
Gloucestershire Business News

Business expert: Password spraying attacks - more common than you think

By David Woodfine, director at Cyber Security Associates 

Keeping passwords safe and secure, and changing them regularly, are 'cyber tips' most people hear on a frequent basis.

But despite this, many users, both at work and at home, continue to use basic and simple passwords for multiple accounts.

The National Cyber Security Centre (NCSC) recently reported that one common way that online accounts are breached is through password spraying. This is simply where a small number of common passwords are used to brute force large numbers of accounts. These attacks can be very successful because for any given large set of users there will likely be some who are using very common passwords.

The NCSC reported that:

• 75% of the participants' organisations had accounts with passwords that featured in the top 1,000 passwords

• 87% had accounts with passwords that featured in the top 10,000

This data suggests that password spraying attacks are likely to have some success against these organisations, and many other organisations across the UK. Whilst account lockout policies may limit attackers to trying (for example) 10 passwords against a single account per day, the account lockout counters usually reset over time. This allows persistent attackers to try more passwords, and they can (and do) end up trying hundreds or even thousands of common passwords.

Password complexity doesn't guarantee that passwords will be more difficult for attackers to break, but it usually does make them harder for users to remember - which can lead to weaker passwords and more password reuse overall.

So instead, organisations should be encouraged to disable complexity requirements and to have users adopt other strategies such as 'three random words'. However, this means that the onus is now even more on users to pick 'good' passwords (that is, passwords that cannot easily be guessed).

Fortunately, there are actually a variety of approaches organisations can take to mitigate these attacks, and the number of available options is growing regularly.

As a starting point, Cyber Security Associates recommends making sure that you do some of the following:

• One of the most effective approaches to stopping these attacks is to prevent users from using common passwords in the first place.

• Consider using outsourced protective monitoring over externally-reachable authentication endpoints to look for password spraying attacks.

• Enforce multi-factor authentication on your externally-reachable authentication endpoints.

• Provide pragmatic advice and training to users on how to choose 'good' passwords.

Are you in need of comprehensive cyber security advice, guidance and managed services for your business? Click here, email info@csa.limited or call 01452 886982 for more information.



Copyright 2019 Moose Partnership Ltd. All rights reserved. Reproduction of any content is strictly forbidden without prior permission.