How password spraying works
Password spraying is also known as key spraying. It is similar to brute force, but with an important difference: here, what is tried many times is the username, in order to gain access to a specific account.
Attempts to access an account through brute force are common. In that case the intruder knows which user account to target but not the password. For example, they may find out the e-mail address and start trying thousands of passwords until they find the right one. The same would happen if they know the username for Facebook or any other service.
So what is different about password spraying? In this case the attacker knows the password but does not know which user it belongs to. Let's say a password for an Internet forum, a social network or any online application has been leaked. They know that password belongs to some user, but not what the login name is.
What they do in this case is try multiple usernames, one after another, until they find the right one. They may even have a list, a database, of all the usernames and simply have to work through it.
Simple passwords make password spraying easy
No doubt the use of weak passwords is what makes these attacks possible. We have talked before about the most common passwords and, strange as it seems, they are still the typical 123456, 12341234 and the like. That is a major problem.
What exactly happens? Let's think of an account on Facebook, Netflix or any other platform. In all likelihood someone will be using one of the generic, simple passwords we have mentioned. The only thing the attacker needs is to find the username that corresponds to that password.
So what they do is try many usernames. They may or may not have a list of all of them; they could simply try the most common names as well. Basically a brute force attack, although different from the one we are used to.
This problem appears especially in confined environments. Think, for example, of a small company. Let's say that for some reason a password has been leaked. An attacker knows that some employee uses that password but does not know their exact name. They may, on the other hand, have a list of possible usernames. As there are not too many possibilities, the attack is more likely to succeed than against, for example, a social network like Facebook.
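As an added example (not code from the original article), here is a small Python detector that separates the pattern described above, one password tried against many usernames from the same source, from classic brute force against a single account, using failed-login records; the log format, sample lines, window and thresholds are constructed assumptions to be tuned per environment.

```python
# Added example: tell password spraying apart from brute force in auth logs.
# Spraying = few failures each against MANY usernames from one source;
# brute force = many failures against ONE username from one source.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed (constructed) log format: "<iso-timestamp> auth: FAIL|OK user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 walks through many accounts (spray, then a
# hit on 'erin'); 198.51.100.9 hammers one account; 192.0.2.7 is a typo.
SAMPLE_LOG = """\
2024-01-10T09:00:01 auth: FAIL user=alice src=203.0.113.5
2024-01-10T09:00:02 auth: FAIL user=bob src=203.0.113.5
2024-01-10T09:00:03 auth: FAIL user=carol src=203.0.113.5
2024-01-10T09:00:04 auth: FAIL user=dave src=203.0.113.5
2024-01-10T09:00:05 auth: OK user=erin src=203.0.113.5
2024-01-10T09:00:06 auth: FAIL user=frank src=198.51.100.9
2024-01-10T09:00:07 auth: FAIL user=frank src=198.51.100.9
2024-01-10T09:00:08 auth: FAIL user=frank src=198.51.100.9
2024-01-10T09:00:09 auth: FAIL user=frank src=198.51.100.9
2024-01-10T09:00:10 auth: FAIL user=grace src=192.0.2.7
"""

def parse_failures(log_text):
    """Group failed logins by source: src -> sorted [(timestamp, user)]."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "FAIL":
            failures[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    return {src: sorted(ev) for src, ev in failures.items()}

def classify(events, window=timedelta(minutes=10), threshold=3):
    """Label one source's failures 'spray', 'brute_force' or 'normal'.

    In any window starting at a failure: >= threshold DISTINCT usernames
    means a spray; >= threshold failures on a SINGLE username means brute
    force. Window and threshold are assumed values, not from the article.
    """
    for i, (start, _) in enumerate(events):
        users = [u for t, u in events[i:] if t - start <= window]
        if len(set(users)) >= threshold:
            return "spray"
        if max(users.count(u) for u in set(users)) >= threshold:
            return "brute_force"
    return "normal"

def detect(log_text):
    """Map every source seen failing in the log to its verdict."""
    return {src: classify(ev) for src, ev in parse_failures(log_text).items()}
```

In practice a spray source that later logs an OK (as 203.0.113.5 does here) is the event worth alerting on first, since it means the leaked password found its owner.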
How to Avoid Password Spraying Attacks
So what can we do to prevent password spraying attacks? Here are some important tips to protect our passwords and avoid unwanted access to our accounts: essential recommendations that we should put into practice in any service where we are registered.
The first and most important thing is to protect passwords. We have seen what password spraying consists of, and to carry out this type of attack the intruder needs to know the password. So we must create one that is strong and complex, and protect it.
What would a good password look like? It must be totally random, unique, and contain letters (both uppercase and lowercase), numbers and special symbols. For example, a good password would be something like 3Di8%$-fHu672-D. As we can see, it mixes a little of everything and has a considerable length.
But whichever password we choose, it is important to protect it. For example, we should change it periodically and keep our devices secure. One method of stealing passwords is through keyloggers. A good antivirus, such as Windows Defender, Avast or Kaspersky, to name some of the best known, can prevent this type of malicious software from getting in.
Use two-step authentication
Another very important point is to enable two-step authentication. It is increasingly available, in services such as Amazon, Skype, Facebook and others. Basically it consists of adding an extra layer of security: even if an intruder knows the password, they would need a second step to get in.
That second step is usually a code we receive by SMS, by e-mail or through applications such as Google Authenticator. If we are victims of password spraying and someone manages to figure out both the username and the password, they still could not get in because they would need something else.
Therefore, this is very useful for increasing the protection of any account. We should keep it in mind and activate it whenever possible. It is one of the best security measures we can implement.
Avoid exposing personal data
Of course, we must also prevent our data from being exposed on the net. For example, we should avoid publishing information that can be used to work out the username for our e-mail or any social network.
Sometimes we make information available to anyone on the Internet without realizing it: for example, when we post a message in an open forum, public data on social networks or even a comment on an article on any web page. All of this can be collected by bots and later used to carry out attacks.
In short, password spraying is a serious problem that can put our passwords at risk. It is important to be protected, to know how attackers can act against us, and to prevent them from getting into our personal accounts.