How to Protect Yourself Against Password Spraying Attacks
Bad cyber actors are what we like to call the modern day “try-hards”. They’ll try anything to gain access to your accounts. One method they now favor is called password spraying. If you’ve never heard of it, this blog will explain what it is and offer tips on how to avoid it.

It’s well known that hackers test a slew of different username and password combinations. This type of assault is familiar to web security companies, and it’s why you get locked out of your account if you repeatedly enter the wrong password.

This is where password spraying comes into play. The cyber crooks have found a way around the three-tries-and-you’re-out defense. Instead of them trying one username with a lot of different passwords, they use one password and many different usernames. 

It has become too easy. The attackers find your staff by checking your company’s publicly available information. Either the attacker harvests usernames like john@yourcompany.com, james@yourcompany.com and jamal@yourcompany.com, or buys a whole list from the Dark Web. After that, they test a variety of widely known passwords against each of those accounts.

Throughout the world, many people still use passwords like “123456,” “12345,” and “password.” So, it’s not that difficult for a hacker to use one of these common variations to gain access to a system. 

In these attacks, they try each “wrong” password against a long list of usernames before moving on to the next. By the time they’re through trying “abc123” against every user on the list, enough time has passed that the earlier failed attempts no longer count toward the lockout. The hacker can then try a different password against the same list of users.
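That pattern, one source failing against many accounts while staying under the per-account lockout, is also what a defender can look for in authentication logs. The following is an added example, not code from the original post: a small detector run over constructed sample failed-login lines (the log format, IP addresses and thresholds are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events: timestamp, source IP, result, user.
# A spray shows up as one source hitting many accounts, each only once or twice,
# which keeps it below the usual "three tries" per-account lockout threshold.
SAMPLE_LOG = """\
2021-03-01T09:00:01 203.0.113.7 FAIL john@yourcompany.com
2021-03-01T09:00:03 203.0.113.7 FAIL james@yourcompany.com
2021-03-01T09:00:05 203.0.113.7 FAIL jamal@yourcompany.com
2021-03-01T09:00:07 203.0.113.7 FAIL maria@yourcompany.com
2021-03-01T09:00:09 203.0.113.7 FAIL priya@yourcompany.com
2021-03-01T09:00:11 203.0.113.7 FAIL chen@yourcompany.com
2021-03-01T09:05:00 198.51.100.4 FAIL john@yourcompany.com
2021-03-01T09:05:10 198.51.100.4 FAIL john@yourcompany.com
2021-03-01T09:05:20 198.51.100.4 FAIL john@yourcompany.com
2021-03-01T09:05:30 198.51.100.4 FAIL john@yourcompany.com
"""

def parse_failures(text):
    """Yield (timestamp, source, user) for each FAIL line in the log."""
    for line in text.splitlines():
        ts, src, result, user = line.split()
        if result == "FAIL":
            yield datetime.fromisoformat(ts), src, user

def detect_spray(text, window=timedelta(minutes=10), min_users=5, lockout=3):
    """Return {source: sorted users} for sources whose failures look like a spray.

    A source is flagged when, inside `window`, it fails against at least
    `min_users` distinct accounts without exceeding `lockout` failures on any
    one of them. Classic brute force (many failures on one account) is left
    to the lockout policy and is not flagged here.
    """
    events = sorted(parse_failures(text))
    flagged = {}
    for i, (start, src, _) in enumerate(events):
        per_user = defaultdict(int)
        for ts, s, user in events[i:]:
            if ts - start > window:
                break
            if s == src:
                per_user[user] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= lockout:
            if src not in flagged or len(per_user) > len(flagged[src]):
                flagged[src] = sorted(per_user)  # keep the fullest window seen
    return flagged

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts")
```

In production the thresholds should follow your real lockout policy and normal login volume, and the source key may need to be a source network or user agent rather than a single IP.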

What to do in the event of a password spraying incident 

Starting with the most obvious, don’t use any of the most commonly used passwords. You may not believe people still use passwords like this, but in the year 2021, the “123456” password had over 3.5 million uses. Second place went to “password,” with 1.7 million reported users. It takes seconds to guess these passwords.

Therefore, use stronger passwords wherever possible. This doesn’t mean you have to put in seven digits, six symbols, and three capital letters. Instead, use a long password that’s easy to remember. The National Institute of Standards and Technology (NIST) recommends that longer is better.

When a user initially logs into a new application, IT administrators have the option to force them to change their password. NIST also recommends checking every new password against a list of known-compromised passwords and rejecting any that appear on it.

It also helps to use multi-factor authentication. With MFA, a correct password alone is not enough; the user must also present a second factor before access is granted, so a sprayed password that happens to be right still doesn’t get the attacker in. Sending a text code or using an authentication app is best.

Finally, segment your networks so that users can access only the resources they require. Restricting user access minimizes the damage if an account is breached.

Incorporate password security best practices into your organization. 

There are many other ways to protect your identity online and secure the data on your residential computers. Contact our IT experts today.

Click here to schedule a free 15-minute meeting with Stan Kats, our Founder and Chief Technologist. 

STG IT Consulting Group proudly provides IT Service in Greater Los Angeles and the surrounding areas for all of your IT needs. 

We look forward to meeting with you!