Password Spraying
What is Password Spraying? Why is Password Spraying dangerous? How to avoid a password spraying cyber attack?
Password spraying is simple enough to understand, and this cyber attack can affect individuals as well as businesses. Hackers take one domain and try common words or reused passwords against every account on it. If your business is John Smith Rocks and your email address is john@johnsmithrocks.com, hackers can use publicly known company information to start guessing passwords. This could include your business’s address, the year it was established, industry-related words, etc. If you have one simple password for most accounts, like Sm!thRocks123, you are at high risk of a password spraying attack. If your passwords aren’t identical but differ only slightly, like Sm$thRocks321, they are still easily found by trying character variations.
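As an added example (not part of the original article), the following Python script shows the trace this pattern leaves in a login log and how a defender can spot it: one source failing against many different accounts while staying below any per-account lockout threshold, which is what separates spraying from an ordinary brute-force attempt on a single account. The log lines, usernames and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not real data): one source tries a single
# guess against many different accounts, staying under any per-account lockout.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=john result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=mary result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:07Z src=203.0.113.5 user=sara result=FAIL
2024-05-01T10:00:09Z src=203.0.113.5 user=omar result=FAIL
2024-05-01T10:00:11Z src=203.0.113.5 user=lena result=SUCCESS
2024-05-01T10:02:00Z src=198.51.100.7 user=john result=FAIL
2024-05-01T10:02:01Z src=198.51.100.7 user=john result=FAIL
2024-05-01T10:02:02Z src=198.51.100.7 user=john result=FAIL
2024-05-01T10:05:00Z src=192.0.2.9 user=mary result=FAIL
"""

def parse_line(line):
    # "ts key=value key=value ..." -> dict with a parsed datetime under "ts"
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_spray(log_text, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {src: sorted distinct users} for sources that failed against at least
    min_users accounts inside `window` without exceeding max_per_user on any one."""
    fails = defaultdict(list)           # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            fails[rec["src"]].append((rec["ts"], rec["user"]))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide a window over each source
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_after_spray(log_text, hits):
    """Accounts that logged in successfully from a flagged source: the guess that worked."""
    return sorted({r["user"] for r in map(parse_line, log_text.splitlines())
                   if r["result"] == "SUCCESS" and r["src"] in hits})
```

The brute-force source (three failures on one account) is deliberately not flagged; a per-account lockout handles that case, whereas the spraying source never trips it and is only visible when failures are grouped by source.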
The majority of people use weak or obvious passwords in the hope of keeping everyone in their organization on the same page. Being locked out of an account because you don’t have the password at hand is frustrating and wastes company time. However, it only takes a few people using poor passwords in an organization for a hacker to gain access to sensitive company and client information.
According to Keeper, 65% of internet users reuse their passwords across multiple accounts, but we can start reducing that number today! Begin by changing the password of any account you sign in to today, and go from there. Whether you write them down or keep a spreadsheet, having unique passwords is critical to your online safety.
Personal Users:
1-Use multifactor authentication. This way, even if your password is compromised, logging in will require a second authenticator. There are several free third-party authenticator apps (such as Google Authenticator) that are simple and quick. All you do is open the app on your phone and type in the six-digit code to verify that it is you trying to access your accounts.
2-Do not use common passwords. I know it’s hard to remember all of them; it seems every company, app, and service has its own portal with its own login information. If there are too many to keep track of in Google Sheets or in notes on your phone, use a password manager like Keeper, LastPass, 1Password, RoboForm, etc. These password managers make sure each password is strong, different, and updated regularly, while you only have to remember one master password to gain access to your account.
Businesses:
1-Use multifactor authentication.
2-Use CAPTCHA. This prevents bots from automatically logging into accounts with stolen credentials.
3-Use VPNs to hide the team’s IP addresses and make it more difficult for hackers to narrow down your business’s exact IP address.
4-Create a cyber security policy at your company that focuses on creating complex passwords and storing them in a password manager like those mentioned above.
5-Make sure all employees and team members understand the importance of cybersecurity, what the cost could be to the company if the policy isn’t upheld, and how to recognize possible threats.
There is a tendency to think that the little guy doesn’t get picked on by hackers. Most people believe that they don’t have a high net worth or that their information isn’t important enough for someone to go through all the work of hacking their accounts. Unfortunately, it is easier to go for the little guys. Companies and individuals with less to be stolen also don’t have the resources or know-how to prevent attacks. They also don’t have the resources to pursue legal action or hunt down their stolen information. These “little guys” are the MOST susceptible to cyber attacks and should take extra care to prevent these attacks against their organizations and personal information.