Password spraying is type of cyberattack that takes advantage of users’ common, weak, and easily-guessed passwords. Instead of traditional brute-force attacks that generally target a single account with as many possible password combinations as possible, password spraying attacks involve brute-forcing a large number of accounts using a single password that the malicious actor knows to be statistically existent. Therefore, anyone reusing passwords is at significant risk to password spraying attacks. Even worse if they are using a weak and reused password.

Signs of password spraying attacks.

• Large number of login attempts.
• Large number of account lockouts due to attempted logins.
• Logins reported from unusual geographical locations.
• Suspicious usernames that do not belong to existing users.

Certain factors make the likelihood of a password spraying attack more likely:

• Organization has a history of users using weak passwords that are easy to guess.
• End users have a bad habit of reusing the same weak passwords for multiple accounts.
• Lack of proper password deprovisioning policies.
• Too trusting of an environment with end users.

Methods of password spraying prevention.

• Firstly, implement strong 2FA at the computer level and website level.
• Next, limit the number of login attempts for all accounts.
• Enforce long and difficult-to-guess passwords for all computer, web, and desktop application accounts.
• Do not use common words from the dictionary in passwords.
• Prohibit password sharing.
• Prohibit password reuse / password recycling.
• Implement a password manager to automate passwords for all employees.
• Utilize a tool to automate the changing and sharing of passwords.
• Also utilize a tool to automate the locking of computers to prevent unauthorized access.
• Use a physical-based factor to login such as a hardware token to minimize the potential attack vectors by cybercriminals.
• Actively monitor the network for unusual activity.
• Set up alerts to warn IT admins of suspicious login events/attempts.
• Enforce cyber security training for all end users.
• Lastly, create a culture around cybersecurity awareness.

Security key for stronger security.

A study by Google research and several universities determined that no users that exclusively used security keys for 2FA fell victim to targeted phishing during the investigation. Security keys are markedly more effective for 2FA than other methods including SMS text, on-device prompt, last sign-in location, phone numbers, and email addresses. Therefore, anyone looking for solid security should consider a hardware-based cybersecurity approach.

GateKeeper™ Proximity is the ideal solution for network-wide password spraying prevention at multiple levels including physical computer access, web login, and desktop applications using proximity-based continuous 2FA. Therefore, no passwords for users to type and a central Hub for admins to instantly provision and deprovision keys, users, passwords, and computer access. Turbocharge security against password spraying and other cyber attacks with passwordless 2FA.