While passwords can protect our precious information, their ability to help us is limited by our ability to come up with a strong and memorable variation. Failure to create and use a secure, unique password can open your accounts up to password spraying.
Password spraying is an attack that attempts to access accounts by pairing many usernames with a few commonly used passwords. Traditional attacks involve the hacker guessing many passwords against a single user’s account, trying one after another. Typically, this method doesn’t work well, as most systems lock out a user after several unsuccessful login attempts. A more successful method for hackers is the “low-and-slow” method, where a hacker tries the same generic password (such as “123456”) against multiple accounts before moving on to a second password. To avoid locking out a user’s account through too many unsuccessful logins, hackers will typically leave a period of thirty minutes to an hour between password attempts. This methodology allows hackers to stay under the radar while still gaining access to many accounts. Citrix is just one example of a company that fell subject to password spraying this year.
How to Detect Password Spraying
Because hackers work slowly and deliberately to not trip any alarms during their attempts to access accounts, it can be hard to know if your accounts are in the middle of a password spraying attempt. Thankfully, there are key signs to look out for.
- Locked-out accounts: If your organization has a high rate of locked-out accounts, it may indicate that someone other than the employees is attempting to log in.
- IP addresses: If employees appear to be logging in from IP addresses tied to locations inconsistent with their normal locations, someone may be attempting to break into the employees’ accounts.
- Authentication velocity checks: Check how many login attempts network users generate within a certain period. If 80% or more of user logins fail within a 40-minute window, chances are someone is password spraying.
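The velocity check described above, as an added example that is not part of the original article: it groups authentication events by source address and flags a source whose sliding 40-minute window shows many distinct usernames with an 80%+ failure rate (the window and ratio come from the article; the log format, the sample entries, the five-distinct-user threshold and the function names are assumptions made here).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "timestamp user source_ip result".
# The first source tries one password against many accounts (spraying);
# the second is one user mistyping a password once (normal behaviour).
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice 203.0.113.7 FAIL
2024-03-01T09:02:00 bob 203.0.113.7 FAIL
2024-03-01T09:04:00 carol 203.0.113.7 FAIL
2024-03-01T09:06:00 dave 203.0.113.7 FAIL
2024-03-01T09:08:00 erin 203.0.113.7 SUCCESS
2024-03-01T09:10:00 frank 203.0.113.7 FAIL
2024-03-01T09:05:00 alice 198.51.100.20 SUCCESS
2024-03-01T09:07:00 alice 198.51.100.20 FAIL
2024-03-01T09:09:00 alice 198.51.100.20 SUCCESS
"""

WINDOW = timedelta(minutes=40)  # 40-minute window from the article
FAIL_RATIO = 0.8                # 80%+ failures from the article
MIN_USERS = 5                   # assumed: spraying touches many distinct accounts

def parse_log(text):
    """Parse the constructed log into (timestamp, user, ip, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return sorted(events)

def detect_spraying(events, window=WINDOW, fail_ratio=FAIL_RATIO, min_users=MIN_USERS):
    """Return {source_ip: (attempts, failures, distinct_users)} for each source
    whose sliding window meets both the distinct-user and failure-rate thresholds."""
    by_ip = defaultdict(list)
    for ts, user, ip, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            failures = sum(1 for _, _, ok in win if not ok)
            users = {u for _, u, _ in win}
            if len(users) >= min_users and failures / len(win) >= fail_ratio:
                flagged[ip] = (len(win), failures, len(users))  # keep the widest match
    return flagged
```

A per-account lockout counter never fires on the sample above, because each account sees only one attempt; the per-source view is what exposes the pattern.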
If your organization’s IT department detects any of the above, immediately change your password to a stronger, more secure one and alert your IT department.
Don’t Be A Victim
Password spraying wouldn’t be a successful tool for hackers if every organization and user had a strong password and security posture. Below are a few proactive steps that you can take to mitigate the risk of being a victim of password spraying.
- Do not provide users with reasoning for failed password entries like, “Password requires 8 or more characters” or “Email address not found.” This information can be leveraged by hackers.
- Ensure your organization utilizes multifactor authentication on all devices. This ensures that if someone is trying to pretend to be you, you will receive a push notification or text message through which you can reject the request as “unauthorized.”
- Prevent users from using easy-to-guess passwords by enforcing strict password guidelines. A good rule of thumb is to enforce all of these guidelines for employee passwords:
  - The password must have at least eight characters, one number, lowercase and uppercase characters, and at least one special character.
  - The password must not contain personal identifiers, such as the user’s social security number or birthday.
  - The password should not contain repeating or consecutive numbers.
- Enforce a company-wide training on cybersecurity awareness and the importance of strong passwords.
- Cross-reference passwords being set up against a list of commonly used passwords and ensure your systems automatically refuse them.
- Contrary to popular belief, research shows forcing employees to change their passwords frequently for no documented reason isn’t too effective. Instead, make sure employees are using strong passwords to begin with and encourage the use of an online password manager.
Protect Your Passwords
Password spraying will always be an easy method for hackers to try to get into accounts. It’s the easiest form of hacking and requires little to no experience. Users who haven’t implemented multi-factor authentication and the proper security measures are particularly vulnerable to password spraying. Take the threat of password spraying seriously and utilize the tips listed above to prevent your personal information from becoming public.
How A-LIGN Can Help
Staying vigilant, being aware of current threats and protecting yourself with the latest defense tactics are important. A-LIGN’s experience and commitment to quality can help your business achieve the cybersecurity goals it is seeking, thanks to our comprehensive suite of cybersecurity services.
Are you ready to strengthen your organization’s defenses? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity professionals.