal data.
- Enable multifactor authentication wherever possible for extra security.
- Use unique passwords as much as possible. This way, even if one password is compromised, you can save your personally identifiable information (PII) from hackers. While this is not easy, it’s worth your effort. Alternatively, use a password manager, so you’ll have to remember only the master password to access this tool.
- Consider using different email addresses for different tasks. For example, have separate email IDs for banking, social media, and other websites you visit for an extra security layer.
- Clear your cache, cookies, and browser history regularly. Also, turn off the “Save Password” feature on your browser.
- Never click on unknown links as they can be phishing emails.
- Choose strong passwords that don’t have any of your personal details. This will make it harder for hackers to crack your password. Most organizations have a password policy, such as including upper- and lower-case letters, numbers, and special characters, so use them well to create a strong and easy-to-remember password.
Thus, these are some things you can do to prevent password spraying attacks.
How can organizations prevent password spraying attacks?
As an organization, do the following things to prevent a password spraying incident and the resultant loss of your sensitive data.
- Mandate multifactor authentication as a prerequisite for login.
- Enforce strong passwords and keep strict password security rules, even if it is a bit cumbersome for users. Eventually, they will understand and even appreciate the extra efforts you take towards protecting their data.
- Review your security policies and password management process frequently and make the necessary changes.
- Conduct education and awareness sessions for both employees and users when possible.
- Train your employees on password policy compliance and instill the importance of using strong and unique passwords at work.
- Provide the necessary documentation for your IT and helpdesk teams to handle a possible breach.
- Use advanced technologies to detect password spraying attacks within your organization, so you can take the necessary steps to mitigate them.
- Be on the lookout for sudden login spikes as these indicate that hackers are reusing the same password for multiple user accounts.
- Conduct regular audits and penetration testing to check your security measures. Use red and blue team testing to improve your security.
Besides these steps, create a security system that will make it difficult for a hacker to move laterally across your internal network. Also, put measures in place to prevent hackers from accessing other user accounts of your organization.
A combination of all these measures and prudence by your employees and users can prevent these attacks.
Password spraying attacks are preventable and occur because of user behavior and lax organizational security policies. With due diligence and understanding, these attacks can be averted.
What are your suggestions to deal with password spraying attacks? Please let us know your thoughts.
Featured image: Shutterstock