posted by Fnord666 on Sunday May 12 2019, @01:41PM
from the horse-battery-staple-correct dept.

Submitted via IRC for AndyTheAbsurd

The DHS recently issued a warning against the use of common and or easily guessed passwords after several government agencies have been targeted by "password spray" attacks.

It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords.

Source: SC Magazine



  • (Score: 2, Insightful) by RandomFactor on Sunday May 12 2019, @02:47PM

    by RandomFactor (3682) Subscriber Badge on Sunday May 12 2019, @02:47PM (#842682) Journal

    This is a common tactic to get a foothold.

    They aren't trying to beat someone that uses a serious password, or get straight into an admin account or restricted system, they are just looking for any way in. Once they have that, then they can scan and escalate and move laterally.

    So the bad guys start with a list of usernames (email addresses work often enough, and may be trivial to acquire).

    Then, rather than attempting to break one user account with decillions of combinations (which would typically be detected and stopped automatically after half a dozen attempts), just try the statistically most likely password ONE TIME against each account. This gives thousands or tens of thousands of attempts that ONLY COUNT AS ONE FAILURE to older detection algorithms that watch individual accounts. Then wait a couple of days and try another one. The user of the account will generally log in and clear the count long before it is locked out.

    Sooner or later this nets a lazy account (or more likely a number of them) and it is off to the races.
    In the corporate world they do things to protect at the edge like:

    - Multi-Factor Authentication (MFA), a base requirement on any internet-facing entry point
    - Front end user logins with solutions that monitor for this type of unusual login activity (Cloud Access Security Broker/CASB)

    In a home environment it is less common for those sorts of controls to be available, but there are other common options (the more the better, and not an exhaustive list):

    - Get Keepass or other password manager. Start using randomized passwords. It's still a bit annoying, but you get used to it.
      (SERIOUSLY. Password reuse by joe sixpack is why all those password breach notifications every.single.day matter.)
    - standard NAT Router between you and the internet (mostly if you have a home network, you have this already)
    - Disable scripts and ads in your browser
    - Do risky, or even normal, browsing from a VM, and reset it periodically
    - Run antivirus (plenty of free ones that automatically update)
    - Switch to Linux (e.g. Mint). It works fine for everyday stuff for anyone that is even a little computer savvy.
    - Back up your important stuff: pictures, passwords, financials, Turbotax files, that sort of thing. (To an external drive you unplug afterwards; modern ransomware will look around your network and encrypt everything on accessible NAS drives also.)

    Feel free to add on ;-)

    --
    In Pravda there is no news, in Izvestia there is no truth
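The comment's point is that a per-account failure counter never trips during a spray, because each account sees a single failure. As an added example (not part of the comment or of any product named in it), here is the classic per-account counter next to a detector that correlates failures across distinct accounts from one source within a time window, run over a handful of constructed authentication log lines. The log format, IP addresses, usernames and thresholds are all made up for illustration.

```python
"""Password-spray detection versus per-account lockout, over constructed log lines.

Added example. Log format (constructed): ISO timestamp, source IP, username, FAIL|SUCCESS.
The addresses are documentation ranges (RFC 5737); nothing here is from a real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries one password against many accounts and
# gets in as 'grace'; a second source hammers a single account and then succeeds
# legitimately; a third is an ordinary login.
SAMPLE_LOG = """\
2019-05-12T02:00:01 198.51.100.7 alice FAIL
2019-05-12T02:00:02 198.51.100.7 bob FAIL
2019-05-12T02:00:03 198.51.100.7 carol FAIL
2019-05-12T02:00:04 198.51.100.7 dave FAIL
2019-05-12T02:00:05 198.51.100.7 erin FAIL
2019-05-12T02:00:06 198.51.100.7 frank FAIL
2019-05-12T02:00:07 198.51.100.7 grace SUCCESS
2019-05-12T02:03:00 203.0.113.9 alice FAIL
2019-05-12T02:03:05 203.0.113.9 alice FAIL
2019-05-12T02:03:10 203.0.113.9 alice FAIL
2019-05-12T02:03:15 203.0.113.9 alice SUCCESS
2019-05-12T02:05:00 192.0.2.4 bob SUCCESS
"""

PER_ACCOUNT_LOCKOUT = 5          # hypothetical: consecutive failures before one account locks
SPRAY_MIN_ACCOUNTS = 5           # hypothetical: distinct accounts failing from one source
SPRAY_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text: str):
    """Return events as (timestamp, source_ip, user, succeeded) sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def per_account_lockouts(events, threshold: int = PER_ACCOUNT_LOCKOUT) -> set:
    """The older control: count consecutive failures per account; a success resets the count."""
    streak = defaultdict(int)
    locked = set()
    for _ts, _ip, user, ok in events:
        if ok:
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= threshold:
                locked.add(user)
    return locked


def detect_spray(events, min_accounts: int = SPRAY_MIN_ACCOUNTS, window: timedelta = SPRAY_WINDOW) -> dict:
    """Flag a source once its failures touch >= min_accounts distinct users inside the window.

    Returns {source_ip: {"accounts": set_of_sprayed_users, "successes": [users that later logged in]}},
    so a responder can see which account became the foothold.
    """
    recent = defaultdict(list)       # ip -> [(ts, user)] failures still inside the window
    successes = defaultdict(list)    # ip -> users that authenticated successfully
    flagged = {}
    for ts, ip, user, ok in events:
        if ok:
            successes[ip].append(user)
            continue
        cutoff = ts - window
        recent[ip] = [(t, u) for t, u in recent[ip] if t >= cutoff] + [(ts, user)]
        users = {u for _t, u in recent[ip]}
        if len(users) >= min_accounts:
            flagged.setdefault(ip, {"accounts": set(), "successes": []})["accounts"].update(users)
    for ip, entry in flagged.items():
        entry["successes"] = list(successes[ip])
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts locked by per-account counter:", per_account_lockouts(evs) or "none")
    for ip, info in detect_spray(evs).items():
        print(f"spray from {ip}: {len(info['accounts'])} accounts, successes={info['successes']}")
```

Against this sample the per-account counter locks nothing (no account sees five consecutive failures), while the cross-account view flags 198.51.100.7 after its fifth distinct user and reports that the same source then authenticated as one account, which is the lead an analyst would chase first.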