Protecting Against Brute Force and Password Spray Attacks

Imagine pulling up to the fancy, six-bedroom beachside mansion you rented for the week with your friends. 

Finally, vacation time. 

One small catch: The owner left a ring of 500 keys and didn’t tell you which one unlocks the front door. 

You try the keys, huffing in frustration as each one fails. Finally, you hear the pop of the latch and you rush inside to look around. 

Translate this scenario to cybersecurity and you can understand what a brute force attack looks like.

Understanding Brute Force Attacks

In a brute force cyberattack, bad actors will try password after password until they crack an account. Usually, they apply an automated program so they don’t have to type those password attempts manually. 

One type of brute force attack is a “dictionary attack” (no actual dictionaries are harmed in the process).

Hackers will try targeted combinations of commonly used passwords based on a user group’s geographic region, age group or shared experiences or interests. 

For example, they might try variations of “ChiefsFan2468” for users based in Kansas City, “5grandkids” for users of a certain age or “deltasig2014” for users who are members of a fraternity.

We know what you’re thinking: “How can they just guess a password?! I can’t even guess my OWN password after I forget it.

Well, hackers have a lot more time on their hands — and the possibility of a big payday to motivate them. According to IBM, the average cost of a data breach was $4.45 million in 2023, an all-time high.

Although this method isn’t as common as it once was, hackers do still use it. There are thousands — or millions — of accounts not protected by MFA out there. Those accounts’ only line of defense is their password — so for brute force aficionados, there are plenty of ready-made targets. 

For them, it’s worth the effort. 

Understanding Password Spray Attacks

Along the same lines, hackers try a similar method called password spray attacks.

In this scenario, the bad actor will figure out the template for that organization’s email accounts (for example, firstinitial.lastname@domain.com).

Then, they’ll attempt one specific password for all the accounts within a company’s environment. (Surely CompanyName2024 has to work on someone’s account, right?)

At SaaS Alerts, we see thousands of brute force and password spray attacks every single day.

Why MSPs Should Prioritize Brute Force Defense

Hackers who use brute force and password spray attacks may not be the most efficient hackers in the world. But eventually they’ll get through, especially if accounts aren’t protected by MFA.

When the hacker does crack that password, your clients are at risk of data exfiltration and loss — which can be expensive and damaging. Preventing that from happening means saving your client both money and embarrassment. 

Win-win.

Best Practices to Prevent Brute Force and Password Spray Attacks

Set minimum password standards: Don’t allow your clients’ end users to use something super easy to guess as their passwords. Set parameters they have to follow instead (one capital letter, one number, one special character, etc). And don’t forget to require a minimum length. The current best practice is 12 to 16 characters.

Ensure all end-user accounts set up MFA: We’ll shout this from the rooftops. Every end-user account should be protected by MFA. No excuses. It’s the single best protection against these attacks because even if a bad actor does guess the correct password, there’s an additional layer of protection.

Related Content: How MSPs Can Make the Case for MFA Implementation

Implement regular monitoring: Keeping an eye on attack patterns (even if the hacker is unsuccessful) can help you figure out what future protections to put in place.

Brute Force Attack Prevention: How SaaS Alerts Help Protect Your Clients

Failed brute force attacks can cause a false sense of security for many MSPs. You see the failed attempt, you see that the hacker didn’t get in and you pump your fist a little. 

Mission accomplished: The login attempt failed. 

But these failures are actually important data points to track. Are those attack attempts all coming from one geographic region? Are they targeting the same account? Answering these questions can help you be more proactive in protecting your clients. 

SaaS Alerts can help monitor those patterns and implement protections. The SaaS Alerts platform allows you to: 

Ensure minimum password standards are met: Sometimes it’s like pulling teeth making clients follow your password rules. SaaS Alerts can alert you every time an end user tries to skirt the rules. You can restrict their access until they fix their password.

Collect robust activity logs to track patterns: If something happens within your client’s environment, we track it. You can later pull those logs, present them to your client and explain why added protections are necessary based on the data you collected.

Provide continuous monitoring and automated remediation: A human — even one who rarely sleeps — can’t possibly monitor every failed login attempt of every end-user account within every client’s environment. It’s too much. 

That’s what SaaS Alerts software was built for: continuous monitoring, plus automated remediation to handle account compromises even after office hours.

Ready to Get Started?

Differentiate your MSP while super charging your cybersecurity revenue and better protecting your customers from the ever-growing SaaS threat landscape.

Get Started

Request a Demo