Hackers are constantly trying to break into company systems to steal data. One way they do this is a method known as the password spraying attack. It is a variant of a brute force attack, in which the attacker tries to gain access to an account by repeatedly guessing the password.
The attacker will even do research, going to extreme measures and sifting through your personal and family data to guess a password. They also attempt to sign in using the same password across many accounts before moving on to the next user's account.
So, what measures can a company take to protect itself from a password spraying attack? Let’s have a look…
Effective password guidelines
This is most businesses’ simplest and most powerful security tool. Using strong passwords with at least 10 characters (including upper and lower case letters, numbers, and special characters), preferably 12 or more, means a brute force attack would take years instead of weeks. For instance, “Y%Xx1YFX2R@i” is much stronger than “Snoopy123456” even though it’s just as long. Don’t reuse the same password for multiple accounts. Once a hacker has the email and password for one of your accounts, they will almost immediately try logging into other sites like banks, Amazon and Netflix to see what else they can access. Lastly, using a password manager (LastPass, Dashlane, etc.) protected by a very strong master password (20 characters minimum) to track your passwords is much safer than keeping an Excel sheet on your desktop with all of your credentials.
Implement multi-factor authentication
Multi-factor authentication is a form of two-factor authentication that combines something you know (a password) with a secondary form of authentication (a YubiKey hardware token, biometric recognition, an SMS code, a mobile app). It makes it difficult for attackers to access the company’s data because even if they know the password, they will not have the required secondary authenticator.
Use breached password protection
Breached password protection is a necessary step to safeguard passwords. Attackers may use previously breached passwords to break into new accounts, because they know that people tend to think alike: end users fall into the same patterns and choose identical passwords.
Implementing this defense means the company scans for passwords that may already appear in breach lists. Third-party tools can scan Active Directory passwords and compare them against known compromised credentials. You can also use a service like www.haveibeenpwned.com to see whether your email address has appeared in a breach, possibly alongside password information.
Enforce account lockout policies
As mentioned previously, the attacker will keep trying passwords until they hit the correct one. To stop this from helping the attacker, companies can configure a limit on failed password attempts. They can also lock the account for a set period of time (lockout coverage). Account lockout policies are an excellent defense against any brute force attack.
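The spraying pattern described at the top of the article (one password tried across many accounts) and the lockout policy described here, as an added example that is not part of the original post: a per-account lockout check beside a per-source check that counts distinct accounts hit. The log format and all log lines are constructed for the example; the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, result, user, source IP.
# The first source tries one guess against five different accounts; the second hammers one account.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL alice 203.0.113.7
2024-03-01T09:00:03Z FAIL bob 203.0.113.7
2024-03-01T09:00:05Z FAIL carol 203.0.113.7
2024-03-01T09:00:07Z FAIL dave 203.0.113.7
2024-03-01T09:00:09Z FAIL erin 203.0.113.7
2024-03-01T09:05:00Z FAIL alice 198.51.100.2
2024-03-01T09:05:20Z FAIL alice 198.51.100.2
2024-03-01T09:05:40Z FAIL alice 198.51.100.2
2024-03-01T09:06:00Z FAIL alice 198.51.100.2
"""

def parse(log):
    """Split each log line into (timestamp, result, user, ip)."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), res, user, ip)
            for ts, res, user, ip in (line.split() for line in log.splitlines())]

def _failed_by(events, key_idx, val_idx):
    """Group FAIL events by one field (user or ip) as lists of (timestamp, other field)."""
    groups = defaultdict(list)
    for ev in events:
        if ev[1] == "FAIL":
            groups[ev[key_idx]].append((ev[0], ev[val_idx]))
    return groups

def _max_in_window(fails, window, distinct):
    """Most failures (or most distinct values) seen in any `window` starting at a failure."""
    fails = sorted(fails)
    best = 0
    for i, (t0, _) in enumerate(fails):
        hits = [v for t, v in fails[i:] if t - t0 <= window]
        best = max(best, len(set(hits)) if distinct else len(hits))
    return best

def locked_accounts(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts a lockout policy would lock: `threshold` failures within `window`."""
    return sorted(u for u, f in _failed_by(events, 2, 3).items()
                  if _max_in_window(f, window, False) >= threshold)

def spray_sources(events, min_accounts=5, window=timedelta(minutes=5)):
    """Sources whose failures hit at least `min_accounts` distinct accounts within `window`."""
    return sorted(ip for ip, f in _failed_by(events, 3, 2).items()
                  if _max_in_window(f, window, True) >= min_accounts)
```

On the sample log, the lockout check catches only alice (the single hammered account) while every sprayed account stays below the threshold with one failure each; the per-source check is what flags 203.0.113.7.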
Consider passwordless authentication
Passwordless authentication eliminates the risk of a password breach altogether, instead authenticating users via biometrics, an SMS message verifying possession of a device, a magic link that verifies ownership of an email account, and so on. Experts believe that passwordless authentication is the future of authentication because it eliminates the risk of attacks like password spraying. OneLogin, Keyless.io, and 1Password are a few vendors that provide these authentication services and software.
Password spraying attacks are a serious risk for organizations. Implementing some basic measures in your company can help protect you from data breaches and any associated fallout. Reach out to Regala Consulting today for help with your security needs.