InitialBP | 11 months ago

I'm a former red teamer. Credential spraying attacks are incredibly successful on a business that has at least a few hundred employees. Many employees not only aren't aware of why cybersecurity is important, but often go out of their way to avoid learning or implementing security best practices because they see it as an annoyance and a hindrance.

One of our most standard and most successful playbooks to find a foothold:

1. Pull employee names from LinkedIn

2. Find an example email for format (first.last@company.com)

3. Set up password spraying for a password like: Spring2025!

4. Leverage a tool like https://github.com/ustayready/CredKing to avoid IP blocking.

5. Get credentials and go from there...
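From the defender's side, the playbook above has a detectable shape: one or two guesses against many distinct accounts in a short window, so every account stays under its lockout threshold, and (because of tools like the one in step 4) the source IP changes from attempt to attempt, so per-IP rate limits never fire. The example below is added here and is not code from the original post or from any tool it mentions. It assumes a constructed, hypothetical auth-log line format (`timestamp RESULT user=... src=...`) and sample lines made up for the demonstration; it aggregates failures by distinct username per time window instead of per IP, and also flags accounts that succeeded shortly after a failure inside a spray window, which is the "get credentials and go from there" moment a responder most wants to see.

```python
"""Password-spray detection over authentication logs (added example).

Spraying hits MANY accounts with FEW attempts each, often from rotating IPs.
So instead of counting failures per account or per IP, count DISTINCT
usernames that fail inside a fixed time window, and require that each of
those accounts failed only a small number of times.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical log format, constructed for this example (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample data: ten different accounts, one failure each, from ten
# different source addresses in half a minute (a spray), with one account
# then logging in successfully; later, one user fumbling their own password.
SAMPLE_LOG = """\
2025-03-31T09:00:01Z FAIL user=alice.smith src=203.0.113.10
2025-03-31T09:00:04Z FAIL user=bob.jones src=203.0.113.11
2025-03-31T09:00:07Z FAIL user=carol.white src=203.0.113.12
2025-03-31T09:00:10Z FAIL user=dan.brown src=203.0.113.13
2025-03-31T09:00:13Z FAIL user=erin.davis src=203.0.113.14
2025-03-31T09:00:16Z FAIL user=frank.miller src=203.0.113.15
2025-03-31T09:00:19Z FAIL user=grace.wilson src=203.0.113.16
2025-03-31T09:00:22Z FAIL user=henry.moore src=203.0.113.17
2025-03-31T09:00:25Z FAIL user=irene.taylor src=203.0.113.18
2025-03-31T09:00:28Z FAIL user=jack.anderson src=203.0.113.19
2025-03-31T09:00:31Z OK user=carol.white src=203.0.113.12
2025-03-31T10:30:00Z FAIL user=dan.brown src=198.51.100.7
2025-03-31T10:30:20Z FAIL user=dan.brown src=198.51.100.7
2025-03-31T10:30:40Z FAIL user=dan.brown src=198.51.100.7
2025-03-31T10:31:05Z OK user=dan.brown src=198.51.100.7
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"].lower(), "ip": m["ip"]}


def parse_log(text):
    """Parse a whole log text, silently skipping unparseable lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_spray(events, window_minutes=10, min_users=8, max_per_user=2):
    """Return one alert per fixed window in which at least `min_users` distinct
    accounts failed, each at most `max_per_user` times. Source IPs are reported
    but deliberately NOT used as the grouping key, so IP rotation does not help."""
    buckets = defaultdict(lambda: {
        "fails": defaultdict(int),   # user -> failure count in this window
        "first_fail": {},            # user -> time of first failure
        "ips": set(),                # distinct source addresses seen failing
        "ok_after_fail": set(),      # users who logged in after failing here
    })
    for e in sorted(events, key=lambda e: e["ts"]):
        epoch_min = int(e["ts"].timestamp() // 60)
        start = epoch_min - epoch_min % window_minutes  # align to window boundary
        b = buckets[start]
        if e["result"] == "FAIL":
            b["fails"][e["user"]] += 1
            b["first_fail"].setdefault(e["user"], e["ts"])
            b["ips"].add(e["ip"])
        elif e["user"] in b["first_fail"] and e["ts"] > b["first_fail"][e["user"]]:
            b["ok_after_fail"].add(e["user"])

    alerts = []
    for start, b in sorted(buckets.items()):
        low_count = {u for u, n in b["fails"].items() if n <= max_per_user}
        if len(low_count) < min_users:
            continue  # either quiet, or one account failing many times (not a spray)
        alerts.append({
            "window_start": datetime.fromtimestamp(start * 60, tz=timezone.utc).isoformat(),
            "distinct_users": len(low_count),
            "distinct_sources": len(b["ips"]),
            "max_failures_per_user": max(b["fails"].values()),
            # Accounts that were sprayed and then authenticated: triage these first.
            "likely_compromised": sorted(low_count & b["ok_after_fail"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds (`min_users`, `max_per_user`, window size) are the tuning knobs: lower them for a small tenant, raise them for a large one, and baseline against normal Monday-morning failure rates before alerting. Note that the 10:30 window, where one user fails three times from one address, is correctly ignored: that is a forgotten password, not a spray, and a per-account lockout rule is the right control for it, not this detector.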

arcbyte | 11 months ago

It seems like all the corporations that still ignore NIST best practices and require password changes every 60 days make this kind of attack much more likely to succeed.

GoblinSlayer | 11 months ago

I personally don't find password counting detrimental. What's detrimental is an SSO system that conflates the local access password with the remote access password and then often asks for this password. Or has some kind of a dumb rule like "lock the machine after 10 minutes of inactivity and ask for the remote password to be typed right on the keyboard".

ptsneves | 11 months ago

I haven't been in a single company that does not force the rotation of passwords. I worked in 4 different F500 companies.

mr_mitm | 11 months ago

I agree that this recommendation is in general counterproductive, but the correct solution here is for the corporation to require 2FA for all logins on the internet. There will always be users who choose bad passwords.

g-b-r | 11 months ago

If that's really the case, it seems less bad to have the company provide unchangeable passwords... (if they're unable to switch to safer solutions)