There are many reasons why having a simple password is a bad idea, but one of the most common today is that it can put you at risk of falling victim to a brute-force attack known as password spraying. While the hackers that conduct password-spraying attacks usually target organizations rather than individual consumers, the headache is still yours if one of your accounts with a business becomes compromised as part of a password-spraying spree.
Here, we’ll explore what password spraying is, who it affects the most, and the best ways to prevent it from happening.
What is Password Spraying?
Simply put, password spraying happens when a cybercriminal attempts to log into multiple accounts with one password. They’ll often use the most common, low-effort passwords like “password” or “123456” for example. “Spraying” refers to their tactic of trying out a password on as many different accounts as possible – which could be thousands or millions of accounts connected to a business.
While you can consider password spraying a form of brute-force attack, it doesn’t involve hammering one account with many different passwords. Instead, each account sees only a handful of guesses, which keeps the attacker below the failed-login threshold that would normally lock the account or raise an alert. These criminals typically target organizations that set a default password which employees or customers have to update once they’ve used it to log in, and cloud-based platforms where users might have chosen weak passwords for ease of use. Password spraying is therefore a simple but effective tactic for gaining access to many accounts at once.
How Password Spraying Works
There are typically a few different stages to a password-spraying attack. First, the attacker assembles a list of valid usernames. These are often email addresses leaked in earlier data breaches and sold on the dark web, but because most organizations use a predictable email format, they can also be built from a staff list on a company website or simply guessed.
Next, they source a short list of the most common passwords, plus any default the target organization is known to hand out. Finally, they try each password across every account on the list, usually slowly enough to stay under lockout thresholds, until a combination works.
Once a combination works, they have the same access you do. That can include financial information or confidential details such as your social security number, which they can use to make fraudulent transactions or even steal your identity.
Signs You Might Be Affected By Password Spraying
If you’re not a business, then you might not be actively monitoring the signs of a password-spraying attack. However, if you’re a member of an organization or website, they might inform you of a password spraying attack if they spot one happening. Here are some key signs of a password-spraying attack:
- A spike in failed login attempts spread across many different accounts, with each account failing only once or twice, typically from the same source address and within a short window;
- A spike in login attempts at an unusual time, such as the middle of the night in the organization’s time zone;
- Login attempts against inactive, dormant, or non-existent accounts, because the attacker’s username list is assembled from old leaks and includes people who have since left.
On your end, you might receive notifications or emails saying that someone has tried to access your account from an unknown device or location. Unlike other kinds of brute-force attacks, however, password spraying does not typically involve repeated attempts to log in to one user account, so it often stays below the threshold that would lock the account or alert you.
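To make the attack stages above and the detection signs concrete, here is an added Python example; it is not code from this article, and every username, password, IP address and threshold in it is made up. It runs a simulated spray and a simulated single-account brute force against a toy login service with a five-failure lockout, then runs a detector over the resulting log that looks for the spraying signature: one source failing against many distinct accounts, only a few times each, within a short window.

```python
# Added example (not from the article): a toy login service with per-account
# lockout, a simulated spray and a simulated single-account brute force against
# it, and a detector run over the resulting log. Every username, password,
# IP address and threshold below is constructed for illustration.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed user store: 20 accounts, most with unique passwords, three of
# which still use an onboarding default or a top-common password.
USERS = {f"user{i:02d}": f"S3cret-unique-{i:02d}!" for i in range(1, 21)}
USERS.update({"user03": "Welcome1", "user11": "123456", "user17": "Welcome1"})

LOCKOUT_THRESHOLD = 5  # failed attempts on ONE account before it locks
SPRAY_LIST = ["password", "123456", "Welcome1"]  # few, very common guesses
BRUTE_LIST = ["password", "123456", "qwerty", "letmein",
              "admin", "welcome", "iloveyou", "monkey"]


class AuthService:
    """Login endpoint with the classic per-account failure counter."""

    def __init__(self, users):
        self.users = users
        self.failures = defaultdict(int)
        self.log = []  # (timestamp, source_ip, username, outcome)

    def login(self, ts, src_ip, username, password):
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            outcome = "locked"
        elif self.users.get(username) == password:
            outcome = "success"
        else:
            self.failures[username] += 1
            outcome = "failure"
        self.log.append((ts, src_ip, username, outcome))
        return outcome


def spray(service, src_ip, usernames, passwords, start):
    """Spraying: one password across EVERY account, then the next password.
    Each account sees only len(passwords) attempts, below the lockout bar.
    Returns the (username, password) pairs that logged in."""
    hits, ts = [], start
    for pw in passwords:
        for user in usernames:
            if service.login(ts, src_ip, user, pw) == "success":
                hits.append((user, pw))
            ts += timedelta(seconds=2)
    return hits


def brute_force(service, src_ip, username, passwords, start):
    """Classic brute force: many passwords against ONE account."""
    outcomes, ts = [], start
    for pw in passwords:
        outcomes.append(service.login(ts, src_ip, username, pw))
        ts += timedelta(seconds=2)
    return outcomes


def detect_spray(log, window=timedelta(minutes=10), min_users=10, max_per_user=3):
    """Flag a source whose failures within one window span many distinct
    accounts while hitting each account only a few times: the signature of
    spraying, which per-account lockout never sees. Returns {ip: usernames}."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in log:
        if outcome == "failure":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = Counter(user for _, user in events[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts.setdefault(ip, set()).update(counts)
    return alerts


def run_simulation():
    """Brute force locks its one target; the spray locks nothing and still
    takes three accounts, but the detector catches the spraying source."""
    service = AuthService(USERS)
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    brute_force(service, "198.51.100.9", "user05", BRUTE_LIST, t0)
    hits = spray(service, "203.0.113.7", sorted(USERS), SPRAY_LIST,
                 t0 + timedelta(minutes=5))
    locked = sorted(u for u, n in service.failures.items() if n >= LOCKOUT_THRESHOLD)
    return hits, locked, detect_spray(service.log)


if __name__ == "__main__":
    hits, locked, alerts = run_simulation()
    print("spray hits:", hits)
    print("locked accounts:", locked)
    for ip, users in alerts.items():
        print(f"spray alert: {ip} failed against {len(users)} accounts")
```

The brute force locks its one target after five attempts; the spray, at three attempts per account, never trips the lockout and still takes the three accounts with weak or default passwords, yet it is the spray, not the brute force, that the detector flags. The `window`, `min_users` and `max_per_user` thresholds are assumptions to tune against your own log volume.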
How to Prevent Password Spraying
Thankfully, there are plenty of ways that organizations and individuals can protect themselves against password-spraying attacks. Here are some solutions:
Create a Strong Password
While strong passwords can be difficult to remember, there are tips for creating memorable ones, such as using mnemonic devices or a secure third-party password manager. In addition to being memorable, strong passwords are at least 12 to 14 characters long and include a combination of numbers and symbols, lowercase letters, and uppercase letters. Against spraying specifically, what matters most is that your password is not on the short list of common and default passwords that attackers try; meeting a complexity rule is not enough if the result is a predictable pattern like a word followed by the current year and an exclamation mark.
Need more password ideas to try? Consider picking words or phrases from a favorite song, poem, or book out of context and use them to create a mnemonic.
Enable Multi-Factor Authentication
More and more, organizations are encouraging their users to enable multi-factor authentication (MFA), and it’s a good idea to turn it on wherever an account offers it. Some of the measures you can take to protect yourself include:
- Linking your phone number or email address with your account and allowing the organization to send a one-time code by text or email that is required to complete a login.
- Using an authenticator app or a hardware security key where the service supports one. These are stronger than texted codes, because a code sent by SMS or email can be intercepted or phished from you in real time, whereas a security key only works on the genuine site.
- Adding a secret word or phrase that you can provide in case you forget your password. Strictly speaking this is an account-recovery step rather than a second factor, but as with your password, making sure it isn’t a commonly used one helps.
Another reason why multi-factor authentication is a good idea is that it protects you against phishing and/or social engineering attacks. Even if a criminal has tricked you into giving up your password, they’d still need the additional factor, such as a code texted to your phone. The name “multi-factor” therefore speaks to the fact that the MFA login process requires several different correct inputs before you can access your account.
Concerned that you might be a target of phishing? Check if someone’s email is connected to a legitimate person using Spokeo’s email lookup tool.
Enable Biometric Verification
Sometimes alphanumeric passwords just aren’t strong enough to beat a multitude of different cybercriminal tactics. While simpler passwords can be picked up by password spraying, more complicated passwords can still be leaked in data breaches and sold on the dark web. For better security, organizations sometimes introduce biometric verification as a step for logging in.
Different organizations will probably have different forms of biometric verification. You can enable biometric verification by providing:
- Your fingerprint
- A scan of your iris
- Voice recognition
- Facial recognition
One of the reasons why biometric verification is such a strong option is that biometrics like your iris or fingerprint pattern are unique to you and hard to fake. Keep in mind that, unlike a password, a biometric can’t be changed if it leaks, which is why well-designed systems keep your fingerprint or face data on your own device and use it to unlock a stored credential rather than sending the scan itself to the service. Sometimes you’ll find a business only introduces biometric verification at certain stages of your customer journey, such as an online payment.
Use a Password Manager
Another great tool to have at your disposal is a password manager. There are many different password managers on the market, so it’s best to choose one with the following options:
- Dark web monitoring to keep real-time track of whether your password has been involved in a data breach.
- Password encryption to keep your vault safe from cybercriminals. Look for a manager that clearly states it uses “zero-knowledge” encryption, meaning your vault is encrypted with a key derived from your master password on your own device, so not even the vendor can read your passwords if its servers are breached. Note that this does not protect you from malware or a malicious browser extension running on your own computer, so keep your browser extensions to ones you trust.
- A password generator that creates strong passwords that are very difficult for cybercriminals to guess or use in a password-spraying attack
Second Guess A Hacker’s Every Move
Finally, it’s good to assume that there’s always a risk of falling victim to cybercrime. Cybercrime is on the rise across the globe: its cost is predicted to reach $9.5 trillion in 2024. As a user, this just means ensuring you’re using the best possible protection when it comes to your login credentials. While biometric verification or a second factor might slow you down a little, it’s an invaluable extra layer of protection that is difficult for hackers to beat.
How Password Spraying Can Cause Trouble For You
The time and resources it takes to recover from a compromised account are no walk in the park. You’ll likely deal with financial losses tied directly to criminal activity, such as reclaiming stolen funds. You might have to file a chargeback with your bank, which could take weeks to resolve. If you weren’t using a service that offers buyer protection, you might find it even harder to get your money back at all. And in the worst case, criminals who have stolen sensitive data can extort you by threatening to publish or sell it.
Stop Password Spraying Attacks – And Other Types of Fraud
Password spraying is a simple but devastating form of cybercrime that can result in stolen financial information as well as other sensitive information, which can lead to issues like identity fraud. Thankfully, the solutions are rather simple as well: make sure you have a password with real entropy. Think unpredictability, at least 12 to 14 characters, and a mix of letters, numbers, and symbols, and avoid predictable patterns such as a dictionary word followed by the current year.
Stay well away from common passwords such as “password” or “12345.” A sprayer only ever tries a short list of the most common and default passwords, so a password that isn’t on any such list simply never matches, and a long, unpredictable one protects you against brute-force attacks in general.
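As an added example (not code from this article), the following Python assesses a candidate password the way the advice above and in the “Create a Strong Password” section suggests: it estimates entropy from length and the character classes used, applies the 12-character minimum the article recommends, and also checks whether the password reduces to something on a spray list once common letter substitutions and a bolted-on year or symbol are stripped. The spray list, the substitution table and the 60-bit threshold are small constructed samples and assumptions, not a real attacker’s list.

```python
# Added example (not from the article): estimate how guessable a password is
# and whether it would fall to a spray. The spray list and the substitution
# table are constructed for illustration, not a real attacker's list.
import math
import re

# Constructed sample of what gets sprayed first: defaults, seasons, keyboard
# walks. Real lists run to thousands of entries.
COMMON_SPRAY_LIST = {
    "password", "123456", "12345678", "qwerty", "welcome", "welcome1",
    "letmein", "admin", "changeme", "summer", "winter", "company",
}

# Substitutions attackers undo (and try) automatically: "P@ssw0rd" is "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# (class name, matcher, size of that class within printable ASCII)
CHAR_CLASSES = [
    ("lower", re.compile(r"[a-z]"), 26),
    ("upper", re.compile(r"[A-Z]"), 26),
    ("digit", re.compile(r"[0-9]"), 10),
    ("symbol", re.compile(r"[^A-Za-z0-9]"), 33),
]


def normalize(password):
    """Strip the digits/symbols people bolt on to satisfy complexity rules
    ("Welcome2024!" -> "Welcome"), undo leetspeak, and lowercase."""
    stem = re.sub(r"[^A-Za-z]+$", "", password)
    return stem.translate(LEET_MAP).lower()


def entropy_bits(password):
    """Upper bound on guess-resistance: length * log2(size of the character
    pool actually used). Overestimates strength for dictionary-derived
    passwords, which is why assess() also checks the spray list."""
    pool = sum(size for _, rx, size in CHAR_CLASSES if rx.search(password))
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password, min_length=12, min_bits=60):
    """Return (ok, reasons): ok only if the password is long enough, has
    enough estimated entropy, and does not reduce to a sprayed password.
    min_length follows the article's 12-character advice; min_bits is an
    assumed threshold."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = entropy_bits(password)
    if bits < min_bits:
        reasons.append(f"only ~{bits:.0f} bits of estimated entropy")
    for candidate in (password.lower(), normalize(password)):
        if candidate in COMMON_SPRAY_LIST:
            reasons.append(f"reduces to sprayed password '{candidate}'")
            break
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Welcome2024!", "correct horse battery staple"]:
        ok, reasons = assess(pw)
        print(f"{pw!r}: {'OK' if ok else 'weak: ' + '; '.join(reasons)}")
```

“Welcome2024!” passes both the length and the complexity test with about 79 estimated bits and is still rejected, because it is “welcome” with a suffix: exactly the kind of guess a sprayer tries first. A passphrase of four unrelated words passes on length alone.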