There’s a simple, successful tactic that many cybercriminals use to hack into your confidential information: password spraying.
Why is it successful?
Because hundreds of millions of people do not follow password best practices.
This blog will explain password spraying and provide you with steps and tips you can take to lock your data up tightly with better passwords.
What Is Password Spraying?
It is an automated, brute force attempt to guess common passwords people use. Hackers will feed in usernames to a program that will cycle through and attempt to find a match.
For instance, a spraying attack would input “firstname.lastname@example.org” and then try common passwords until locked out or successful.
The passwords used in the attack will be commonly used passwords (such as “password” and “123456”) or will take passwords from an already compromised site because many users reuse passwords across multiple apps and websites. The goal is to use common passwords against a large set of users. “Dictionary” attacks using words from the dictionary are also common.
Password spraying is slightly different from credential stuffing, where a known compromised username and password combination is used to gain access across multiple applications.
A Key Defense - Two-Factor Authentication
Two-factor authentication, or multi-factor authentication (MFA), prevents password-spraying and makes credential stuffing much more difficult.
To be clear, two-factor authentication is the combination of two (or more) authentication factors which are:
- Based on knowledge (what you know) — a password, PIN, security question answer, passphrase
- Based on possession (what you have) — a smart card, a smart phone, a one-time code
- Based on biometrics (what you are) — fingerprint, voice recognition, iris scan
We recommend that two-factor identification be turned on for at least any applications that access confidential information, such as personal health information which can help you maintain HIPAA compliance and minimize the chances of a data breach of protected health information.
MFA does require IT integration. A risk analysis can reveal that the IT costs of MFA implementation can be outweighed by the benefits, especially in heavily regulated and targeted industries such as healthcare or finance.
Better Passwords = Better Defense Against Password Spraying
Employees continue to use simple passwords that are easily hacked. The UK’s National Cyber Security Centre (NCSC) released a survey in 2019 revealing the 10 most commonly hacked passwords. The top 3 were “123456”, “123456789”, and “qwerty.” Sports team names, common names, fictional characters, and musicians were also common passwords that were hacked.
Here are three recommendations to tighten your security via stronger password management.
- Every employee should create strong passwords according to your password policy. Privileged users (and executives) should have even more stringent password requirements, such as more frequent changes and using passphrases instead of passwords.
- Avoid using passwords based on personal information (birthdays or names of pets, parents, spouse, children, etc.).
- Use different passwords for different systems — especially for personal versus business use.
- Use the longest password or passphrase possible.
- Consider a password manager program.
- Avoid words that can be found in any dictionary in any language.
Consider Using Passphrases Instead of Passwords
Passphrases are more secure than passwords. They are harder to guess and password crackers stop being effective beyond 10 characters so they are, at least currently, very difficult to crack with brute force. A passphrase (avoid common phrases, song lyrics, and famous phrases) is often easier to remember than a strong password. Remember something like “Why did I buy Purina for my boxer instead of Iams” is much easier than “6&8Bullz$?!?&”.
A passphrase can contain spaces. They are longer than a password and can contain many of the same complex rules requirements such as using punctuation, upper and lower case, symbols, and numbers. Major operating systems such as Windows, Linux, and Mac allow passphrases up to 127 characters long.
Protect Your Passwords and Passphrases
Here are a few tips for basic password hygiene to keep your passwords secure:
- Be wary of allowing your computer to save passwords for various applications and websites you visit. Anyone with access can possibly access your information should your laptop be lost or stolen.
- Don’t access sensitive accounts (banking, email, any business application with access to protected information) via a public computer or public Wi-Fi.
- Log out when using a public computer, or even a shared computer at work.
- Don’t write down passwords or leave them on a sticky note on your monitor or in the top-right drawer of your desk. Remember the Hawaii Remote Management Agency’s mistake of having their password on a sticky note photographed after a false alert of a missile attack?
You can read more tips about setting passwords in our post, Unpacking the NIST Password Requirements in 2019.
Don’t forget to train employees! Help your employees be a strong first line of defense against password spraying (and other common hacking attempts like phishing) with regular cybersecurity training, including tips for password hygiene like those discussed in this post.
Finally, implement your password policies into your systems. Help users remember passwords with secure, encrypted password managers designed for businesses. Some simple steps that can easily be taken to improve password security:
- Configure minimum password lengths of 10 characters and 15 characters for passphrases
- Enable complexity requirements for both passwords and passphrases
- Reset admin passwords every 180 days
- Use strong passphrases for all domain admin accounts
Password spraying is a relatively simple and uncomplicated attack used by cybercriminals. Creating and adhering to a strong password policy will help to block many password spraying attempts, keeping your information safe and your business out of the news.