What is a password spraying attack, and how can you protect your business from one?

The most common way passwords are compromised is through brute force attacks. This is where cybercriminals attempt to infiltrate an account by guessing both common and random password combinations. However, more and more cybercriminals are now using password spraying to gain access to their victims' accounts. But what is it exactly, and what are its dangers to businesses? Let’s take a look.

What is a password spraying attack?

Password spraying is a type of brute force attack where cybercriminals attempt to access a large number of accounts using commonly used passwords.

How does a password spraying attack work?

Before starting a password spraying attack, cybercriminals often buy a list of usernames stolen from other organizations on the dark web. They can also build their own list using the patterns that company email addresses follow (e.g., firstname.lastname@examplebusiness.com) along with a list of people who work at that company (from LinkedIn, for instance).

Then, cybercriminals procure a list of common passwords by looking up yearly security reports and studies. Attackers can also build a list of common passwords based on regional trends, commonly used phrases, and other contextual clues. For instance, if an organization is located in New York, they could try variations of “Knicks” or “Yankees,” or anything related to these teams or the city itself.

Once a cybercriminal has a list of usernames and passwords, they will try to find a combination that works. They will do this using an automated system that tries one password against every user and then repeats the process with the next password. Because each account receives only one failed attempt per pass, the attacker stays under account lockout thresholds and under IP address blockers that restrict repeated login attempts.
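The "one password against every user" pattern is exactly what a per-account lockout policy cannot see, but it stands out when failed logins are grouped by source address instead. The script below is an added illustration, not code from the original article: it parses a small constructed authentication log (the line format, thresholds and IP addresses are assumptions for this example), flags any source whose failures within a ten-minute window touch many distinct accounts with only one or two attempts each, and then lists successful logins from a flagged source, which is the first thing an incident responder would want to investigate.

```python
"""Detect the password-spraying pattern in authentication logs.

Added example (not the article's code). The article describes one password
tried against many accounts, so each account sees only a few failures while
a single source touches many distinct accounts. Per-account lockouts miss
this shape; grouping failures by source over a time window exposes it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
# <ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:11 FAIL user=frank src=203.0.113.7
2024-03-01T09:00:13 SUCCESS user=grace src=203.0.113.7
2024-03-01T09:01:00 FAIL user=alice src=198.51.100.4
2024-03-01T09:01:02 FAIL user=alice src=198.51.100.4
2024-03-01T09:01:04 SUCCESS user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn log text into (timestamp, result, user, src) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def find_spray_sources(events, window=timedelta(minutes=10),
                       min_accounts=5, max_per_account=2):
    """Return {src: sorted targeted users} for sources whose failures inside
    `window` hit at least `min_accounts` distinct accounts with no more than
    `max_per_account` failures each (the low-and-slow spray shape).
    Thresholds are assumptions for this example; tune them to your volume.
    """
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    flagged = {}
    for src, items in failures.items():
        items.sort()
        # slide a window over this source's failures, oldest first
        for i, (start, _) in enumerate(items):
            per_user = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged[src] = sorted(per_user)
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Successful logins from a flagged source: the accounts to check first."""
    return [(ts.isoformat(), user, src) for ts, result, user, src in events
            if result == "SUCCESS" and src in flagged]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_spray_sources(evs)
    for src, users in hits.items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
    for row in successes_from_flagged(evs, hits):
        print("successful login from flagged source:", row)
```

In the sample, 203.0.113.7 fails once against six different accounts and is flagged, while 198.51.100.4 fails twice against one account (an ordinary mistyped password) and is not. The same grouping works on real identity-provider sign-in logs once the parser is adapted to their format.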

What dangers do password spraying attacks pose to your business?

The risks of a password spraying attack depend on the role of the employee whose account was compromised. For instance, if the breached account belongs to an end user, their sensitive information could be used for identity theft. But if the account belongs to an IT administrator, a cybercriminal could steal business-critical information, which can result in operational downtime and reputational damage.

Password spraying is a common method that cybercriminals use to gain unauthorized access to computer systems. In fact, according to Verizon, more than 80% of all hacking-related breaches involved brute-force methods like password spraying. Your business therefore faces a high risk of suffering such an attack in the future.

What steps can you take to protect your business from password spraying attacks?

Here’s what you can do to minimize the risk of such attacks affecting your business:

1. Perform a penetration test

A penetration test is an authorized simulated cyberattack on a computer system that is conducted to evaluate the system’s security. An automated penetration testing tool can be used to run password attacks. For example, you can simulate a password spraying scenario to see which of your machines are sharing credentials. This gives you time to update passwords and avoid a password spraying attack.

2. Implement multifactor authentication (MFA)

MFA requires users to provide additional authentication factors aside from a username and password. This could be a physical key, one-time code, or a fingerprint or facial scan. Once MFA is enabled, attackers won't be able to access accounts unless they provide the other authentication factors.

3. Force users to change passwords on first login

Immediately changing factory default passwords will mitigate the risk of cybercriminals using commonly used passwords to breach those accounts. Have your employees create strong passwords that cannot be easily guessed, such as passphrases. If they find it difficult to create one, you can deploy a password manager. Password managers can store and generate strong passwords, reducing the risk of cybercriminals infiltrating user accounts.
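A password that appears on a published common-password list, or is a lightly decorated variant of one (the "Yankees2024!" style mentioned earlier), is precisely what a spray list contains, so a password policy should reject it at the moment the user sets it. The check below is an added example, not code from the article or from any particular product: the deny list is a small constructed stand-in for a real published list, and the normalization rules (lower-casing, stripping trailing digits and symbols, undoing common letter-for-digit substitutions) are assumptions chosen for the illustration.

```python
"""Reject passwords that a spray list would contain.

Added example (not the article's code). Beyond exact matches, the check
strips the decorations users typically add to a banned word (capital first
letter, a year or punctuation at the end, simple letter-to-digit swaps) so
that "Yankees2024!" is treated as the banned word "yankees". Long
passphrases that are not on the list pass.
"""
import re

# Constructed deny list for this example; load a published list in practice.
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "summer", "qwerty",
    "yankees", "knicks", "companyname",
}

# Common substitutions users make to "strengthen" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Lower-case, drop trailing digits/symbols, undo letter-for-digit swaps."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def check_password(pw, denylist=COMMON_PASSWORDS, min_length=14):
    """Return None if the password is acceptable, else a short reason."""
    if pw.lower() in denylist or normalize(pw) in denylist:
        return "variant of a commonly used password"
    if len(pw) < min_length:
        return f"shorter than {min_length} characters"
    return None


if __name__ == "__main__":
    for candidate in ("Yankees2024!", "P@ssw0rd1!", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The deny-list check runs before the length check on purpose: a long password built from a banned word plus a year is still a banned word to an attacker who generates exactly those variations.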

You can also partner with a dependable managed IT services provider like NetQuest. We will protect your Baltimore, Annapolis, or Towson business 24/7/365 from hackers and online threats. We will also help you identify weak spots in your infrastructure and find ways to bolster them. Request a risk-free audit from us today.

