Password Spraying
Password spraying is an attack technique that involves trying a small number of common passwords against many accounts. Unlike brute force (many passwords against one account), spraying avoids lockouts and is harder to detect.
What is Password Spraying?
Password Spraying Definition
Password spraying is a type of authentication attack in which an attacker tries a small set of commonly used passwords (e.g., “Password123”, “Company2024”) against many user accounts. The technique avoids account lockout mechanisms because no single account receives enough failed attempts to trip the lockout threshold.
Password Spraying vs Brute Force
| Aspect | Brute Force | Password Spraying |
|---|---|---|
| Approach | Many passwords, one account | One password, many accounts |
| Speed | Fast | Slow (spread over time) |
| Lockout | Triggers lockouts | Avoids lockouts |
| Detection | Easy | Harder |
How Password Spraying Works
- Reconnaissance: Collecting usernames (OSINT, LinkedIn, email enumeration)
- Password selection: Choosing a few passwords likely to be in use at the target organization
- Attack: Trying a single password across all collected accounts
- Waiting: Pausing between rounds (e.g., 30 minutes)
- Next iteration: Trying the next password against all accounts
- Success: Obtaining valid credentials for one or more accounts
Commonly Tested Passwords
- Season+Year (Summer2024, Winter2024)
- Company+number (Acme123, Acme2024)
- Standard (Password1, Welcome1)
- Keyboard patterns (Qwerty123)
- Monthly patterns (January2024!)
Password Spraying Targets
- Microsoft 365/Azure AD: Most common target
- VPN portals: Remote access
- OWA (Outlook Web Access): Email access
- Citrix, RDP: Remote sessions
- SSO portals: Identity systems
Password Spraying Detection
Indicators:
- Many failed logins from a single IP address
- Login attempts against many different accounts in a short time
- Unusual login times or locations
- Pattern: attempts spread thinly across many accounts rather than concentrated on one
Tools:
- Azure AD Identity Protection
- SIEM correlation rules
- Failed authentication monitoring
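The indicators above map directly onto a SIEM correlation rule: one source IP, failures against many distinct accounts in a window, and only one or two failures per account (the "low and wide" shape that distinguishes spraying from brute force). The following is an added example, not code from the original page; it assumes a simplified, constructed log format of `<timestamp> <user> <FAIL|SUCCESS> <source_ip>` and also reports any success from the same IP after the spray started, since that is the account most likely compromised.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data): 203.0.113.7 sprays one password across
# several accounts and hits one; 198.51.100.9 brute-forces a single account; 192.0.2.44 is a lone typo.
SAMPLE_LOG = """\
2024-03-04T09:00:01 alice FAIL 203.0.113.7
2024-03-04T09:00:05 bob FAIL 203.0.113.7
2024-03-04T09:00:09 carol FAIL 203.0.113.7
2024-03-04T09:00:14 dave FAIL 203.0.113.7
2024-03-04T09:00:20 erin SUCCESS 203.0.113.7
2024-03-04T09:01:00 frank FAIL 198.51.100.9
2024-03-04T09:01:05 frank FAIL 198.51.100.9
2024-03-04T09:01:10 frank FAIL 198.51.100.9
2024-03-04T09:01:15 frank FAIL 198.51.100.9
2024-03-04T12:00:00 grace FAIL 192.0.2.44
"""

def parse(log_text):
    """Turn the constructed log lines into (timestamp, user, result, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_accounts=4, max_per_account=2):
    """Return {ip: {"accounts": [...], "successes": [...]}} for source IPs whose failures touch
    at least min_accounts distinct users inside `window` while no single user fails more than
    max_per_account times. A SUCCESS from that IP after the spray began is flagged as well."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, user, result, ip in events:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):      # slide the window over each failure
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                later = [u for ts, u in successes.get(ip, []) if ts >= start]
                alerts[ip] = {"accounts": sorted(per_user), "successes": sorted(set(later))}
                break
    return alerts
```

Running `detect_spray(parse(SAMPLE_LOG))` flags only 203.0.113.7; the single-account brute force against frank and the isolated failure from grace do not match the spray shape.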
Defense Against Password Spraying
Technical:
- MFA (most effective)
- Passwordless authentication
- Smart lockout policies
- IP reputation blocking
- Conditional access policies
Organizational:
- Password policies (common password blocklists)
- User education
- Password manager usage
Password Spraying and MFA
MFA drastically reduces password spraying effectiveness:
- Even a correctly guessed password is not enough on its own
- The attacker still needs the second factor
- However, MFA fatigue attacks exist, so MFA is not a complete defense
Password spraying is one of the most common initial access techniques, making MFA an essential protection.