Protect Yourself and Your Firm Against Password Spray Attacks
Privacy, Cyber & AI Decoded Alert | 2 min read
Apr 9, 2019
Risk Management Question
What are "password spray" attacks and what cybersecurity measures do lawyers need to take to defeat them?
The Issue
A standard cybersecurity measure, referred to as access control, is to lock a person out of the network after four or five unsuccessful log-in attempts. In order to bypass this security control, hackers have adopted a new tactic called a "password spray" attack. Password spraying involves the collection of a large number of user names at a particular firm or business and spraying a single password against this group of user names in an attempt to gain access. Hackers can repeat a spraying attack two or three times without triggering the network's access control security. To gain access to a network, hackers only need to find one person who uses a common or weak password.
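The paragraph above explains why a per-account lockout counter never fires during a spray. The following detection sketch is an added example, not part of the original alert: it counts distinct accounts failing from one source instead. The log format, thresholds, addresses and usernames are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed thresholds for illustration; tune them to your own environment.
LOCKOUT_THRESHOLD = 5            # failures on ONE account before lockout
DISTINCT_USERS = 4               # distinct accounts failed from ONE source
WINDOW = timedelta(minutes=30)
# Constructed sample log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-04-09T09:00:01 203.0.113.7 asmith FAIL
2019-04-09T09:00:02 203.0.113.7 bjones FAIL
2019-04-09T09:00:03 203.0.113.7 clee FAIL
2019-04-09T09:00:04 203.0.113.7 dkim FAIL
2019-04-09T09:00:05 203.0.113.7 epatel FAIL
2019-04-09T09:12:30 198.51.100.20 fgarcia FAIL
2019-04-09T09:12:41 198.51.100.20 fgarcia OK
2019-04-09T09:40:01 203.0.113.7 asmith FAIL
2019-04-09T09:40:05 203.0.113.7 epatel OK
"""

def parse(log):
    rows = (line.split() for line in log.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), src, user, res) for ts, src, user, res in rows)

def locked_out(events):
    """Accounts a per-account counter would lock (simplified: total failures)."""
    fails = defaultdict(int)
    for _, _, user, res in events:
        fails[user] += res == "FAIL"
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def spray_sources(events):
    """Map source -> most distinct accounts it failed against inside one WINDOW."""
    by_src, flagged = defaultdict(list), {}
    for ts, src, user, res in events:
        if res == "FAIL":
            by_src[src].append((ts, user))
    for src, fails in by_src.items():
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > WINDOW:   # slide the window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= DISTINCT_USERS:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts with a successful login from a flagged source."""
    return {user for _, src, user, res in events if res == "OK" and src in flagged}
```

On the sample data no account reaches the lockout threshold, yet one source is flagged for failing against five accounts, and the one account that later logged in successfully from that source is the one to reset and investigate.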
Hackers use lists of commonly used and weak passwords found on the dark web. There are a variety of resources for enterprise security leaders listing the most commonly used passwords to avoid. Here's one such list: https://www.securitymagazine.com/articles/89694-the-top-100-worst-passwords.
Using passwords like those mentioned makes your firm or business susceptible to a password spray attack and makes you personally vulnerable to getting hacked and having your identity stolen. You should never use a weak or commonly used password to gain access to your firm's network.
Hackers know that many people default to references to local sports teams, so using passwords like Diamondbacks2018, WhiteSox2019, Timberwolves1, Blackhawks2, Raiders2020, or ChicagoBears! will also make you and your firm or business vulnerable to password spray attacks. Hackers know many people also use celebrity names, which is why the password "Donald" debuted on the list of 100 worst passwords to use in 2018.
Risk Management Solution
- Never use any of the passwords in the list provided above, or any password with similar characteristics.
- Think passphrases, not passwords.
- The longer your passphrase (or password), the better.
- Avoid using the name of any family member or your pet. If a hacker is targeting you, they will know these names and will exploit that information.
- Avoid using one of the seasons of the year (Winter2019).
- If the application allows it, consider using the space bar in drafting the passphrase: Feed the dog at 5:00.
- Choose a phrase that is memorable. It could be a phrase or a line from a movie, a poem or a speech.
Your password is your first line of defense against getting hacked. Choose your passwords carefully, and remember to be careful out there.