What Is Password Spraying and How to Be Protected

Passwords are the main security barrier that keeps intruders out of our social media accounts, email or any other service. That is why attackers set their sights on them and look for ways to steal them, and there are many very different methods for doing so. In this article we are going to explain what password spraying is: what the attack consists of, and what advice to follow to avoid being a victim and protect ourselves.

How password spraying works

Password spraying is also known as key spraying. It is similar to brute force, but with an important difference: in this case what is tried many times is the username, in order to gain access to a specific account.


It is common to see attempts to access an account through brute force. In that case the intruder knows which user account they want to get into, but not its password. For example, they can find out the e-mail address and start trying thousands of passwords until they hit the correct one. The same applies if they know the username on Facebook or any other service.

So what is different about password spraying? In this case the attacker knows a password, but does not know which user it belongs to. Let's say that a password from an Internet forum, a social network or any online application has been leaked. They know that the password belongs to some user, but they do not know the login name.

What they do in this case is try one username after another until they find the one the password belongs to. They may even have a list, a database, of all the usernames, and simply have to work through it.

Simple passwords make password spraying easy

Undoubtedly the use of weak passwords is what makes this type of attack easy. We have talked before about which passwords are the most common and, strange as it seems, they are still the typical 123456, 12341234 and the like. That is a major problem.

What exactly happens? Let's think of an account on Facebook, Netflix or any other platform. In all likelihood someone will be using one of those generic, simple passwords we have mentioned. The only thing the attacker needs is to find the username that goes with that password.

So what they do is try a lot of usernames. They may or may not have a list of all of them; they could also simply try the most common names. It is basically a brute-force attack, although different from the one we are used to.

This problem appears especially in closed environments. For example, think of a small company. Let's say that for some reason a password has been leaked. An attacker knows that some employee uses that password, but does not know exactly who. They may, on the other hand, have a list of possible usernames. As there are not too many possibilities, the attack will be more successful than it would be against, for example, a social network like Facebook.
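The pattern described above (one password tried against many usernames from the same source) has a signature in the authentication log that is the mirror image of classic brute force (many passwords against one username). The following detection example is added here and is not part of the original article; the log format, the source addresses and the usernames are constructed for the example, and the thresholds (five failures against five distinct accounts within ten minutes) are illustrative assumptions that a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one source spraying a
# single password across many accounts and finally succeeding, one source
# hammering a single account, and an ordinary successful login.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T09:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T09:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T09:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T09:00:06Z src=203.0.113.5 user=frank result=SUCCESS
2024-03-01T09:00:10Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:00:11Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:00:12Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:00:13Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:00:14Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:05:00Z src=192.0.2.9 user=bob result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_users=5, min_failures=5):
    """Return {src: "spray" | "brute_force"} for sources whose failed logins
    inside one sliding window look like either pattern.

    spray        -> at least min_failures failures spread over >= min_users accounts
    brute_force  -> at least min_failures failures all against one account
    """
    failures_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures_by_src[src].append((ts, user))

    verdicts = {}
    for src, fails in failures_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start so the slice spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            recent = fails[start:end + 1]
            if len(recent) < min_failures:
                continue
            distinct_users = len({user for _, user in recent})
            if distinct_users >= min_users:
                verdicts[src] = "spray"
                break
            if distinct_users == 1:
                verdicts[src] = "brute_force"
                break
    return verdicts


def spray_successes(events, verdicts):
    """Successful logins from a source already flagged as spraying: these are
    the accounts whose owners should be told to change their password."""
    return sorted(
        (src, user)
        for _, src, user, result in events
        if result == "SUCCESS" and verdicts.get(src) == "spray"
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = classify_sources(evts)
    print(found)
    print(spray_successes(evts, found))
```

Counting distinct usernames per source rather than failures per username is what separates the two cases: a lockout policy keyed on the username alone never fires during a spray, because each account sees only one failure.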


How to Avoid Password Spraying Attacks

So what can we do to avoid password spraying attacks? We are going to give some important tips to protect our passwords and avoid unwanted access to our accounts: essential recommendations that we should put into practice in any service where we are registered.

Protect passwords

The first and foremost thing is to protect passwords. We have seen what password spraying consists of: to carry out this type of attack, the attacker needs to know a password. So we must create one that is strong and complex, and protect it.

What would a good password look like? It must be totally random, unique, and contain letters (both uppercase and lowercase), numbers, and other special symbols. For example, a good password would be one of the type 3Di8%$–fHu672-D. As we can see, it mixes a little of everything and has a considerable length.
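The checks the paragraph lists can be turned into a small policy. The following example is added here and is not code from the original article: it rejects the well-known weak passwords the article names, enforces length and character variety, estimates how much randomness a password of that shape carries, and generates passwords from the operating system's cryptographic random source. The minimum length of 12, the symbol set and the short list of common passwords are assumptions chosen for the example; a real check would test against a large breached-password list.

```python
import math
import secrets
import string

# Constructed list of the kind of weak passwords the article mentions.
# A production check would consult a large breached-password corpus instead.
COMMON_PASSWORDS = {"123456", "12341234", "password", "qwerty", "111111", "abc123"}

# Character classes a password is expected to draw from (assumed policy).
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set("!#$%&()*+,-./:;<=>?@[]^_{|}~"),
}
MIN_LENGTH = 12  # assumed minimum


def _classes_used(password):
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    used = _classes_used(password)
    for name in CLASSES:
        if name not in used:
            problems.append("missing_" + name)
    # a password built from one or two repeated characters is not random
    if len(set(password)) <= 2:
        problems.append("low_variety")
    return problems


def estimate_bits(password: str) -> float:
    """Upper-bound entropy: bits if each character were uniformly random
    over the union of the classes the password actually uses."""
    alphabet = sum(len(CLASSES[name]) for name in _classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG that contains every class."""
    if length < len(CLASSES):
        raise ValueError("length too small to include every character class")
    pools = [sorted(chars) for chars in CLASSES.values()]
    full_alphabet = sorted(set().union(*CLASSES.values()))
    while True:
        # one guaranteed character per class, the rest from the whole alphabet
        chars = [secrets.choice(pool) for pool in pools]
        chars += [secrets.choice(full_alphabet) for _ in range(length - len(pools))]
        secrets.SystemRandom().shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("123456", "3Di8%$-fHu672-D", generate_password(20)):
        print(f"{pw!r}: {check_password(pw)} ~{estimate_bits(pw):.0f} bits")
```

The entropy figure is an upper bound: it assumes the characters were chosen uniformly, which is true of the generator but not of a password a person invented, which is why the common-password check is kept alongside it.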

But regardless of the password we choose, it is important to protect it. For example, we should change it periodically and keep our devices secure. One method of stealing passwords is through keyloggers. With a good antivirus, such as Windows Defender, Avast or Kaspersky, to name some of the best known, we can prevent this type of malicious software from getting in.

Use two-step authentication

Another very important point is to activate two-step authentication. This is something increasingly common, and we can see it in services such as Amazon, Skype, Facebook… Basically it consists of adding an extra layer of security: even if an intruder knows the password, they need a second step to get in.

That second step is usually a code that we receive by SMS or e-mail, or generate with an application such as Google Authenticator. If we fall victim to password spraying and someone manages to match the username and the password, they still cannot get in, because they need something else.

Therefore, this is a very effective way to increase the protection of any account. We should keep it in mind and activate it whenever it is available. It is one of the best security measures we can implement.
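The codes that apps such as Google Authenticator display are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The example below is added here and is not code from the original article or from Google: it computes those codes, then shows a login routine where a correct password alone (the situation password spraying produces) is not enough, and where a code cannot be replayed once used. The in-memory account store, the user "alice" and the password are constructed for the example; the secret is the RFC 4226/6238 test key.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with the defaults authenticator apps use: 30 s steps, 6 digits."""
    return hotp(secret, now // step, digits)


def matching_counter(secret: bytes, code: str, now: int, step=30, window=1, digits=6):
    """Return the time-step counter whose code matches, or None.
    One step either side is accepted to tolerate clock drift between phone and server."""
    counter = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return counter + delta
    return None


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret shown (or encoded in the QR code) at enrolment."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


ACCOUNTS = {}  # constructed in-memory user store for the example


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    """Store a salted password hash plus the shared TOTP secret."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "secret": totp_secret,
        "last_counter": -1,  # replay protection: a code is accepted at most once
    }


def login(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; a leaked or sprayed password alone is not enough."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 200_000)
    if not hmac.compare_digest(attempt, acct["hash"]):
        return False
    counter = matching_counter(acct["secret"], code, now)
    if counter is None or counter <= acct["last_counter"]:
        return False  # wrong code, or a code already used
    acct["last_counter"] = counter
    return True


if __name__ == "__main__":
    key = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    enroll("alice", "3Di8%$-fHu672-D", key)
    print("password only:", login("alice", "3Di8%$-fHu672-D", "", 59))
    print("both factors: ", login("alice", "3Di8%$-fHu672-D", totp(key, 59), 59))
```

The `last_counter` check matters in practice: without it an attacker who observes a valid code (for instance through a phishing page) could reuse it within the drift window, so a code is only ever accepted for a counter later than the last one that succeeded.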

The importance of using 2FA authentication

Avoid exposing personal data

Of course, we must also prevent our data from being exposed on the network. For example, we must avoid exposing information that could be used to work out the username we use for email or any social network.

Sometimes we make information available to anyone on the Internet without realizing it: for example, when we post a message in an open forum, public data on social networks or even a comment on an article on any web page. All of this can be collected by bots and later used to carry out attacks.

In short, password spraying is a major problem that can put our passwords at risk. It is important that we are protected, that we know how attackers can act against us, and that we prevent them from getting into our personal accounts.