Hackers know that many people do not use secure passwords, so they have found creative ways to break into organizations using common ones. One of these techniques is the password spray attack. Password spraying made headlines earlier this year when the United States Department of Justice indicted nine people involved in stealing $3.4 billion in trade secrets.

Password protection is incredibly important, and failing to have a good password can put your organization at risk. According to Verizon’s 2017 Data Breach Investigations Report, 81% of data breaches are caused by hacked or weak passwords. Using a good password can make the difference when it comes to preventing bad actors from accessing your organization.

[Figure: password spraying. Source: Pew Research Center]

What is a Password Spray Attack?

A password spray attack occurs when hackers try a single common password, such as qwerty, against many accounts before moving on to a second password. Because each account only sees one or two failed attempts per round, the attack stays below the lockout threshold that would normally block repeated login failures against one account.

Hackers will usually target organizations by creating an email list of the employees. Hackers can easily find a list of employees on LinkedIn and deduce employee emails based on the typical format of firstname.lastname@company.com. They will then choose a common password and try logging in via popular cloud-based services like Gmail or Outlook. Hackers are patient and will wait in between attempts to avoid triggering time-based lockout thresholds.

How to Prevent Password Spray Attacks

It only takes one successful attempt at password spraying for hackers to get into your organization. It’s important to make sure that your organization is protected so that you keep the bad actors out. Here are 5 tips you can use to increase password security in your organization:

1. Implement a good password policy: The best way to ensure the passwords within your network are protected is to implement a password policy. You should set your passwords to expire every 90 days and make sure all passwords are at least 8 characters long with capital letters, numbers and/or symbols. Encourage your employees not to use easy-to-guess passwords, such as brand names, names of famous people or their birthday.

2. Use multi-factor authentication: Add an additional layer of security to your accounts by using multi-factor authentication. This requires something other than a password, such as a text or call to a phone number, to verify the account owner, so a sprayed password alone is not enough to log in.

3. Have a ‘zero trust’ mindset: Cyber threats can occur from inside and outside your organization, making it important to have a ‘don’t trust, always verify’ approach. Integrating this mentality into your organization means having strict identity verification for all your accounts. This includes using different and secure passwords across all your accounts and devices. Also make sure you create new passwords when integrating new hardware – such as when you get a new computer, router or access point. Never use default passwords as they can be easily found online.

4. Educate your employees: It takes cooperation between your organization and your employees to ensure that your business stays safe. Help your employees stay safe online by teaching them the importance of using secure passwords. Implementing cybersecurity training, like our Secure IT – Training course, will show your employees that you care about being cyber safe.

5. Use a security information and event management (SIEM) system: Integrating a SIEM system into your organization, like our Secure IT – SIEM, will help defend against these attacks. Our SIEM uses behavioural analytics and global threat databases to determine if a threat is taking place. In addition, the SIEM can identify and block suspicious IP addresses or login attempts.
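The spray pattern described above (one source failing once or twice against many different accounts, paced to stay under the per-account lockout) is exactly what a SIEM rule for this attack looks for. The following is an added example, not code from the post or from the Secure IT products: it runs the detection over constructed sample authentication log lines and then lists which accounts logged in successfully from a flagged source, since those are the accounts to reset first. The log format, IP addresses and usernames are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): 203.0.113.10 fails once
# against five accounts then succeeds on a sixth (spray); 198.51.100.7 hammers
# one account (classic brute force); 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z FAIL user=alice.smith src=203.0.113.10
2024-03-01T09:00:41Z FAIL user=bob.jones src=203.0.113.10
2024-03-01T09:01:17Z FAIL user=carol.white src=203.0.113.10
2024-03-01T09:01:55Z FAIL user=dave.brown src=203.0.113.10
2024-03-01T09:02:30Z FAIL user=erin.green src=203.0.113.10
2024-03-01T09:03:02Z SUCCESS user=frank.black src=203.0.113.10
2024-03-01T09:00:10Z FAIL user=gina.hall src=198.51.100.7
2024-03-01T09:00:12Z FAIL user=gina.hall src=198.51.100.7
2024-03-01T09:00:14Z FAIL user=gina.hall src=198.51.100.7
2024-03-01T09:00:16Z FAIL user=gina.hall src=198.51.100.7
2024-03-01T09:05:00Z SUCCESS user=alice.smith src=192.0.2.44
"""

def parse_line(line):
    # Fields: ISO timestamp, FAIL/SUCCESS, user=<name>, src=<ip>
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, lockout=3):
    """Map source IP -> sorted accounts for sources that fail against at least
    min_accounts distinct accounts within window, each below the lockout count."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window
                start += 1
            per_user = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            # Many accounts, few tries each: the spraying signature
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout:
                alerts[src] = sorted(per_user)
    return alerts

def successful_logins_from(log_text, src_ip):
    """Accounts that logged in from a flagged source: reset these first."""
    return sorted({u for _, r, u, s in (parse_line(l) for l in log_text.splitlines()
                   if l.strip()) if r == "SUCCESS" and s == src_ip})
```

The brute-force source is deliberately not flagged here because per-account lockout already handles it; tune `min_accounts` and `window` to the size of your user directory and the pacing you expect.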