Multifactor authentication completely defeats password-spray attacks by requiring possession of a preregistered device. A spray attack might stumble across a valid username/password combination, but that information is useless without access to the user's smartphone or authentication token.
Improve Password Policies
Most agencies already have strong password policies that require the use of complex, lengthy passwords. Many also prohibit the use of dictionary words.
Agencies can further strengthen these policies by prohibiting the use of any passwords that appear on a list of commonly used passwords. This technique isn’t 100 percent effective, but it does slow down password-spray attacks.
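The banned-list check described above, as an added example that is not part of the original article: a small policy checker that rejects a candidate password when its normalized form (case folded, common leet substitutions undone, trailing year or punctuation stripped) appears on a common-password list. The list, the substitution table and the minimum length are constructed here for illustration; a real deployment would load a large published list.

```python
import re

# Constructed illustrative list of commonly used passwords. A production
# checker would load a large breach-derived list instead of this handful.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football", "summer", "winter",
}

# Assumed leet substitutions; undoing them catches "P@ssw0rd" as "password".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a candidate to its base word so trivial variants of a banned
    password (Password1!, P@ssw0rd, WELCOME2024) are caught as well."""
    p = password.strip().lower()
    # Strip leading/trailing digits and punctuation first (the "2024" or "!"
    # users append to satisfy complexity rules), then undo leet spelling.
    p = re.sub(r"[\d\W_]+$", "", p)
    p = re.sub(r"^[\d\W_]+", "", p)
    return p.translate(_LEET)


def is_banned(password: str, banned=COMMON_PASSWORDS) -> bool:
    """True when the password or its normalized form is on the banned list."""
    return password.lower() in banned or normalize(password) in banned


def policy_violations(password: str, min_length: int = 12) -> list:
    """Return the list of policy rules the candidate violates (empty = accepted).
    The 12-character minimum is an assumed value, not one from the article."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_banned(password):
        problems.append("matches a commonly used password")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Welcome2024!", "correct horse battery staple"):
        print(candidate, "->", policy_violations(candidate) or "accepted")
```

Normalizing before the lookup is what makes the check slow a spray down: attackers' spray lists consist largely of exactly these seasonal and complexity-padded variants of a few base words.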
Educate Federal Employees About Password Reuse
Password reuse is one of the gravest threats to systems that depend on password authentication. Agencies can implement extremely strong password policies, but those policies are only effective if users don’t compromise their passwords in other ways.
There are no technical controls to prevent a user from using the same password for their agency account and their personal email account or website login. The only way to mitigate this threat is to educate employees about the perils of reusing passwords and to encourage the use of secure password managers, which maintain unique passwords across many different accounts.
Monitor Agency Authentication Systems
Password-spray attacks are not subtle. They are noisy, brute-force attacks that should be immediately apparent to anyone watching agency authentication systems. Unfortunately, these systems often go unmonitored, allowing attacks to continue for hours or days before analysts notice and block the source of the attack.
Agencies should create automated alerts that immediately notify cybersecurity professionals of an increased rate of password authentication failures. Security information and event management systems may also block future authentication attempts from IP addresses that exceed a predefined threshold.
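The alerting logic described above, as an added example that is not part of the original article: a detector that parses authentication log lines, counts failures per source address inside a sliding time window, and raises an alert only when the failures are spread across many distinct usernames, which is the signature that separates a spray from a single user who has forgotten their password. The log format, the sample lines and the thresholds are constructed for illustration; the output is the set of source addresses a SIEM would block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format (not real
# agency data). 198.51.100.7 sprays one guess at each of several accounts
# and then succeeds against one; 203.0.113.9 is a single user mistyping.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth: FAILED user=asmith src=198.51.100.7
2024-03-01T09:00:02Z auth: FAILED user=bjones src=198.51.100.7
2024-03-01T09:00:03Z auth: FAILED user=cwilliams src=198.51.100.7
2024-03-01T09:00:04Z auth: FAILED user=dbrown src=198.51.100.7
2024-03-01T09:00:05Z auth: FAILED user=ejohnson src=198.51.100.7
2024-03-01T09:00:06Z auth: SUCCESS user=fmiller src=198.51.100.7
2024-03-01T09:00:10Z auth: FAILED user=gdavis src=203.0.113.9
2024-03-01T09:00:20Z auth: FAILED user=gdavis src=203.0.113.9
2024-03-01T09:00:30Z auth: SUCCESS user=gdavis src=203.0.113.9
2024-03-01T09:05:00Z auth: FAILED user=hlee src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]


def detect_spray(events, window=timedelta(minutes=5),
                 fail_threshold=5, user_threshold=4):
    """Flag sources that produce >= fail_threshold failures across
    >= user_threshold distinct usernames within `window` (assumed thresholds).
    Returns {src: {"failures", "distinct_users", "successes_after"}}."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, user, result))

    alerts = {}
    for src, rows in by_src.items():
        rows.sort()
        fails = [(ts, user) for ts, user, r in rows if r == "FAILED"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start until all failures fit inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            win = fails[start:end + 1]
            users = {u for _, u in win}
            if len(win) >= fail_threshold and len(users) >= user_threshold:
                # A success from the same source after the spray began points
                # at the account the analyst should check first.
                after = [u for ts, u, r in rows
                         if r == "SUCCESS" and ts >= win[0][0]]
                alerts[src] = {"failures": len(win),
                               "distinct_users": len(users),
                               "successes_after": after}
                break
    return alerts


def block_list(alerts):
    """Source addresses a SIEM rule would block once the threshold is exceeded."""
    return sorted(alerts)


if __name__ == "__main__":
    found = detect_spray(parse_events(SAMPLE_LOG))
    for src, info in found.items():
        print(f"ALERT {src}: {info}")
    print("block:", block_list(found))
```

Counting distinct usernames per source, rather than failures per account, is the design choice that matters: per-account lockout never fires during a spray because each account sees only one or two attempts, while the source address accumulates failures quickly.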
Password-spray attacks are dangerous and threaten to compromise the security of any agency that depends only on passwords to secure its authentication systems. Agency leaders seeking to mitigate this threat should expedite the adoption of multifactor authentication technology, improve their password policies, educate their workforce and actively monitor their authentication systems.