There’s a simple, successful tactic that many cybercriminals use to hack into your confidential information: password spraying.
Why is it successful?
Because hundreds of millions of people do not follow password best practices.
This blog will explain password spraying and provide you with steps and tips you can take to lock your data up tightly with better passwords.
Password spraying is an automated, brute-force attempt to guess the common passwords people use. Hackers feed a list of usernames into a program that cycles through candidate passwords against each account and attempts to find a match.
For instance, a spraying attack would input “cybersecurity@24by7security.com” and then try common passwords until it is locked out or succeeds.
The passwords used in the attack will be commonly used passwords (such as “password” and “123456”) or will take passwords from an already compromised site because many users reuse passwords across multiple apps and websites. The goal is to use common passwords against a large set of users. “Dictionary” attacks using words from the dictionary are also common.
Password spraying is slightly different from credential stuffing, where a known compromised username and password combination is used to gain access across multiple applications.
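As an added example (not code from the original post), here is a defender-side check that spots the pattern described above in authentication logs: one source failing against many distinct accounts while staying below the per-account lockout threshold, which is exactly what per-account lockout alone never sees. The log format, usernames and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original post). Format:
# "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>". 203.0.113.7 tries one
# password per account across many accounts (a spray); 198.51.100.2 is a
# single user mistyping twice and then logging in.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:09 OK user=erin src=203.0.113.7
2024-03-01T09:00:11 FAIL user=frank src=203.0.113.7
2024-03-01T09:01:00 FAIL user=alice src=198.51.100.2
2024-03-01T09:01:30 FAIL user=alice src=198.51.100.2
2024-03-01T09:02:00 OK user=alice src=198.51.100.2
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user[5:], src[4:]

def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_users=5, lockout_threshold=5):
    """Flag sources that fail against >= min_users distinct accounts inside
    `window` while keeping every account below `lockout_threshold` failures.
    For each flagged source also list accounts that logged in successfully
    from it, since those are the ones to review first."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, res, user, _ in evs if res == "FAIL"]
        start = 0
        for end in range(len(fails)):              # sliding time window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout_threshold:
                ok = sorted({u for _, res, u, _ in evs if res == "OK"})
                hits[src] = {"sprayed": sorted(per_user), "successes": ok}
                break
    return hits

if __name__ == "__main__":
    for src, info in detect_spraying(SAMPLE_LOG).items():
        print(src, info)
```

The single user who mistyped twice from 198.51.100.2 is not flagged, because the check keys on breadth across accounts rather than depth against one account.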
Two-factor authentication, or multi-factor authentication (MFA), prevents password spraying and makes credential stuffing much more difficult.
To be clear, two-factor authentication is the combination of two (or more) authentication factors which are:
We recommend that two-factor authentication be turned on for, at a minimum, any application that accesses confidential information such as personal health information. Doing so can help you maintain HIPAA compliance and minimize the chances of a data breach of protected health information.
MFA does require IT integration, but a risk analysis can show that the IT cost of implementing it is outweighed by the benefits, especially in heavily regulated and frequently targeted industries such as healthcare and finance.
Employees continue to use simple passwords that are easily hacked. The UK’s National Cyber Security Centre (NCSC) released a survey in 2019 revealing the 10 most commonly hacked passwords. The top 3 were “123456”, “123456789”, and “qwerty.” Sports team names, common names, fictional characters, and musicians were also common passwords that were hacked.
Here are three recommendations to tighten your security via stronger password management.
Passphrases are more secure than passwords. They are harder to guess, and because password crackers stop being effective beyond 10 characters, they are, at least currently, very difficult to crack with brute force. A passphrase (avoid common phrases, song lyrics, and famous quotations) is often easier to remember than a strong password. Remembering something like “Why did I buy Purina for my boxer instead of Iams” is much easier than remembering “6&8Bullz$?!?&”.
A passphrase can contain spaces. Passphrases are longer than passwords and can satisfy many of the same complexity requirements, such as punctuation, upper- and lower-case letters, symbols, and numbers. Major operating systems such as Windows, Linux, and Mac allow passphrases up to 127 characters long.
Here are a few tips for basic password hygiene to keep your passwords secure:
You can read more tips about setting passwords in our post, Unpacking the NIST Password Requirements in 2019.
Don’t forget to train employees! Help your employees be a strong first line of defense against password spraying (and other common hacking attempts like phishing) with regular cybersecurity training, including tips for password hygiene like those discussed in this post.
Finally, enforce your password policies in your systems. Help users remember passwords with secure, encrypted password managers designed for businesses. Some simple steps that can easily be taken to improve password security:
Password spraying is a relatively simple and uncomplicated attack used by cybercriminals. Creating and adhering to a strong password policy will help to block many password spraying attempts, keeping your information safe and your business out of the news.