Preventing password spraying attacks

Have you ever been locked out of an account for entering an incorrect password too many times? That happens because account lockout policies are designed to stop cybercriminals from getting into your accounts by trying password after password until one works. However, cybercriminals have found a way around this defence mechanism. Instead of trying one username with many passwords, they try one password against many different usernames. This is called password spraying.

This is actually fairly easy to do. If your company's staff directory is online so that people can contact your employees, the attacker simply takes annie@yourcompany.com, ben@yourcompany.com, carmen@yourcompany.com, and so on, or buys a list of usernames on the dark web, and then tries the most common passwords against every one of those usernames. These include things like “Abc123”, “123456”, “password” or “secret”.

Attackers run through the entire list of users with one password before trying the next. By the time they have finished going through the list with the first password, enough time has passed that no single account has accumulated enough failures to trigger a lockout. The attacker then tries the next password against the whole user list.

Avoiding password spraying

The most important action you can take is to stop using any of the passwords that appear on the lists of the most commonly used passwords worldwide. In 2021, there were more than 3.5 million reported uses of the "123456" password, while “Password” came in second with 1.7 million reported uses. Both of these take less than a second to crack with a password-spraying attack.

More complex passwords are better, but that doesn’t necessarily mean you need to include three capital letters, a number, two special characters and your firstborn’s birth date. According to the National Institute of Standards and Technology (NIST) guideline, length is the most important factor.

NIST also recommends checking every new password against a list of passwords known to have been exposed in breaches. We’d suggest implementing multi-factor authentication (MFA), forcing users to change passwords at their first login to a new application, and applying least privilege so that users only have access to what they need.
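The two NIST points above, length before composition rules and a check against known-breached passwords, are simple to enforce at the point where a password is set. The Python function below is an added example, not code from the original post or from NIST; it accepts or rejects a candidate password using a minimum length, a breached/common password list (a constructed stand-in for a real breach corpus) and a check for context-specific words such as the username or company name, without demanding uppercase letters, digits or symbols. The minimum and maximum lengths, the blocklist contents and the company name are assumptions for the example.

```python
import unicodedata

# Constructed stand-in for a breached/common password list. A real
# deployment would consult a large corpus (tens of millions of entries),
# but the lookup logic is the same.
COMMON_PASSWORDS = {
    "123456", "password", "abc123", "secret", "qwerty", "letmein",
    "welcome1", "iloveyou", "admin123", "password1",
}

MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64  # generous upper bound so passphrases are not rejected


def normalize(password):
    """Unicode-normalize and lowercase so 'PassWord' and 'password' match
    the same blocklist entry (attackers try obvious case variants too)."""
    return unicodedata.normalize("NFKC", password).casefold()


def check_password(candidate, username, company="yourcompany"):
    """Return (accepted, reason). Length is checked first, then the
    breached/common list, then context-specific words. No composition
    rule (uppercase, digit, symbol) is applied."""
    if len(candidate) < MIN_LENGTH:
        return False, f"too short: fewer than {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return False, f"too long: more than {MAX_LENGTH} characters"

    normalized = normalize(candidate)
    if normalized in COMMON_PASSWORDS:
        return False, "appears on the common/breached password list"

    # Strip the separators that people commonly add around a blocklisted
    # word ("password!!", "password-1") and re-check the core word.
    core = normalized.strip("!@#$%^&*()-_=+.,;:'\"0123456789 ")
    if core in COMMON_PASSWORDS:
        return False, "is a trivial variant of a common password"

    for word in (username, company):
        if word and normalize(word) in normalized:
            return False, f"contains the context-specific word '{word}'"

    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates illustrating each branch.
    for pw, user in [("123456", "annie"), ("Password", "ben"),
                     ("password!!1", "carmen"), ("annie-loves-cats", "annie"),
                     ("correct horse battery staple", "dave")]:
        ok, why = check_password(pw, user)
        print(f"{pw!r:35} -> {'OK ' if ok else 'NO '} {why}")
```

Note that the long, all-lowercase passphrase is accepted while the short mixed-case "Password" is not, which is the NIST position the post summarizes: length and absence from breach lists matter, arbitrary character-class rules do not. The `core` check is a deliberate extra: most sprayed passwords in the wild are the common words with a digit or punctuation appended, so matching the bare word catches them without maintaining every variant in the list.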

You can also work with your managed services provider to improve your security measures, from lockout policies to protection against current scams and security vulnerabilities.

Get in touch to find out how Numata can assist in implementing a comprehensive approach to cybersecurity to protect your people, your profit and your digital assets. 
