Password Spraying

Password Spraying is an attack technique in which an attacker tries a small number of commonly used passwords against many user accounts, avoiding account lockouts while maximizing the chance of finding valid credentials.

How It Works

Instead of trying many passwords against one account (which triggers lockouts), the attacker tries one password against every account, then waits before trying the next password. Because each account sees only one failure per round, the attempts stay under lockout thresholds.

Attack Pattern

# Traditional brute force (triggers lockouts)
user1: password1, password2, password3, password4, password5 → LOCKED
user2: ...

# Password spraying (avoids lockouts)
Round 1: All users try "Password1"
(Wait 30 minutes)
Round 2: All users try "Winter2024"
(Wait 30 minutes)
Round 3: All users try "Company123"

Common Spray Passwords

  • Password1, Password123
  • Welcome1, Welcome123
  • Season + Year: Summer2024, Winter2024!
  • Company name + numbers
  • Qwerty123, Letmein1
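The defensive counterpart of this list is a banned-password filter that rejects these patterns at password-set time. The check below is an added example, not part of the original page: it normalizes a candidate password (lower-case, strip leading and trailing digits and punctuation, undo common leet substitutions) and compares the remaining base word against constructed blocklists. The base words and the "examplecorp" company token are assumptions standing in for an organisation's own list.

```python
import re

# Constructed blocklist for this example (assumption), built from the patterns listed above.
BANNED_BASES = {"password", "welcome", "qwerty", "letmein"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
# Placeholder organisation name; a real deployment would add its own name, brands and products.
COMPANY_TOKENS = {"examplecorp"}

# Common leet substitutions undone before the comparison: "P@ssw0rd" -> "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def base_word(password: str) -> str:
    """Reduce a password to the dictionary word a sprayer padded: 'Winter2024!' -> 'winter'."""
    lowered = password.lower()
    # Drop trailing digits/punctuation ("2024!", "123", "1") ...
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    # ... and leading ones ("!Welcome1" -> "welcome").
    stripped = re.sub(r"^[\d\W_]+", "", stripped)
    # Only now undo leet, so that year suffixes were already removed and are not mangled.
    return stripped.translate(LEET_MAP)


def spray_risk(password: str):
    """Return the reason a password would be rejected, or None if it passes this filter."""
    base = base_word(password)
    if not base:
        return "no alphabetic base word"      # e.g. "123456" or "!!!!"
    if base in BANNED_BASES:
        return "banned base word"
    if base in SEASONS:
        return "season + year pattern"
    if base in COMPANY_TOKENS:
        return "company name pattern"
    return None


if __name__ == "__main__":
    for candidate in ["Winter2024!", "P@ssw0rd1", "ExampleCorp123",
                      "Summ3r2024", "correct-horse-battery-staple"]:
        print(f"{candidate:30} -> {spray_risk(candidate)}")
```

The order of the normalization steps matters: stripping the trailing year before applying the leet map keeps "2024" from being rewritten into letters, which would otherwise hide the season word from the comparison.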

Target Environments

  • Corporate Active Directory / Azure AD
  • Web application login portals
  • VPN gateways
  • Email services (OWA, O365)

Detection & Prevention

  • Monitor for distributed login failures
  • Implement progressive delays
  • Require MFA
  • Enforce strong password policies
  • Block commonly used passwords
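The first bullet, monitoring for distributed login failures, can be made concrete as a detection rule. The code below is an added example, not from the original page: it parses constructed authentication log lines (the line format, the thresholds and the RFC 5737 documentation addresses are all assumptions) and, per source address, looks for the spray signature inside a sliding window: many distinct accounts failing, but each account failing only a few times. The same pass also labels the opposite shape, many failures against one account, as brute force, and it lists successful logins from a source already flagged, which is the event a defender most wants to see.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption); the key=value format is invented for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z result=FAIL user=alice src=203.0.113.10
2024-03-01T09:00:03Z result=FAIL user=bob src=203.0.113.10
2024-03-01T09:00:05Z result=FAIL user=carol src=203.0.113.10
2024-03-01T09:00:07Z result=FAIL user=dave src=203.0.113.10
2024-03-01T09:00:09Z result=FAIL user=erin src=203.0.113.10
2024-03-01T09:00:11Z result=OK user=frank src=203.0.113.10
2024-03-01T09:01:00Z result=FAIL user=bob src=198.51.100.7
2024-03-01T09:01:02Z result=FAIL user=bob src=198.51.100.7
2024-03-01T09:01:04Z result=FAIL user=bob src=198.51.100.7
2024-03-01T09:01:06Z result=FAIL user=bob src=198.51.100.7
2024-03-01T09:01:08Z result=FAIL user=bob src=198.51.100.7
2024-03-01T09:01:10Z result=FAIL user=bob src=198.51.100.7
2024-03-01T09:02:00Z result=FAIL user=gina src=192.0.2.55
2024-03-01T10:30:00Z result=OK user=alice src=192.0.2.8
"""

LINE_RE = re.compile(r"^(\S+) result=(OK|FAIL) user=(\S+) src=(\S+)$")

# Tuning knobs (assumptions): a spray touches at least this many accounts within the
# window while staying at or below the per-account cap; a single account taking more than
# BRUTE_FORCE_MIN failures is classic brute force instead.
WINDOW = timedelta(minutes=60)
MIN_SPRAYED_USERS = 5
PER_USER_CAP = 3
BRUTE_FORCE_MIN = 6


def parse_events(text):
    """Turn log lines into (timestamp, result, user, src) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src))
    return events


def classify_sources(events):
    """Map each source address to 'spray' or 'brute_force' when its failures fit either shape."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        # Slide a window starting at each failure; stop at the first window that matches.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start > WINDOW:
                    break
                per_user[u] += 1
            busiest = max(per_user.values())
            if len(per_user) >= MIN_SPRAYED_USERS and busiest <= PER_USER_CAP:
                verdicts[src] = "spray"      # many accounts, few tries each
                break
            if busiest >= BRUTE_FORCE_MIN:
                verdicts[src] = "brute_force"  # one account, many tries
                break
    return verdicts


def successes_from_flagged_sources(events, verdicts):
    """Successful logins from a source that was flagged: the spray (or brute force) that landed."""
    return sorted({(user, src) for _, result, user, src in events
                   if result == "OK" and src in verdicts})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    v = classify_sources(evs)
    print(v)
    print(successes_from_flagged_sources(evs, v))
```

Keying on the source address is the simplest view and is what the sample data exercises. Sprayers who rotate through many addresses defeat it, so a production rule keeps a second aggregation over the whole tenant per time window (distinct failing accounts versus total failures, ignoring source) and alerts when the ratio approaches one failure per account across a large slice of the directory.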

See Also