What is Password Spraying?
Password spraying is a type of brute-force credential attack in which an attacker tries a small number of commonly used passwords (like 'Password123', 'Summer2024!', or 'Company1!') against a large number of accounts, one password per account per round. Unlike a traditional brute-force attack, which tries many passwords against one account and quickly triggers a lockout, password spraying distributes the attempts across many accounts so that each account stays under the lockout threshold.
How Password Spraying Works
The attacker first collects a list of valid usernames or email addresses - often through OSINT, LinkedIn scraping, or data breaches. They then try one common password against every account on the list, wait long enough for the lockout observation window to reset, and repeat with the next password. Because most organizations have at least a few employees using weak or predictable passwords, even a small spray often yields results.
Why Password Spraying is a Human Risk Problem
Password spraying succeeds because of human behavior - employees choosing weak passwords, reusing passwords across services, or following predictable patterns (season + year + special character). Technical controls like MFA significantly reduce the risk, but the root vulnerability is the human decision to use a guessable password. Organizations that monitor employee credential exposure through OSINT can identify which employees have leaked or weak credentials before attackers exploit them.
Password Spraying vs. Credential Stuffing
| Attack Type | Method | Password Source |
|---|---|---|
| Password Spraying | Tries common passwords against many accounts | Generic common passwords |
| Credential Stuffing | Tries known username/password pairs | Leaked credentials from data breaches |
| Brute Force | Tries many passwords against one account | Wordlists or automatically generated candidates |
How to Protect Against Password Spraying
- Enforce strong password policies that block common and leaked passwords
- Require multi-factor authentication across all accounts and all authentication paths, and disable legacy protocols that cannot enforce it
- Monitor for employee credentials exposed in data breaches and dark web marketplaces
- Implement smart lockout policies and detection logic that recognize distributed spray patterns (one source failing against many accounts, or many accounts each failing once within a short window) rather than only per-account failure counts
- Train employees on password hygiene as part of security awareness programs
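The list above asks for detection of distributed spray patterns rather than per-account counters. The script below is an added example (not code from the original page or from any vendor) of what that logic looks like over authentication logs: it groups failed logins by source IP in a sliding window, flags a source that has failed against many distinct accounts while keeping every individual account below the lockout threshold, and reports any successful login from that source in the same window. The log lines are constructed, and the field layout (timestamp, source IP, username, result) is an assumption to adjust for your identity provider's format.

```python
"""Flag a distributed password spray in authentication logs.

Added example; the log lines below are constructed, and the space-separated
field layout is an assumed format, not any real IdP's export.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-06-03T09:00:05Z 203.0.113.7 alice FAILURE
2024-06-03T09:00:09Z 203.0.113.7 bob FAILURE
2024-06-03T09:00:14Z 203.0.113.7 carol FAILURE
2024-06-03T09:00:21Z 203.0.113.7 dave FAILURE
2024-06-03T09:00:27Z 203.0.113.7 erin FAILURE
2024-06-03T09:00:33Z 203.0.113.7 frank FAILURE
2024-06-03T09:00:40Z 203.0.113.7 grace FAILURE
2024-06-03T09:00:46Z 203.0.113.7 heidi SUCCESS
2024-06-03T09:00:52Z 203.0.113.7 ivan FAILURE
2024-06-03T09:00:58Z 203.0.113.7 judy FAILURE
2024-06-03T09:03:00Z 198.51.100.5 carol FAILURE
2024-06-03T09:03:20Z 198.51.100.5 carol FAILURE
2024-06-03T09:03:40Z 198.51.100.5 carol SUCCESS
2024-06-03T09:05:00Z 192.0.2.44 mallory SUCCESS
"""


def parse(log_text):
    """Parse 'timestamp source_ip username RESULT' lines into sorted tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=60),
                 min_distinct_users=8, lockout_threshold=5):
    """Return {source_ip: details} for sources whose failures inside `window`
    touch at least `min_distinct_users` accounts while no single account
    reaches `lockout_threshold` failures (the signature a per-account
    lockout policy never sees)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        recent = deque()  # (timestamp, user) of failures in the sliding window
        for ts, _, user, result in evs:
            if result != "FAILURE":
                continue
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            per_user = Counter(u for _, u in recent)
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) < lockout_threshold):
                # A success from the same source in the window is the
                # account the spray actually landed on.
                successes = sorted({u for t, _, u, r in evs
                                    if r == "SUCCESS" and abs(t - ts) <= window})
                findings[ip] = {
                    "distinct_users": len(per_user),
                    "max_failures_per_user": max(per_user.values()),
                    "successes_in_window": successes,
                }
    return findings


if __name__ == "__main__":
    for ip, details in detect_spray(parse(SAMPLE_LOG)).items():
        print(ip, details)
```

Keying on source IP catches the simple case; attackers who rotate through proxy pools will stay under any per-IP threshold, so the same window logic should also be run tenant-wide (many accounts each failing exactly once in a short period) and on other stable attributes such as user agent.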
Frequently Asked Questions
How effective is password spraying?
Effective enough to be a routine first step for attackers. Commonly cited success rates are 0.1% to 1% of the accounts targeted, so a spray of 20 common passwords against a 10,000-account list can be expected to yield roughly 10 to 100 valid credentials. Because each account sees only a handful of attempts spread over days, the attack is slow and produces little of the signal that single-account brute force does, making it a favorite of patient attackers.
Why don't account lockout policies stop password spraying?
Password spraying distributes attempts across many accounts instead of targeting one. Traditional lockout policies (for example, 5 failed attempts within 30 minutes = lockout) work against single-account brute force, but a spray that paces its rounds to the observation window never gives any single account enough failures to trip the counter. Effective defense requires detecting the pattern across many accounts rather than counting failures per account.
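The mechanics described in "How Password Spraying Works" and the reason lockout does not help, as an added example rather than code from the original page: a small mock directory enforcing a sliding-window lockout, a single-account brute force that locks out on its fifth attempt, and a spray of the same password list across 100 accounts run twice, once with rounds paced to the lockout window and once back to back. The accounts, their passwords and the policy numbers are constructed for illustration.

```python
"""Why a per-account lockout stops brute force but not a paced spray.

Added example; the user population, passwords and lockout policy are
constructed, not taken from any real environment.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 5        # failures inside the window that trigger lockout
    window: int = 30 * 60     # observation window, seconds
    duration: int = 30 * 60   # how long the account stays locked, seconds


@dataclass
class Account:
    password: str
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: int = 0


class MockDirectory:
    """Minimal authentication backend with a sliding-window lockout counter."""

    def __init__(self, passwords, policy):
        self.policy = policy
        self.accounts = {u: Account(p) for u, p in passwords.items()}
        self.lockouts = 0  # how many lockout events the defender would see

    def authenticate(self, user, password, now):
        acct = self.accounts[user]
        if now < acct.locked_until:
            return "locked"
        # Failures older than the observation window no longer count.
        while acct.failures and now - acct.failures[0] > self.policy.window:
            acct.failures.popleft()
        if password == acct.password:
            acct.failures.clear()
            return "success"
        acct.failures.append(now)
        if len(acct.failures) >= self.policy.threshold:
            acct.locked_until = now + self.policy.duration
            acct.failures.clear()
            self.lockouts += 1
            return "locked"
        return "failure"


# Constructed population: 100 users, three of whom chose sprayable passwords.
USERS = {f"user{i:03d}": f"unguessable-{i}" for i in range(100)}
USERS.update({"user007": "Summer2024!", "user042": "Password123", "user099": "Company1!"})
SPRAY_LIST = ["Password123", "Summer2024!", "Company1!", "Welcome1",
              "Spring2024!", "Winter2023!", "Qwerty123!"]


def brute_force_one(user, candidates, policy):
    """Every candidate against one account, one second apart.
    Returns (attempts answered 'locked', lockout events)."""
    d = MockDirectory(USERS, policy)
    results = [d.authenticate(user, c, now=i) for i, c in enumerate(candidates)]
    return results.count("locked"), d.lockouts


def spray(candidates, policy, round_gap):
    """One password against every account per round, rounds `round_gap`
    seconds apart. Returns ({user: password found}, lockout events)."""
    d = MockDirectory(USERS, policy)
    found = {}
    for r, pw in enumerate(candidates):
        now = r * round_gap
        for u in d.accounts:
            if u in found:
                continue  # no need to keep hitting an account already cracked
            if d.authenticate(u, pw, now) == "success":
                found[u] = pw
    return found, d.lockouts


if __name__ == "__main__":
    policy = LockoutPolicy()
    print("brute force (locked answers, lockouts):", brute_force_one("user001", SPRAY_LIST, policy))
    print("paced spray   :", spray(SPRAY_LIST, policy, round_gap=policy.window + 1))
    print("unpaced spray :", spray(SPRAY_LIST, policy, round_gap=1))
```

With a 5-failure / 30-minute policy the brute force is locked out on its fifth guess, the unpaced spray cracks the same three accounts but locks out the other 97 (loud, and the kind of event a SOC notices), and the spray paced to just over the observation window cracks all three with zero lockouts. The difference between the last two runs is only timing, which is why the defense has to look at failures across accounts, not per account.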
What are the most commonly used passwords in sprays?
Commonly sprayed passwords include: 'Password123!', 'Spring2024!', 'Company1!', seasonal + year combinations, and names related to the company or industry. Attackers also use credentials from previous breaches. Organizations should prevent employees from using passwords found in breach databases.
How does MFA protect against password spraying?
If the password spraying attack guesses a password, MFA still blocks the login: the attacker holds a valid credential but cannot complete authentication without the second factor. That only holds where MFA is actually enforced on every authentication path, so legacy protocols such as IMAP or SMTP basic authentication that never prompt for a second factor must be disabled, and a correctly guessed password should still be treated as compromised and reset, since the attacker can keep using it for MFA prompt-bombing or phishing attempts. This is why organizations pair strong password policies with mandatory MFA for all accounts.