In our series on account breach types, it's time to talk about password spray attacks. While we have already dedicated time to brute-force attacks, it's worth explaining what password spray attacks are, how they operate, and how individuals and businesses can protect themselves from them.
The recent news that major companies such as Facebook and Robinhood were storing passwords in plain text files makes us think about how much can actually happen when our passwords are compromised in this way.
In the following lines, our team will take the time to explain this type of account breach and what you can do to prevent problems in the future.
What are Password Spray Attacks?
As the name suggests, password spray attacks are a type of attack with a broad set of targets. Thousands of accounts are attacked simultaneously, instead of focusing on a single account as traditional brute-force break-in attempts do.
The attacker uses software that executes break-in attempts at large scale, trying one candidate password against a large number of accounts. The idea is to make a single attempt on each account, so that the automated lockouts and blocking that security software applies to repeated failures on one account are never triggered.
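As an added example (not code from the original post), the following Python detector looks for the pattern just described: one source failing against many distinct accounts with only one or two tries each, which a per-account lockout never sees. The log format and the sample lines are constructed for this demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical log format: "<ISO time> FAIL user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL user=alice src=203.0.113.7
2024-01-10T09:00:03 FAIL user=bob src=203.0.113.7
2024-01-10T09:00:05 FAIL user=carol src=203.0.113.7
2024-01-10T09:00:07 FAIL user=dave src=203.0.113.7
2024-01-10T09:00:09 FAIL user=erin src=203.0.113.7
2024-01-10T09:01:00 FAIL user=alice src=198.51.100.4
2024-01-10T09:01:02 FAIL user=alice src=198.51.100.4
2024-01-10T09:01:04 FAIL user=alice src=198.51.100.4
2024-01-10T09:01:06 FAIL user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) FAIL user=(\S+) src=(\S+)$")


def parse_failures(text):
    """Parse the constructed log format into (timestamp, user, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that, within `window`, fail against at least `min_users`
    distinct accounts while never exceeding `max_per_user` tries on any one.
    A classic brute force (many tries, one account) is deliberately not flagged."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            counts = Counter(user for _, user in evs[i:j])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = {"distinct_users": len(counts), "max_per_user": max(counts.values())}
                break
    return flagged
```

The second source in the sample hammers a single account and is left to the normal lockout; only the spraying source is reported.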
Low-quality passwords are used in these attacks. The cybercriminal's strategy relies on the low-complexity passwords that result from users' bad security habits online. The worst part? These attacks often succeed. Attackers use passwords as simple as “12345678” and “password1”, and they have a solid chance of working.
For greater effectiveness, cybercriminals often turn their attempts into dictionary-type attacks. The idea is to get hints about which passwords are likely to be right. Personal dictionaries are an extraordinary source of this information.
It's also important to mention that cybercriminals use leaks from compromised websites and services to gather key data on users. A single compromised site can yield hundreds of username and password pairs that may also work on another website, since people reuse the same combination across accounts (against the most basic recommendations in cybersecurity).
Taking It Seriously
Too many administrators dismiss this kind of attack as harmless and obsolete, as they may do with other brute-force attempts. However, this is a major mistake, as these attacks can indeed cause serious damage to an organization.
Password spray attacks may use low-quality passwords and don't insist on breaking into each account, but that doesn't make them harmless.
SSO solutions and cloud-based apps such as email platforms (including corporate ones) are the usual targets of these attacks, as they provide the most benefit per successful attempt. Keep in mind that businesses using SSO solutions, for example, grant access to a full work environment with a single sign-in, which is convenient yet devastating if someone gains unauthorized access.
Multifactor authentication and healthy password habits are two sure ways to prevent password spray attacks from succeeding. Even two-factor auth places a massive barrier in front of cybercriminals who bet on this type of attack.
At My IT Guy, we can help your business implement the right solutions to prevent losses from cyberattacks. Account breaches will be avoided at all costs, leveraging the latest tech to safeguard your digital assets.