Have you ever heard of Password Spraying? According to a recent alert from the US Department of Homeland Security, this style of brute force attack is being used increasingly against organisations in the United States and abroad, and we are already seeing Australian examples.
In this blog we will help you understand more about this cyber-attack method, how it exposes weak passwords in businesses and provide you with some best practices for defending against it.
What is password spraying?
With password spraying on the rise, it is important to first understand the difference between a traditional brute-force attack and a password spray attack.
Essentially the difference is:
- In a traditional brute-force attack, a malicious actor attempts to gain unauthorised access to a single account by repeatedly guessing the password. This can result in the targeted account being locked out, as commonly used account-lockout policies allow only a limited number of bad attempts before the account is locked. So, it’s not a very efficient attack method if account-lockout policies are enabled.
- In a password spray attack, the attacker tries one of the most common passwords across many different accounts before moving on to a second password, and so on. Because there are fewer attempts per account, this method lets the attack remain undetected by avoiding rapid or frequent account lockouts.
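As an added example (not code from the original post), the Python below shows why the per-account lockout policy described above misses a spray and what a per-source count of distinct accounts catches instead; the log format and every log line are constructed sample data.

```python
"""Added example (not from the original post): a per-account lockout policy,
as the post describes, counts failures per account, so one source trying one
password against many accounts never trips it; counting distinct accounts per
source does. The log format is assumed and all lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <FAIL|OK> user=<account> src=<ip>".
# One spray source hits 12 accounts once each; one brute-force source hits
# a single account six times; one line is a normal success.
SAMPLE_LOG = (
    [f"2024-03-01T09:{i:02d}:00 FAIL user=user{i:02d} src=203.0.113.7" for i in range(12)]
    + [f"2024-03-01T09:{i:02d}:30 FAIL user=carol src=198.51.100.9" for i in range(6)]
    + ["2024-03-01T09:05:10 OK user=alice src=192.0.2.44"]
)

def parse_line(line):
    """Split one log line into (timestamp, result, account, source)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user[5:], src[4:]

def analyze(lines, window=timedelta(minutes=30), lockout_threshold=5, spray_min_accounts=10):
    """Return (locked_accounts, spray_sources) for failures within `window`
    of the first failure.

    locked_accounts: what the per-account lockout policy sees.
    spray_sources:   sources failing against many distinct accounts while
                     every one of them stays below the lockout threshold.
    """
    fails = [f for f in map(parse_line, lines) if f[1] == "FAIL"]
    if not fails:
        return set(), set()
    start = min(f[0] for f in fails)
    per_account = defaultdict(int)  # account -> failure count
    per_source = defaultdict(set)   # source  -> distinct accounts it failed on
    for ts, _, user, src in fails:
        if ts - start <= window:
            per_account[user] += 1
            per_source[src].add(user)
    locked = {u for u, n in per_account.items() if n >= lockout_threshold}
    spray = {
        src for src, users in per_source.items()
        if len(users) >= spray_min_accounts
        and all(per_account[u] < lockout_threshold for u in users)
    }
    return locked, spray

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # ({'carol'}, {'203.0.113.7'})
```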
What are the tactics used in a password spray attack?
For attackers, this method is a numbers game – even if they get only a few successes for every thousand accounts attacked, that is enough to be effective. They typically target single sign-on (SSO) and cloud-based applications, and email applications are also commonly targeted.
Once they have access to an account, they are then able to:
- Obtain specific data from emails
- Harvest contact information
- Send out phishing links
- Expand the password spray target group
It’s time to review your company passwords and policies
As the old saying goes, ‘You’re only as strong as your weakest link’, and because people will always be the uncontrollable variable, continuing to use weak, easy-to-remember passwords means your business will be vulnerable.
Make sure you take the time to:
- Review all password policies and deter the use of easy-to-guess passwords.
- Speak to your Managed Service Provider about additional assistance and tools that can help detect and prevent password spray attacks for your business, such as those listed in this recent Microsoft blog.
- Continue to educate your staff regarding the importance of password security, and be sure to revisit our blog on how to select secure passwords, which reinforces these password fundamentals:
- The longer the better: At a minimum you should have 8 characters, but we’d recommend 12 or more.
- Complexity: Adding numbers and characters greatly increases the strength of a password, as does a combination of lower and upper case letters.
- Avoid repetition: Try to avoid creating a complex password, then incrementing it by one character each time you’re asked to change it.
- Avoid obvious words/phrases: Don’t use anything obvious like "Password1", "qwerty", "asdfjkl;", "Sarah" or "abc123". Dictionary-based brute-force attacks start with these obvious phrases.
- Don’t write it down: Don’t record your password anywhere, especially not on a post-it note on your desk!
For more help on password security, this is a great tool that rates your new password - https://howsecureismypassword.net/
How can Diamond help?
At Diamond, we take security seriously, so please contact us today if you have any questions regarding the tips above. Call us now on 1300 307 907 or complete the form below to contact our team.