What is Password Spraying?
Password spraying tests common passwords across many accounts to avoid lockouts. Learn how it works, why MFA stops it, and what PE due diligence should assess.
How Password Spraying Works
Password spraying attacks are designed around a specific constraint of enterprise security: most organizations lock accounts after a defined number of failed login attempts — typically 5-10 within a short window. This lockout policy, designed to prevent brute force attacks, creates an exploitable opportunity for a different attack. By trying only one or two passwords per account across many accounts, the attacker stays below the lockout threshold on every account while systematically testing the entire organization's authentication surface.
The mechanics are straightforward. The attacker obtains a list of valid usernames for the target organization — often trivially available from LinkedIn, company directories, or email format conventions (first.last@company.com). They select one or two candidate passwords — typically seasonal patterns like 'Winter2026!', 'Company2026', 'Welcome1', or the company name combined with a year and special character. They attempt authentication with each username using the candidate password, spacing requests to avoid detection by rate limiting or anomaly detection systems. They move on to a new candidate password and repeat.
The technique is remarkably effective because it exploits two genuine human behaviors: people choose predictable passwords that meet complexity requirements, and many people use the same password patterns across their accounts. In any large organization, some percentage of employees will have chosen 'Summer2026!' or 'CompanyName1!' as their current password. The question is not whether the password exists in the user population — it is how quickly the attacker finds who uses it.
Why Standard Defenses Miss Password Spraying
Account lockout policies do not stop password spraying — the technique is specifically designed to stay under them. Perimeter defenses do not see the attack until authentication is attempted. Traditional failed login monitoring focuses on repeated failures against a single account — password spraying generates only one or two failures per account, which is below detection thresholds designed to catch brute force attacks.
Detecting password spraying requires behavioral analytics that look across accounts rather than per-account: an unusual number of authentication attempts across many accounts within a time window, authentication attempts using a small number of passwords across the user population, authentication from unusual source addresses or geographies affecting multiple accounts simultaneously. These cross-account patterns are invisible to per-account monitoring and require SIEM or identity analytics tooling to detect.
Defending Against Password Spraying
Multi-factor authentication is the most effective technical control against password spraying. An attacker who discovers a valid username-password combination through password spraying cannot complete authentication without the second factor. MFA does not prevent the credential discovery — the attacker now knows a valid password — but it prevents the credential from being usable for account compromise.
Banned password lists that prohibit the most commonly used passwords — including seasonal patterns, company name combinations, and the top 100 most commonly sprayed passwords — directly reduce the attack's success rate. Microsoft Entra ID, Okta, and other identity providers support banned password lists that can be configured to reject these predictable patterns at the point of password creation.
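An added example of the kind of banned-password check described above, applied when a password is created; it is not the article's code and not any identity provider's implementation. The normalization rules, the seasonal word list and the short "commonly sprayed" list are this example's own assumptions, and the company name is a constructed value.

```python
# Added example (not from the original article): a banned-password check of the
# kind the article describes, run at password-creation time. The pattern set and
# normalization below are this example's assumptions, not a vendor's rules.
import re

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
# Constructed stand-in for a maintained "most commonly sprayed" list.
COMMON_SPRAYED = {"password", "welcome", "letmein", "qwerty", "changeme"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(pw):
    """Lowercase, drop the leading/trailing digit-and-symbol runs that carry
    the year and the mandatory special character, undo common substitutions,
    then keep letters only, so 'W1nter2026!' compares equal to 'winter'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))

def is_banned(pw, company_name, org_terms=()):
    """Return a reason string if `pw` matches a predictable pattern, else None.
    Checks, in order: commonly sprayed words, seasonal base words, and the
    company name or other organization terms (four letters or longer)."""
    core = normalize(pw)
    if not core:
        return "no alphabetic content"
    if core in COMMON_SPRAYED:
        return "on commonly sprayed list"
    if core in SEASONS:
        return f"seasonal pattern ({core})"
    for term in (company_name, *org_terms):
        t = normalize(term)
        if len(t) >= 4 and t in core:
            return f"contains organization term '{term}'"
    return None

if __name__ == "__main__":
    for candidate in ("Winter2026!", "Acme2026!", "P@ssw0rd1", "xK9#qL2$mT"):
        print(candidate, "->", is_banned(candidate, "Acme"))
```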
Identity threat detection tools that analyze authentication patterns across the user population — flagging unusual numbers of failed authentications spread across many accounts within a time window — are the detection control that catches password spraying in progress. These tools are typically delivered as part of identity security platforms or SIEM with appropriate correlation rules.
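The cross-account detection logic described in the two passages above, as an added example run over constructed authentication log lines; it is not the article's code and not a product's correlation rule. The log line format, the window size and the thresholds are assumptions chosen for the example.

```python
# Added example (not from the original article): a minimal cross-account
# password-spray detector run over constructed authentication log lines.
# Line format is an assumption for this example, not a vendor format:
#   "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 fails once per account across many accounts
# (the spray shape); grace mistypes her own password three times (not a spray).
SAMPLE_LOG = """\
2026-01-12T08:00:01 FAIL user=alice src=203.0.113.10
2026-01-12T08:00:09 FAIL user=bob src=203.0.113.10
2026-01-12T08:00:17 FAIL user=carol src=203.0.113.10
2026-01-12T08:00:25 FAIL user=dave src=203.0.113.10
2026-01-12T08:00:33 FAIL user=erin src=203.0.113.10
2026-01-12T08:00:41 SUCCESS user=frank src=203.0.113.10
2026-01-12T08:01:00 FAIL user=grace src=198.51.100.7
2026-01-12T08:01:05 FAIL user=grace src=198.51.100.7
2026-01-12T08:01:11 FAIL user=grace src=198.51.100.7
"""

def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user[5:], src[4:]

def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_fails_per_account=2):
    """Flag each source IP whose failures inside one `window` touch at least
    `min_accounts` distinct users while no single user fails more than
    `max_fails_per_account` times (the below-lockout shape per-account
    monitoring misses). Successes from a flagged source are reported too."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in events:
        (fails if result == "FAIL" else successes)[src].append((ts, user))
    alerts = {}
    for src, fl in fails.items():
        for i, (start, _) in enumerate(fl):      # slide the window over failures
            per_user = defaultdict(int)
            for ts, user in fl[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_fails_per_account):
                alerts[src] = {"accounts": sorted(per_user),
                               "successes": sorted(u for _, u in successes[src])}
                break
    return alerts
```

A success from a source already flagged for spraying (frank above) is the event to escalate first, since it is the discovered-credential case MFA is meant to neutralize.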
Password Spraying in PE Due Diligence
For PE due diligence, password spraying exposure is assessed through identity security posture: Is MFA deployed universally? Are banned password lists configured? Is there monitoring for cross-account authentication anomalies? Organizations without universal MFA and banned password configuration have an authentication surface that is systematically testable by password spraying — and the attack will find valid credentials in any organization with more than a few hundred accounts.
Related Reading
SolarWinds: Password Spraying as Initial Reconnaissance
Post-incident analysis of the SolarWinds breach found evidence that attackers had conducted password spraying against SolarWinds infrastructure before deploying the Sunburst backdoor. The password spraying was reconnaissance — probing the authentication surface to identify usable credentials that could be used to access development systems and understand the build environment. The SolarWinds case illustrates how password spraying fits into sophisticated attack chains: it is not always the direct access vector, but it provides credential intelligence that supports later stages of an attack. Organizations with universal MFA close this reconnaissance avenue because discovered credentials cannot be used for access regardless of password validity.
enterprise accounts are estimated to be vulnerable to password spraying at any given time due to predictable password patterns, according to Microsoft Entra ID telemetry analysis. In an organization with 500 employees, that means approximately 100 accounts are discoverable through password spraying alone — without any breach database, without any technical exploit.