IT Support Indianapolis 317-497-5500
IT Support Raleigh 919-890-8088
IT Support Atlanta 678-263-4770
IT Support Fairfax 703-344-7760
Request a Quote
MAR 10
How to Prevent Password Spraying Attacks

How to Prevent Password Spraying Attacks

March 10, 2022
Bad cyber actors are what the kids these days would call “try hards.” They do everything they can think of to get into your accounts. One tactic is password spraying. In case you don’t know about it, this article gives the basics and shares strategies to prevent this type of attack.rnrnYou’re probably familiar with hackers trying many different password combinations with the username. Web security services know about this form of attack, too. That’s why you can get locked out of your site for trying the wrong password too many times.rnrnThis brings us to password spraying. The cyber criminals have found a way to get around the-three-tries-and-you’re-out-of-luck defense. Instead of one user and many passwords, they use one password with many different usernames.rnrnThink how easy this could be. Your company database is online for people to contact your employees. The bad actor takes john@yourcompany.com, jane@yourcompany.com, jamal@yourcompany.com, and so on, or they buy a list of usernames on the Dark web. Then, they try common passwords for every one of those individuals.rnrn“Abc123,” “123456,” and … ugh … “password” are still frequently in use worldwide as passwords. So, it’s not that much of a stretch for a hacker to be able to get in with one of these common permutations.rnrnThe brute-force attack runs through a long list of users before trying the next “wrong” password. So, by the time it has finished going through the list of users with the password “abc123”, enough time has passed to avoid lockouts, and the hacker tries another password from the user list.rn

What to do about password spraying

rnThe most obvious thing? Stop using any of the passwords that appear on the most commonly used worldwide lists! You think no one would still be using these obvious options? In 2021, there were more than 3.5 million reported uses of the "123456" password. “Password” came in second with 1.7 million reported uses. Both take less than a second to crack.rnrnSo, prefer more complicated passwords. This doesn’t have to mean that users add seven numbers, six symbols, and three capitalized letters. The National Institute of Standards and Technology (NIST) guidelines suggest length is more important. So, users can create longer yet easier-to-remember passwords.rnrnIT administrators can also force users to change passwords at their first login to new applications. NIST further recommends checking every new password against a breached password list.rnrnMultifactor authentication helps, as well. This requires the user to verify themselves with access credentials and extra authentication. This might be a code sent via text to a smartphone or could involve an authentication app.rnrnIt’s also a good idea to segment your networks so that users access only what they need to. Limiting user access can minimize the damage done if there is a breach.rn

Put password best practices in place

rnKeep your business secure with the help of a managed service provider. We can spearhead the installation of lockout policies and other security measures. Our experts also stay current with the latest vulnerabilities to proactively protect your organization. Call us at 317-497-5500.