Despite widespread calls for better online security, big tech companies still allow their users to sign up and log in with basic passwords. This includes companies like Netflix, Wikipedia, Reddit and Amazon, which accept simple credentials such as a surname, a date of birth or the local part of the email address as access IDs to their online services.
In the past two years, several companies have been found blaming users for choosing bad passwords, which leave them vulnerable to cyber threats such as brute force and password spray attacks.
A brute force attack is where attackers pick vulnerable usernames and try one password after another against them, hoping that one of the guesses succeeds. Because the guessing is done by software, the activity is automated and results can be obtained within a few minutes.
In a password spray attack, a single password is tried against many different user accounts, in the hope that at least one of them is compromised. In both cases the cyber crooks start off with passwords that are easy to guess.
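The two patterns just described look different in authentication logs, and that difference is what a defender keys on: a brute force attack produces many failures for one account, while a password spray produces one or two failures each across many accounts, which is exactly why it slips past per-account lockout rules. The following is an added example, not code from the article or from any of the companies it names. It runs a simple detector over a constructed set of authentication-failure log lines; the log format, the source addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> user=<name> result=<FAIL|OK>".
LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOGS = [
    # One source, one guess per account: the password-spray pattern.
    "2024-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL",
    "2024-03-01T09:00:02Z src=203.0.113.5 user=bob result=FAIL",
    "2024-03-01T09:00:03Z src=203.0.113.5 user=carol result=FAIL",
    "2024-03-01T09:00:04Z src=203.0.113.5 user=dave result=FAIL",
    "2024-03-01T09:00:05Z src=203.0.113.5 user=erin result=FAIL",
    "2024-03-01T09:00:06Z src=203.0.113.5 user=frank result=FAIL",
    # One source hammering a single account: the brute-force pattern.
    "2024-03-01T09:01:00Z src=198.51.100.7 user=alice result=FAIL",
    "2024-03-01T09:01:01Z src=198.51.100.7 user=alice result=FAIL",
    "2024-03-01T09:01:02Z src=198.51.100.7 user=alice result=FAIL",
    "2024-03-01T09:01:03Z src=198.51.100.7 user=alice result=FAIL",
    "2024-03-01T09:01:04Z src=198.51.100.7 user=alice result=FAIL",
    "2024-03-01T09:01:05Z src=198.51.100.7 user=alice result=FAIL",
    # A legitimate user who mistyped once and then got in: benign noise.
    "2024-03-01T09:02:00Z src=192.0.2.9 user=bob result=FAIL",
    "2024-03-01T09:02:05Z src=192.0.2.9 user=bob result=OK",
]


def parse_line(line):
    """Return the src/user/result fields of one log line, or None if it does not match."""
    match = LOG_RE.search(line)
    return match.groupdict() if match else None


def detect(lines, spray_min_users=5, brute_min_failures=5):
    """Flag sources that look like password spraying or brute forcing.

    spray_min_users:    distinct accounts one source must fail against to be
                        reported as a spray (per-account lockouts never fire here,
                        so the count has to be kept per source, not per account).
    brute_min_failures: failures against a single (source, account) pair that
                        count as a brute-force attempt.
    """
    users_per_src = defaultdict(set)     # src -> set of accounts it failed against
    failures_per_pair = defaultdict(int)  # (src, user) -> failure count

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue  # ignore unparsable lines and successful logins
        users_per_src[rec["src"]].add(rec["user"])
        failures_per_pair[(rec["src"], rec["user"])] += 1

    spray = sorted(src for src, users in users_per_src.items()
                   if len(users) >= spray_min_users)
    brute = sorted(pair for pair, count in failures_per_pair.items()
                   if count >= brute_min_failures)
    return {"password_spray": spray, "brute_force": brute}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOGS).items():
        print(f"{kind}: {hits}")
```

Run as a script it prints one spraying source (`203.0.113.5`) and one brute-forced pair (`198.51.100.7` against `alice`), while the single mistyped login from `192.0.2.9` is ignored. The thresholds are deliberately low for a handful of sample lines; in production they would be tuned per time window, and a spray is more reliably spotted by also counting distinct accounts per source across a window of minutes to hours, since sprayers pace their attempts to stay under lockout limits.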
Steven Furnell, a professor at the University of Plymouth, has been keeping tabs on top sites and their password habits for the past 11 years. He found that the situation in 2018 had not changed and that the overall story remains similar to that of 2007.
Furnell feels that the website developers and managers at the internet giants have not changed their attitude in these years, as they are more focused on making their web portals usable than on adding in-depth security.
Experts suggest that the best way to curb password spraying attacks is to educate users against reusing the same or common passwords across online services. If users understand the consequences of their faulty password practices, it becomes easier to mitigate and cut down on password spraying attacks.
Authorities at the US FBI and DHS have already issued a warning to network managers around the world on this issue, urging them to strengthen their defences against hacking techniques that have been seen exploiting single sign-on and federated authentication protocols.