Are your online accounts safe from password spraying attacks?

In the digital age, the security of our online accounts hinges on the strength of our passwords.

Despite the implementation of security measures to deter unauthorized access, hackers have developed techniques, such as 'password spraying,' enabling them to attempt millions of password combinations without triggering lockouts.

The Notorious 'Password Spraying' Attack

'Password spraying' is a common attack vector that involves systematically trying a set of common and personalized passwords across multiple accounts.

By using easily guessable passwords, such as 'iloveyou' and 'password123,' along with personalized ones like 'firstname123' and email aliases, hackers aim to gain unauthorized access to accounts across various platforms.

Absolute Attempts vs. Relative Attempts

The ability of hackers to attempt millions of password combinations without triggering lockouts is contingent on the password attempt limiting mechanisms employed by targeted systems.

Two prevalent approaches include:

Absolute Attempts

Some systems adhere to an absolute attempts policy, where a fixed number of failed login attempts, irrespective of the source, results in an account lockout.

For instance, if a user tries to sign in from different devices and surpasses the predetermined limit, the account is subject to a lockout, a security feature common in high-security financial applications.

Relative Attempts

On the other hand, systems that employ relative attempts may lock out the device used for the erroneous login attempts while sparing the entire account from being locked.

This distinction provides hackers with the flexibility to navigate through multiple devices to conduct their password spraying attacks, evading account lockouts in the process.

Are your online accounts at risk of falling prey to password spraying attacks, and how can you protect them?