Home Explainers How to Prevent Password Spraying Attacks

How to Prevent Password Spraying Attacks

Employees and users often use the same passwords for multiple accounts, exposing their accounts to password spraying attacks.

SHARE
password spraying attacks, credential stuffing attacks

Weak or easy-to-guess passwords are potential threats to corporate networks. Poor password habits could make the entire organization’s security vulnerable to unauthorized intrusions. Threat actors leverage various techniques, like Password Spraying attack, to exploit weak passwords and penetrate vulnerable network systems.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

What is a Password Spraying Attack?

In a password spraying attack, adversaries try to guess users’ passwords by using a list of common and predictable passwords. Password spraying attacks are similar to brute-force attacks, in which threat actors predict users’ credentials to gain unauthorized access to targeted systems by the trial-and-error method.

Password spraying attacks usually enable hackers to:

  • Obtain access to users’ private data
  • Penetrate email and other online accounts
  • Initial access and privilege escalation
  • Evasion of security detection

Hackers Obtain Credentials in Password Spraying Attacks by:

  • Researching on targets’ social media profiles online
  • Leveraging social engineering scams to obtain sensitive information
  • Trying common passwords like – qwerty, password, Password123, 123456, etc., to break into accounts
  • Exploiting compromised accounts to obtain email addresses
  • Moving laterally in the compromised network to affect more accounts and steal credentials

Also Read: These are the Most Common Passwords of 2021

How to Prevent Password Spraying Attacks

Organizations can boost their overall security posture by following basic password management measures. These include:

  • Enabling two-factor or multi-factor authentication procedures
  • Using strong passwords that include numbers, symbols, and both uppercase and lowercase letters
  • Changing all default passwords
  • Keeping well-documented procedures for password resets
  • Implementing a Zero Trust security model to detect anonymous intrusions
  • Restricting access to authentication URLs
  • Enforce the use of strong passwords
  • Enabling CAPTCHA feature for authentication
  • Enabling account lockout option, after multiple wrong login attempts
  • Maintaining security awareness training to employees regularly

Also Read: 6 Practices to Strengthen Your Password Hygiene

Weak Passwords Make Hacker’s Job Easy

Cybercriminals often exploit leaked/stolen passwords from data breaches to break into user accounts. Pet names, favorite movies, or hobbies are used as passwords, exposing user accounts to password spraying and account takeover attacks. According to a survey, 63% of employees in the U.S. have reused their passwords on work accounts and devices. It was found that employees are 6.5 times more likely to reuse their passwords.

What Experts Say… 

Ritesh ChopraCommenting on the importance of passwords, Ritesh Chopra, Director Sales and Field Marketing, India & SAARC Countries, NortonLifeLock, said, “The remote working trend and the heightened dependence on digital platforms brought about by the ongoing pandemic have contributed to an increase in cyberattacks, with cybercrime rising through unsecured networks, websites, and emails. We often save financial data, personally identifiable information (PII), contacts, credit and debit card information on our personal devices.

“All this data is at risk online. One of the ways we can secure it is by using password managers that allow us to keep multiple and more complicated passwords. It is good that consumers today recognize the need for cyber safety and that it can start with something as simple as having stronger passwords,” Chopra added.

A robust password management program and adherence to cybersecurity practices are the best defense against evolving hacker intrusions.

About the Author:

Rudra Srinivas

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       

More from the Rudra.