The most sophisticated hacking operations often use surprisingly simple methods to gain access to major targets. Bad password hygiene is the most common culprit in a cyber incident.
The practice of password spraying got some much needed attention recently during a Senate hearing about the SolarWinds hack, which compromised the United States Treasury, Commerce, State, Energy, and Homeland Security departments, and a host of well known companies including Intel, Nvidia, Cisco, and VMWare.
Password spraying is a simple and effective exploit that compromises credentials by using well-known or commonly used passwords, e.g. “Password,” “password123,” “qwerty,” or deploys passwords that might be likely in a particular area (e.g., steelers1! in the Pittsburgh area.)
SPONSORED: Find a Qualified Financial Advisor
1. Finding a qualified financial advisor doesn't have to be hard. SmartAsset's free tool matches you with up to 3 fiduciary financial advisors in your area in 5 minutes.
2. Each advisor has been vetted by SmartAsset and is held to a fiduciary standard to act in your best interests. If you're ready to be matched with local advisors that can help you achieve your financial goals get started now.
A hacker using password spraying will attempt to log in to several accounts within a network, often thousands at a time, until it finds one that uses this successfully.
Unlike brute force attacks–where a long list of random passwords are tried against a single account and credential stuffing where login/password combinations from previous data breaches are tried to access an account–password spraying takes a shotgun approach.
Password spraying has an advantage over other forms of authentication attacks because it is less likely to trigger security software and firewalls programmed to lock accounts after a set number of failed login attempts. By trying one weak password against several accounts, the attempted hack is more likely to go unnoticed than an attack on a single account or a handful of accounts.
- Password spraying is predictive, and targets bad password hygiene.
- Password spraying may have been used in the SolarWinds attacks.
- Authentication attacks like password spraying and credential stuffing can be rendered ineffective by using strong, unique passwords and enabling multi-factor authentication on accounts.
- Requiring strong passwords at the administrative level and blocking widely known, easily guessed login/password combinations will help protect against the password spraying approach.
More from MediaFeed:
- The best collectible guns for investors
- The odd & elaborate final meals of notorious criminals
- Fun secrets about Disney parks
Like MediaFeed’s content? Be sure to follow us.
The biggest scams in America
Featured Image Credit: nndemidchick / istockphoto.