Password Spray Attack Definition and Defending yourself
The two most commonly used methods to gain unauthorized access to accounts are (a) Brute Force Attack and (b) Password Spray Attack. We have explained Brute Force Attacks earlier. This article focuses on Password Spray Attack: what it is and how to protect yourself from such attacks.
Password Spray Attack Definition
Password Spray Attack is quite the opposite of Brute Force Attack. In Brute Force attacks, hackers choose a vulnerable ID and enter passwords one after another hoping some password might let them in. Basically, Brute Force is many passwords applied to just one ID.
Coming to Password Spray attacks, one password is applied to multiple user IDs so that at least one of the user IDs is compromised. For Password Spray attacks, hackers collect multiple user IDs using social engineering or other phishing methods. It often happens that at least one of those users is using a simple password like 12345678 or even [email protected]. This vulnerability (or lack of information on how to create strong passwords) is exploited in Password Spray Attacks.
In a Password Spray Attack, the hacker would apply a carefully constructed password for all the user IDs he or she has collected. If lucky, the hacker might gain access to one account from where s/he can further penetrate into the computer network.
Password Spray Attack can thus be defined as applying the same password to multiple user accounts in an organization to secure unauthorized access to one of those accounts.
Brute Force Attack vs Password Spray Attack
The problem with Brute Force Attacks is that accounts can be locked down after a certain number of attempts with different passwords. For example, if you configure the server to accept only three attempts and otherwise lock the account being logged into, three invalid password entries are enough to trigger the lockout. Some organizations allow three while others allow up to ten invalid attempts. Many websites use this locking method these days. This precaution is a problem for Brute Force Attacks because the lockout alerts the administrators to the attack.
To circumvent that, the idea of collecting user IDs and applying probable passwords to them was created. With Password Spray Attacks too, hackers take certain precautions. For example, after trying the first password against all the user accounts, they will not start trying the second password against those accounts soon after finishing the first round. They leave a gap of at least 30 minutes between rounds so that the per-account attempt counter has reset.
Protecting against Password Spray Attacks
Both Brute Force and Password Spray attacks can be stopped midway, provided that the related security policies are in place. If the attacker skips the 30-minute gap, the system will again lock the accounts, as long as a provision has been made for that. Certain other controls can also be applied, such as watching the time difference between logins on two different user accounts: if it is a fraction of a second, treat it as suspicious and increase the time required between login attempts on different accounts. Such policies help alert the administrators, who can then shut down or lock the servers so that no read-write operations happen on the databases.
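As an added example that is not part of the original article, the following Python script applies the distinction drawn above to constructed authentication log lines: failures concentrated on one account from one source (the lockout case) are labelled brute force, while failures spread thinly across many accounts from one source, each staying under the lockout threshold, are labelled password spray. The log format, thresholds, and IP addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); fields: timestamp user source result
SAMPLE_LOG = """\
2024-01-10T09:00:00 alice 203.0.113.7 FAIL
2024-01-10T09:00:00 bob 203.0.113.7 FAIL
2024-01-10T09:00:01 carol 203.0.113.7 FAIL
2024-01-10T09:00:01 dave 203.0.113.7 FAIL
2024-01-10T09:00:02 erin 203.0.113.7 FAIL
2024-01-10T09:00:02 frank 203.0.113.7 FAIL
2024-01-10T09:05:00 alice 198.51.100.4 FAIL
2024-01-10T09:05:01 alice 198.51.100.4 FAIL
2024-01-10T09:05:02 alice 198.51.100.4 FAIL
2024-01-10T09:05:03 alice 198.51.100.4 FAIL
2024-01-10T09:30:00 bob 192.0.2.9 OK
"""


def parse(log):
    """Turn each log line into (timestamp, user, source, result)."""
    events = []
    for line in log.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def classify_sources(events, window=timedelta(minutes=30), min_users=5, lockout=3):
    """Classify each source IP by the shape of its failed logins in a window.

    brute_force: one account hit at least `lockout` times (the lockout fires).
    password_spray: at least `min_users` distinct accounts, none reaching the
    lockout, so no single account locks but the source is clearly hostile.
    The window must be longer than the attacker's pause between rounds.
    """
    fails = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    verdicts = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = attempts[0][0]
        per_user = defaultdict(int)
        for ts, user in attempts:
            if ts - start <= window:
                per_user[user] += 1
        if max(per_user.values()) >= lockout:
            verdicts[src] = "brute_force"
        elif len(per_user) >= min_users:
            verdicts[src] = "password_spray"
        else:
            verdicts[src] = "benign"
    return verdicts
```

Note that a per-account lockout alone never fires for the spraying source here; only the per-source view across accounts exposes it.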
The first thing to do to protect your organization from Password Spray Attacks is to educate your employees about the types of social engineering attacks, phishing attacks, and the importance of passwords, so that employees won't use predictable passwords for their accounts. Another method is for admins to provide users with strong passwords, explaining the need to be cautious so that they don't write the passwords down and stick them to their computers.
There are some methods that help in identifying the vulnerabilities in your organizational systems. For example, if you are using Office 365 Enterprise, you can run Attack Simulator to know if any of your employees are using a weak password.