infoSource is a cybersecurity newsletter. By subscribing to infoSource you will remain up-to-date on the latest in communication, computer and software cybersecurity issues.

All Sprays Aren't Ultra Sheen™

Laziness Leads To A Bad Password Day

At one level or another many people fall into the bad practice of password reuse and typically the password is an easily guessable one or, worse yet, has been previously compromised during a data breach.

It's the length, not the strength.

The InfoBro

When there is a website or online service account breach people often think of credit card, bank account and other personal information having been compromised. Very often the password information is also breached leading to a responsible company notifying its users of the compromise of credentials with advice, or a requirement, to perform an update.

An important concept to keep in mind is that if you have reused your credential on another site, any more than one, you're giving the threat actor one more opportunity to access your information, or identity and assets($$).

 I Need A Pick For These Locks

 Threat actors use archives of previously compromised accounts to engage in an attack methods called "Password Spraying" along with "Credential Stuffing." Used together these present a powerful strategy for large scale compromises. Think about this. Any other sites that the same credentials have been shared with are subject to compromise with the breached credentials. This other site could potentially be used to obtain further information for targeting other accounts and sites, gathering the email addresses of friends, and for further relationships.

Password Spraying is a type of brute-force attack. Instead of trying to guess many passwords over and again on a single targeted account login for a single site, risking detection by causing account lockouts, spraying spreads the attack over time and among many sites by just trying one or two guesses or using compromised credentials associated with the account before moving on to do the same at a new site. Combined with stuffing the most important aspect of this is that the threat actor can do this for a large cache of accounts, unless the provider has some additional manner of detection and mitigation, while avoiding those overt tactics and detection.

Condition Yourself For Protection

So what do you do to mitigate for these threats? What's the direction for the protection? You will have to condition yourself for some changes in your normal practices. You've got to put in the work and make it natural. Start by taking a look at how you decide on a password and how to logon for any existing or new account. Plan a date certain to go through all of your accounts and ensure that you are not reusing the same weak password: less than eight characters, dictionary words, no special characters like '%' and '+', dates and names, etc. Don't do that, that's the lowest of all hanging fruit. The most important thing about a password to remember is that it's the length not the strength. In other words password complexity matters, but not as much as how long it is.  In fact, if you can, try using a passphrase instead.  Also, remember the Zero-Trust Architecture could enable access without relying on any passwords at all, with greater security.

The Bottom Line

If you are reusing passwords you should stop. Mutli-step authentication is another good option to exercise if you can do it. As far as coming up with and managing passwords, there are a plethora of free and cheap alternatives that will serve you well. Many anti-virus solutions also include password managers that will also synchronize between all of our devices. Make a time. Get to work, you'll be glad you did the next time that your favorite web site gets breached.

Stay safe, vigilant and unpredictable. Subscribe. 

Stay Informed

When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.

Can we stop saying Zero-day?
What Is Zero Trust?

Related Posts



No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Sunday, 16 June 2024

Contact Me


1309 S Street S.E., Washington, DC, 20020
00 1 202-276-8641

Send Me a Message

Contact Me