Spring 2018 Password Attacks

David Holmes writes for Security Week, discussing how 90-day password expirations could be making it easier for attackers to brute-force your network.
June 20, 2018

The first time I heard about distributed brute-force login attacks was from master web application firewall (WAF) administrator Marc LeBeau. At the time he was defending a hotel chain against attackers who were brute-force guessing customer passwords and withdrawing hotel points.

According to LeBeau, there’s a popular attack vector among brute-force attackers right now that takes advantage of the 90-day password expirations commonly used by enterprises. When a company becomes large enough, it accumulates several dudes who can’t ever remember their passwords and end up calling IT 200 times a year. To avoid becoming like the fabled B.O.F.H., admins assign these dudes a password like Spring2018 because it’s easy to remember and aligns to the 90-day expiration.

“With tech shop churn and socialization, <SeasonYear> just became a de facto standard. So this specific password works wonders when attacking enterprise because it’s really just an enterprise employee problem,” says LeBeau.
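The pattern LeBeau describes is easy to catch at the moment a password is set. The following is an added example, not code from the article or from F5: a password-set check that rejects the <SeasonYear> convention and its usual dressings (trailing punctuation, two-digit years, single-character leet substitutions). The season list, the substitution table and the one-year window around `year_now` are assumptions of this example.

```python
import re

# Added example, not code from the article. Flags passwords that follow the
# <SeasonYear> convention (Spring2018, winter19, Summer2018!, Spr1ng2018) so a
# password-set hook can reject them before they become 90-day-rotation defaults.
# The season list, LEET table and +/-1 year window are assumptions of this example.

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# Single-character substitutions users apply to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Lower-cased, padding-stripped password: a word followed by a 2- or 4-digit year.
PATTERN = re.compile(r"^(?P<word>[a-z0-9@$]+?)(?P<year>(?:19|20)?\d{2})$")


def season_year_match(password: str, year_now: int = 2018):
    """Return (season, year) if the password is a season plus a nearby year,
    otherwise None. year_now defaults to the year of the article."""
    # Drop leading/trailing padding such as the "!" in "Spring2018!".
    core = re.sub(r"^[^a-z0-9@$]+|[^a-z0-9@$]+$", "", password.lower())
    m = PATTERN.match(core)
    if not m:
        return None
    season = m.group("word").translate(LEET)   # Spr1ng -> spring, $ummer -> summer
    if season not in SEASONS:
        return None
    year = int(m.group("year"))
    if year < 100:                              # two-digit form, e.g. winter19
        year += 2000
    if abs(year - year_now) > 1:                # outside the rotation window
        return None
    return season, year


def is_season_year(password: str, year_now: int = 2018) -> bool:
    """Policy predicate: True means the password should be rejected."""
    return season_year_match(password, year_now) is not None


if __name__ == "__main__":
    # Constructed candidates for demonstration, not real credentials.
    for pw in ["Spring2018", "Spr1ng2018!", "winter19", "Summer2016", "Correct-Horse-Battery"]:
        print(f"{pw!r}: {'reject' if is_season_year(pw) else 'ok'}")
```

A check like this belongs alongside a breached-password list, not instead of one; it only covers the single convention the article calls out.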

Read the full article, published May 2, 2018, by Help Net Security.

Authors & Contributors
David Holmes (Author)
Sr. Threat Research Evangelist