Password Spraying

Sec+ Glossary 📖 • Threats ⚠️ • Network Attacks 🎯 • Authentication & Authorization 🔐 • Difficulty: free

What is Password Spraying?

Password spraying is an attack where an attacker tries a small number of common passwords against many different accounts, instead of trying many passwords against one account. The goal is to find accounts that use weak or default passwords while avoiding account lockouts and detection.

Examples

  • An attacker tries “Winter2026!” against thousands of corporate usernames over several hours to avoid lockout triggers.
  • A cloud login portal sees one password attempted across many accounts from rotating IP addresses.

Discover 🔎

Password spraying succeeds because many environments still have a small number of weak passwords in use. Attackers know that account lockout policies are designed to stop brute force against a single account, so they change strategy: instead of hammering one user, they lightly test many users with a few highly likely passwords, keeping each account below its lockout threshold.

Remember: Spraying is “one password, many accounts.” Brute force is “many passwords, one account.”

Summary 📝

Password spraying is an attack that tests a small set of common passwords against many accounts to find weak credentials while avoiding lockouts. It can be difficult to spot on a per-user basis because each account sees few failures, so detection relies on cross-account patterns. Strong defenses include enforcing MFA, blocking common passwords, using conditional access, and monitoring authentication logs for spray behavior.
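The summary's point that detection relies on cross-account patterns rather than per-user failure counts can be shown directly. The script below is an added example, not part of the original glossary entry: it runs a simple spray detector over a constructed authentication log (the IP addresses, usernames and timestamps are made up for illustration). One source touches eight accounts with a single failure each, which no per-account lockout would catch, while a second source fails six times against one account, which lockout already handles. The detector groups failures by source within a one-hour window and flags any source that hits at least five distinct accounts; it also reports accounts that later authenticated successfully from the same source, since a success following a spray is the strongest sign a weak password was found.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the glossary page).
# Each line: ISO timestamp, source IP, username, outcome.
# 203.0.113.7  models a spray: eight accounts, one failure each over ~45 minutes,
#              then a success against one account that used a weak password.
# 198.51.100.20 models an ordinary typo: one user fails twice, then logs in.
# 192.0.2.9    models single-account brute force, which per-account lockout covers.
SAMPLE_LOG = """\
2026-01-12T08:00:01Z 203.0.113.7 alice FAIL
2026-01-12T08:06:12Z 203.0.113.7 bob FAIL
2026-01-12T08:10:00Z 198.51.100.20 carol FAIL
2026-01-12T08:10:20Z 198.51.100.20 carol FAIL
2026-01-12T08:10:45Z 198.51.100.20 carol SUCCESS
2026-01-12T08:12:45Z 203.0.113.7 carol FAIL
2026-01-12T08:19:03Z 203.0.113.7 dave FAIL
2026-01-12T08:25:30Z 203.0.113.7 erin FAIL
2026-01-12T08:31:58Z 203.0.113.7 frank FAIL
2026-01-12T08:38:20Z 203.0.113.7 grace FAIL
2026-01-12T08:44:41Z 203.0.113.7 heidi FAIL
2026-01-12T08:50:05Z 203.0.113.7 heidi SUCCESS
2026-01-12T09:00:00Z 192.0.2.9 dave FAIL
2026-01-12T09:00:05Z 192.0.2.9 dave FAIL
2026-01-12T09:00:10Z 192.0.2.9 dave FAIL
2026-01-12T09:00:15Z 192.0.2.9 dave FAIL
2026-01-12T09:00:20Z 192.0.2.9 dave FAIL
2026-01-12T09:00:25Z 192.0.2.9 dave FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_spray(log_text, window=timedelta(hours=1), min_accounts=5):
    """Return {source_ip: summary} for every source whose failed logins inside
    some `window`-long span hit at least `min_accounts` distinct accounts.

    Per-account counters stay tiny during a spray, so lockout never trips;
    the breadth across accounts from one source is the detectable signal.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    fails = defaultdict(list)      # ip -> [(timestamp, user), ...] in time order
    successes = defaultdict(set)   # ip -> {user, ...}
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            fails[ip].append((ts, user))
        elif outcome == "SUCCESS":
            successes[ip].add(user)

    findings = {}
    for ip, entries in fails.items():
        start = 0
        for end in range(len(entries)):
            # Slide the window start forward until entries[start:end+1] fits in `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in entries[start:end + 1]:
                per_user[user] += 1
            # Keep the widest window seen for this source.
            if len(per_user) >= min_accounts and (
                ip not in findings or len(per_user) > len(findings[ip]["accounts"])
            ):
                findings[ip] = {
                    "accounts": sorted(per_user),
                    "max_failures_per_account": max(per_user.values()),
                    "window_start": entries[start][0],
                    "window_end": entries[end][0],
                    # A success from the same source against a sprayed account
                    # means the spray found a weak password.
                    "compromised": sorted(successes[ip] & set(per_user)),
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_LOG).items():
        print(f"{ip}: {len(f['accounts'])} accounts, "
              f"max {f['max_failures_per_account']} failure(s) each, "
              f"{f['window_start']:%H:%M}-{f['window_end']:%H:%M}, "
              f"compromised={f['compromised']}")
```

The thresholds are deliberately simple; in production the same logic would key on whatever the identity provider exposes (source IP, ASN, user agent, or a tenant-wide view across IPs, since sprays often rotate addresses as the second example above notes), and the "compromised" list is what should drive an immediate password reset and session revocation.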
