All Sprays Aren't Ultra Sheen™

Laziness Leads To A Bad Password Day

At one level or another many people fall into the bad practice of password reuse and typically the password is an easily guessable one or, worse yet, has been previously compromised during a data breach.

It's the length, not the strength.

The InfoBro

 I Need A Pick For These Locks

 Threat actors use archives of previously compromised accounts to engage in an attack methods called "Password Spraying" along with "Credential Stuffing." Used together these present a powerful strategy for large scale compromises. Think about this. Any other sites that the same credentials have been shared with are subject to compromise with the breached credentials. This other site could potentially be used to obtain further information for targeting other accounts and sites, gathering the email addresses of friends, and for further relationships.

Password Spraying is a type of brute-force attack. Instead of trying to guess many passwords over and again on a single targeted account login for a single site, risking detection by causing account lockouts, spraying spreads the attack over time and among many sites by just trying one or two guesses or using compromised credentials associated with the account before moving on to do the same at a new site. Combined with stuffing the most important aspect of this is that the threat actor can do this for a large cache of accounts, unless the provider has some additional manner of detection and mitigation, while avoiding those overt tactics and detection.

Condition Yourself For Protection

So what do you do to mitigate for these threats? What's the direction for the protection? You will have to condition yourself for some changes in your normal practices. You've got to put in the work and make it natural. Start by taking a look at how you decide on a password and how to logon for any existing or new account. Plan a date certain to go through all of your accounts and ensure that you are not reusing the same weak password: less than eight characters, dictionary words, no special characters like '%' and '+', dates and names, etc. Don't do that, that's the lowest of all hanging fruit. The most important thing about a password to remember is that it's the length not the strength. In other words password complexity matters, but not as much as how long it is.  In fact, if you can, try using a passphrase instead.  Also, remember the Zero-Trust Architecture could enable access without relying on any passwords at all, with greater security.

The Bottom Line

If you are reusing passwords you should stop. Mutli-step authentication is another good option to exercise if you can do it. As far as coming up with and managing passwords, there are a plethora of free and cheap alternatives that will serve you well. Many anti-virus solutions also include password managers that will also synchronize between all of our devices. Make a time. Get to work, you'll be glad you did the next time that your favorite web site gets breached.

Stay safe, vigilant and unpredictable. Subscribe.