Password spraying attacks means you need a better password strategy now

Those of you in tech have probably used or heard of Citrix. The company has been around for decades and sells a variety of products, including remote desktops and network security. It is ironic that they experienced a security breach across their internal corporate network: the breach began last October and was only discovered in March. A series of internal business documents were stolen as a result of this breach. Think about that for a moment: if a network security company can’t detect hackers living inside their network for months, how can mere mortals do it?

The company recently concluded its investigation and, to its credit, has been very transparent about the process. Citrix hired FireEye to analyze its logs and has since updated its endpoint protection with FireEye's product. Citrix's post describes what it is doing to tighten its security, and how it has put together a committee to help govern security going forward. That is great. The post concludes by saying, “we live in a dynamic threat environment that requires a culture of continuous improvement.” Very true.

But what I want to call your attention to is how this breach initially happened, and that is through an attack called password spraying. This is a very simple attack: you start with a list of login IDs and try a short series of common passwords against every one of them until you find a pair that works. The link above has suggestions on how to use common tools to help determine your own exposure, and if you are new to this term you should spend some time learning more about it.

But even if you aren’t part of a corporate IT department, it is high time for you to change your own personal password policy. It is likely that you are using a common password somewhere across your many logins. This isn’t the first time I have made this recommendation. But if an IT vendor that sells security products can get attacked, it means that anyone is vulnerable. And if your password can be easily found (such as in Troy Hunt’s HIBP database), then you need to be concerned. And you need to start by using a password manager and changing your passwords to something complex and unique enough. Now. Today.

4 thoughts on “Password spraying attacks means you need a better password strategy now”

  1. It is worth noting that the modern view of “complex and unique” is quite different from the password guidance of 20 years ago. For example, use of special characters, and the like, is now discouraged. This is due both to a better sense of the mathematics of passwords and the usability (human factors). (Oddly, use of special characters sometimes /reduces/ protection!)

    So ‘complex’ does not have to mean it is obscure for the user, only for the attacker. A really good password might be easy for the user to remember, but unlikely for the attacker to guess.

    The simple version of this is to type a phrase pertaining to a moment in your life. Maybe make small changes to it – such as leaving off some initial and/or ending characters. Lots of bits, not obviously guessable to an attacker, but easy for you to remember.

