The first time I heard about distributed brute-force login attacks was from master web application firewall (WAF) administrator Marc LeBeau. At the time he was defending a hotel chain against attackers who were brute-force guessing customer passwords and withdrawing hotel points.
According to LeBeau, there’s a popular attack vector among brute-force attackers right now that takes advantage of the 90-day password expirations commonly used by enterprises. When a company becomes large enough, it accumulates several dudes who can’t ever remember their passwords and end up calling IT 200 times a year. To avoid becoming like the fabled B.O.F.H., admins assign these dudes a password like Spring2018 because it’s easy to remember and aligns to the 90-day expiration.
“With tech shop churn and socialization, <SeasonYear> just became a de facto standard. So this specific password works wonders when attacking enterprise because it’s really just an enterprise employee problem,” says LeBeau.
Read the full article published May 2, 2018 here: https://www.securityweek.com/spring-2018-password-attacks by Help Net Security.