Introduction
Did you know that every time you get a new device, the first thing you should do is change all your default passwords? If you’re still using the passkeys that came with your phone, computer or any other device, then you’re putting the entire network at risk.
Default passwords are convenient to keep, but that opens the door for a hack by anyone who has purchased the same device (or knows someone that did). There’s also risk of physical theft; someone could steal your brand new tablet out of your backpack and change all the settings, or wipe the hard drive clean. Leaving default passwords active also leaves you at risk of experiencing a password spraying attack.
What is Password Spraying?
This is a common type of cyberattack that leverages numbers in their favor, as opposed to targeting a specific account. While social engineering attackers may opt to learn about a particular person and guess at their passwords, other kinds of criminals bet on quantity.
In a password spraying attack, they’ll run default passwords (or, sometimes, just go after very simple and weak passwords), against a whole bunch of users on that application. This creates a much higher chance that they’ll get into at least one account that remains loosely protected. They compile a mass list of accounts by using common email usernames, like first and last name combinations that they get off of company websites or LinkedIn. All that public information could result in disaster if you have a common password that makes you easy to hack
If you’re in software development, this is also a good reason not to give all new users the same passcode upon setup!
Effects of a Password Spraying Attack
Is this cyberattack really something to worry about? You decide: In 2020, Verizon’s Data Breach Report confirmed that 80% of hacks that lead to breaches involved what’s known as a “brute-force attack.” Password spraying is one such type.
Did you know there are more than 15B credentials for sale on the Dark Web right now? Cybercriminals can buy a list of stolen usernames to run common passwords against. The damages that then result depend on what level of security access you have at your organization. If a criminal manages to get into the CEO’s account, for example, then they could steal any number of confidential files or run ransomware attacks that cost thousands. It’s not just company files, though; password spraying works just as effectively on personal accounts and can lead to the compromise of vital financial or identifying information.
How to Protect Your Organization
Since these hackers aren’t limited to guessing default passwords, these kinds of attacks also highlight the importance of choosing hard-to-guess alphanumerical combinations as credentials. To protect yourself from password spraying attacks, take steps such as these:
- Change passwords at first log-in
- Use multi-factor authentication
- Change passwords regularly
- Lockout an account after a certain number of failed attempts
- Use CAPTCHA fields or security questions
- Limit security access on different levels of the organization
- Use encrypted passcode managers
If you have a password like Password123 or qwerty, then you’re relying on very common ones that are likely to be tried in a password spraying attack. Consider something more complex and difficult-to-guess so you don’t end up on a hacker’s list of accessible accounts.
Conclusion
It boils down to the same security practices that mitigate many different cyberattacks. Cybercriminals can be enormously savvy, but many of them are simply looking for the easiest way to access the lowest common denominator. The more you secure your account, the less likely you are to get lumped into brute force attacks that target a large number of users with what they hope are basic credentials. At the very least, you’re more likely to survive that attempted breach if it happens.
Brute force attacks are common. Protect yourself and your company from things like password spraying with secure account management practices, every day.
References
- https://owasp.org/www-community/attacks/Password_Spraying_Attack
- https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks
- https://cybernews.com/best-password-managers/most-common-passwords/
- https://auth0.com/blog/what-is-password-spraying-how-to-stop-password-spraying-attacks/
