Password spraying is a brute force attack that tries a few commonly used passwords against many accounts simultaneously, avoiding account lockouts while maximizing compromise probability.
Password spraying is a credential attack technique in which adversaries try a small number of commonly used passwords against many user accounts at once. Unlike traditional brute force, which tries many passwords against one account and triggers lockouts, spraying tries one or two passwords across hundreds or thousands of accounts, staying under per-account lockout thresholds and drawing less attention.
Password spraying uses common passwords (like 'Summer2024!' or 'Company123') against a target organization's accounts. Credential stuffing uses username/password pairs stolen from other breached services, exploiting password reuse. Both target many accounts but spraying uses guessed passwords while stuffing uses known leaked credentials.
Despite awareness campaigns, many users still choose predictable passwords following patterns like Season+Year+Symbol, CompanyName+Numbers, or common dictionary words. In large organizations, even a 1 percent success rate across thousands of accounts yields multiple compromised credentials, providing initial access for further exploitation.
Attackers first enumerate valid usernames through directory harvesting, LinkedIn scraping, email format guessing, or Azure AD enumeration. They then spray common passwords with time delays between attempts to stay below lockout thresholds. Common targets include OWA, VPN portals, Azure AD, ADFS, and other authentication endpoints.
Detection relies on monitoring for several signatures: failed authentication attempts spread across many accounts from a single source IP or a small set of them, failures using the same password across multiple accounts, unusual login timing patterns, and geographically impossible login sequences. Because a spray is often aimed at several authentication endpoints at once, correlating events across authentication systems is essential.
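As an added example (not part of the original page), a minimal Python detector for the first signature above, failures across many distinct accounts from one source, run over constructed sample log lines; the log format, thresholds and addresses are assumptions. It distinguishes the spray shape (many accounts, one or two tries each) from single-account brute force, and lists any account that then logged in successfully from the spraying address, which is the first thing to triage.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data), one event per line:
# "<UTC timestamp> <source IP> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-01T02:00:01Z 198.51.100.7 alice FAIL
2024-03-01T02:00:04Z 198.51.100.7 bob FAIL
2024-03-01T02:00:09Z 198.51.100.7 carol FAIL
2024-03-01T02:00:15Z 198.51.100.7 dave FAIL
2024-03-01T02:00:22Z 198.51.100.7 erin FAIL
2024-03-01T02:00:30Z 198.51.100.7 frank SUCCESS
2024-03-01T02:01:00Z 203.0.113.5 alice FAIL
2024-03-01T02:01:03Z 203.0.113.5 alice FAIL
2024-03-01T02:01:06Z 203.0.113.5 alice FAIL
2024-03-01T02:01:09Z 203.0.113.5 alice FAIL
2024-03-01T02:01:12Z 203.0.113.5 alice FAIL
2024-03-01T09:15:00Z 192.0.2.44 grace FAIL
2024-03-01T09:15:20Z 192.0.2.44 grace SUCCESS
"""

def parse_log(text):
    """Parse the constructed format into time-sorted (time, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2.0):
    """Flag IPs whose failures hit >= min_accounts distinct accounts inside `window` with few
    tries per account (spray shape; single-account brute force stays below min_accounts)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, attempts in fails.items():
        start = 0  # sliding window over this IP's failures, already time-sorted
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {u for _, u in span}
            if len(accounts) >= min_accounts and len(span) / len(accounts) <= max_per_account:
                w_start, w_end = span[0][0], span[-1][0] + window
                # A success from a spraying IP shortly after the burst is the account to triage first
                hits = sorted({u for t, u in successes[ip] if w_start <= t <= w_end})
                alerts[ip] = {"accounts": len(accounts), "successes": hits}
    return alerts
```

A spray spread across many source addresses stays under a per-IP threshold, so the same window logic is also worth running with all sources pooled together.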
Defenses include enforcing MFA on all external-facing authentication, implementing password policies banning common passwords and organizational terms, using Azure AD Password Protection or similar tools, deploying intelligent account lockout that detects spraying patterns, monitoring authentication logs for spray signatures, and implementing CAPTCHA on login pages.
Penetration testers perform controlled password spraying to validate password policy effectiveness and MFA enforcement. Testing identifies accounts with weak passwords, services lacking MFA, and gaps in authentication monitoring. Results demonstrate the real-world risk of password policy weaknesses and justify MFA deployment investments.
Common spray passwords include seasonal patterns (Winter2024!, Fall2023!), organizational variations (CompanyName1!, Company2024), simple patterns (Password1!, Welcome1!, Qwerty123!), and regional or cultural common passwords. Attackers research target organizations for likely password patterns based on industry, location, and known password policies.