Password Spraying
Definition
Password spraying is an attack where an attacker tries a small number of common passwords against many different accounts, instead of trying many passwords against one account. The goal is to find accounts that use weak or default passwords while avoiding account lockouts and detection.
Examples
- An attacker tries “Winter2026!” against thousands of corporate usernames over several hours to avoid lockout triggers.
- A cloud login portal sees one password attempted across many accounts from rotating IP addresses.
Discover 🔎
Password spraying succeeds because many environments still have a small number of weak passwords in use. Attackers know that account lockout policies are designed to stop brute force against a single account, so they change strategy: instead of hammering one user, they lightly test many users with a few highly likely passwords, staying under each account's lockout threshold.
Remember: Spraying is “one password, many accounts.” Brute force is “many passwords, one account.”