Spring 2018 Password Attacks

David Holmes writes for Security Week, discussing how 90-day password expirations could be making it easier for attackers to brute-force your network.
June 20, 2018

The first time I heard about distributed brute-force login attacks was from master web application firewall (WAF) administrator Marc LeBeau. At the time he was defending a hotel chain against attackers who were brute-force guessing customer passwords and withdrawing hotel points.

According to LeBeau, there’s a popular attack vector among brute-force attackers right now that takes advantage of the 90-day password expirations commonly used by enterprises. When a company becomes large enough, it accumulates several dudes who can’t ever remember their passwords and end up calling IT 200 times a year. To avoid becoming like the fabled B.O.F.H., admins assign these dudes a password like Spring2018 because it’s easy to remember and aligns to the 90-day expiration.

“With tech shop churn and socialization, <SeasonYear> just became a de facto standard. So this specific password works wonders when attacking enterprise because it’s really just an enterprise employee problem,” says LeBeau.
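One defensive response to the <SeasonYear> habit is to refuse such passwords when they are set or assigned. The check below is an added example, not code from the article or from LeBeau; the word list, the character-substitution table and the function names are assumptions made for illustration.

```python
import re

# Assumed stem list: seasons and months, the words that get paired with a year
# to line up with a 90-day expiration.
STEMS = {"spring", "summer", "autumn", "fall", "winter",
         "january", "february", "march", "april", "may", "june", "july",
         "august", "september", "october", "november", "december"}

# Assumed substitution table: undo common look-alike characters in the stem.
LEET = str.maketrans("01345@$", "oieasas")

# stem, optional separator, 4-digit (19xx/20xx) or 2-digit year, optional
# trailing punctuation such as "!".
PATTERN = re.compile(r"(?P<stem>.+?)[\W_]*(?P<year>(?:19|20)\d{2}|\d{2})[\W_]*")

def season_year_match(password):
    """Return (stem, year) if the password is a Season/Month+Year variant, else None."""
    m = PATTERN.fullmatch(password)
    if not m:
        return None
    stem = m.group("stem").lower().translate(LEET)
    if stem not in STEMS:
        return None
    return stem, m.group("year")

def rejected(candidates):
    """Return the candidates a password-change hook should refuse."""
    return [p for p in candidates if season_year_match(p) is not None]

# Constructed sample input, not real credentials.
SAMPLES = ["Spring2018", "Summer18!", "W1nter_2019", "F@ll18",
           "correct horse battery 42", "Tr0ub4dor&3"]

if __name__ == "__main__":
    for pw in SAMPLES:
        hit = season_year_match(pw)
        print(f"{pw!r}: {'REJECT ' + str(hit) if hit else 'ok'}")
```

The same function can be run over the temporary passwords a help desk hands out, since the article attributes the pattern to admin-assigned passwords as much as to user choice.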

Read the full article published May 2, 2018 here: https://www.securityweek.com/spring-2018-password-attacks by Help Net Security.

Authors & Contributors
David Holmes (Author)
Sr. Threat Research Evangelist
