What is Password Spraying? How Attackers Exploit Weak Passwords at Scale

Password spraying tests common passwords across many accounts to evade lockout. Learn how it works, why it succeeds, and the identity controls that stop it — for executives and PE sponsors.

How Password Spraying Works

Password spraying is methodical and patient. The attacker begins by enumerating valid usernames for the target organization — a straightforward process using LinkedIn to identify employees, then applying the organization's standard email format (firstname.lastname@company.com) to generate a list of likely valid usernames. This enumeration phase requires no technical access to the organization's systems.

With a username list assembled, the attacker selects a small number of commonly used passwords, typically 3-5 per spray cycle, and attempts each password against every username in the list. Common choices include the current month and year (May2026!), the organization's name with common suffix patterns (CompanyName1!), seasonal patterns (Spring2026), and universal weak passwords that remain stubbornly prevalent (Password1, Welcome123). After the first spray cycle, the attacker waits, typically 30-60 minutes, before attempting another cycle with different passwords. This wait period is calibrated to avoid triggering account lockout policies, which typically lock an account after 5-10 failed attempts within a defined time window.

The patience required for password spraying is substantial. A thorough campaign against an organization with 500 employees, staying safely under lockout thresholds, may take days or weeks. But the return — valid credentials to an organization's Microsoft 365 environment, VPN, or corporate applications — provides the initial access needed to pivot to more impactful operations. Password spraying is widely used by nation-state actors specifically because its slow, methodical nature evades the velocity-based detection that catches brute force attacks.

Who Uses Password Spraying and Why

Password spraying is associated with a broad range of threat actors, from nation-state groups to ransomware affiliates to credential theft operations. Microsoft has documented its use by APT28 (Fancy Bear) against hundreds of organizations including US government agencies and defense contractors. Iranian APT33 has used password spraying against energy sector targets. Financially motivated groups use it as an efficient initial access technique that does not require vulnerability exploitation — if the credentials work, the access is as legitimate as any employee's login.

The technique's prevalence reflects a simple economic reality: weak and common passwords are present in a meaningful percentage of any large organization's user population, and the cost of attempting those common passwords at scale is low. Even a 1-2% success rate against a 500-person organization yields 5-10 valid credential sets — sufficient to establish a meaningful initial access foothold.

Why Password Spraying Works in 2026

Password spraying exploits a persistent human behavior problem that technical controls have not eliminated. Despite years of security awareness training, password complexity requirements, and breach-related publicity, common passwords remain present in organizational user populations at rates that make spraying consistently viable.

The Have I Been Pwned database contains over 12 billion compromised credentials from breaches. Analysis of these breaches consistently shows that passwords like "password", "123456", "company-name-year", and "welcome" appear across millions of accounts — not because users are careless, but because humans are predictable under cognitive load. Password complexity requirements that mandate special characters and numbers reliably produce passwords that follow the pattern of capitalizing the first letter, appending a number, and adding "!" — exactly the patterns password spraying wordlists are built around.

The specific vulnerability that password spraying targets is the predictability of password selection at population scale. Individual users may have genuinely complex passwords. But in an organization of 500 people, the statistical probability that at least one has "May2026!" or "Welcome1" as their password is high — because these patterns satisfy complexity requirements while minimizing cognitive burden.

Detection: Why Password Spraying Is Hard to Catch

Password spraying is specifically designed to evade the authentication monitoring that catches traditional brute force. Brute force attacks generate hundreds of failed authentication attempts against a single account in a short time window — triggering lockout policies and velocity-based detection rules. Password spraying distributes those attempts across hundreds of accounts with long delays between cycles, generating a pattern where each individual account has very few failed attempts — well below lockout thresholds and basic alerting rules.

Detecting password spraying requires cross-account analysis: identifying patterns where many different accounts experience single or double failed authentication attempts within similar time windows, especially from the same source IP range. This detection logic is more sophisticated than per-account lockout monitoring and requires a SIEM with appropriate detection rules or an identity-focused security tool like Microsoft Entra ID Protection or Okta ThreatInsight.
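The cross-account rule described above, as an added example that is not code from the original article or from any SIEM or identity product: it groups failed sign-ins by source IP, counts how many distinct accounts each source touched within one window, and flags only sources whose per-account failure count stays under the lockout threshold. The log format (timestamp, result, account, source IP), the field names, the thresholds and the sample events are all assumptions constructed for this example.

```python
"""Cross-account password-spray detection over sign-in logs.

Added example, not code from the original article or any vendor product.
The log format (timestamp, result, account, source IP), the field names and
the thresholds below are assumptions chosen for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: one "low and slow" source that tries
# each of six accounts once per cycle (and gets one success), one classic
# brute-force source that hammers a single account, and one ordinary user
# who mistypes once and then signs in.
SAMPLE_LOGS = """\
2026-05-04T08:00:12Z FAIL alice@example.com 203.0.113.10
2026-05-04T08:00:15Z FAIL bob@example.com 203.0.113.10
2026-05-04T08:00:19Z FAIL carol@example.com 203.0.113.10
2026-05-04T08:00:22Z FAIL dave@example.com 203.0.113.10
2026-05-04T08:00:26Z FAIL erin@example.com 203.0.113.10
2026-05-04T08:00:29Z FAIL grace@example.com 203.0.113.10
2026-05-04T08:00:33Z SUCCESS frank@example.com 203.0.113.10
2026-05-04T08:03:01Z FAIL carol@example.com 192.0.2.5
2026-05-04T08:03:20Z SUCCESS carol@example.com 192.0.2.5
2026-05-04T08:10:00Z FAIL admin@example.com 198.51.100.7
2026-05-04T08:10:01Z FAIL admin@example.com 198.51.100.7
2026-05-04T08:10:02Z FAIL admin@example.com 198.51.100.7
2026-05-04T08:10:03Z FAIL admin@example.com 198.51.100.7
2026-05-04T08:10:04Z FAIL admin@example.com 198.51.100.7
2026-05-04T08:10:05Z FAIL admin@example.com 198.51.100.7
2026-05-04T09:05:12Z FAIL alice@example.com 203.0.113.10
2026-05-04T09:05:16Z FAIL bob@example.com 203.0.113.10
2026-05-04T09:05:20Z FAIL carol@example.com 203.0.113.10
2026-05-04T09:05:24Z FAIL dave@example.com 203.0.113.10
2026-05-04T09:05:27Z FAIL erin@example.com 203.0.113.10
2026-05-04T09:05:31Z FAIL grace@example.com 203.0.113.10
"""

WINDOW = timedelta(minutes=60)   # failures this close together count as one cycle
MIN_ACCOUNTS = 5                 # distinct accounts a source must touch inside one window
MAX_PER_ACCOUNT = 2              # spraying stays at or below this per account (under lockout)


def parse_events(text):
    """Parse the constructed log format into (timestamp, result, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account, ip))
    return events


def detect_spray(text, window=WINDOW, min_accounts=MIN_ACCOUNTS, max_per_account=MAX_PER_ACCOUNT):
    """Return one finding per source IP whose failures fit the spray profile.

    The rule is deliberately the inverse of a lockout rule: many accounts,
    few failures each, within one window. A source that also produced a
    SUCCESS is reported with the accounts that succeeded, since those are
    the credentials the responder must reset first.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, account)]
    successes = defaultdict(set)   # ip -> {account}
    for ts, result, account, ip in parse_events(text):
        if result == "FAIL":
            failures[ip].append((ts, account))
        elif result == "SUCCESS":
            successes[ip].add(account)

    findings = []
    for ip, evs in failures.items():
        evs.sort()
        # Largest number of distinct accounts failed from this IP inside any one window.
        max_distinct = 0
        for i, (start, _) in enumerate(evs):
            in_window = {acct for ts, acct in evs[i:] if ts - start <= window}
            max_distinct = max(max_distinct, len(in_window))
        per_account = Counter(acct for _, acct in evs)
        if max_distinct >= min_accounts and max(per_account.values()) <= max_per_account:
            findings.append({
                "source_ip": ip,
                "accounts_targeted": sorted(per_account),
                "max_distinct_accounts_in_window": max_distinct,
                "max_failures_per_account": max(per_account.values()),
                "successful_logins": sorted(successes.get(ip, ())),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOGS):
        print(finding)
```

On the constructed data only 203.0.113.10 is reported: the brute-force source never reaches five distinct accounts, and the ordinary user has a single failure. The finding also lists frank@example.com as a successful sign-in from the spraying source, which is the signal worth paging on. In a real deployment the same logic runs over the identity provider's sign-in log export, and the thresholds should be tuned against the organization's baseline of ordinary failed logins from shared egress addresses such as VPN concentrators or proxies.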

Defending Against Password Spraying

The most effective defense against password spraying is removing the attack's success condition: eliminating the weak and common passwords from the organization's credential inventory. This requires moving beyond complexity requirements — which produce predictable patterns that spraying wordlists specifically target — to an enterprise password manager deployment that generates and stores genuinely random credentials, combined with banned password lists that block commonly sprayed patterns.

Microsoft Entra ID and Okta both support custom banned password lists. Configuring these lists to block the month-year patterns, company-name patterns, and universal weak passwords that spraying campaigns target eliminates the most commonly successful credential classes. This is a low-cost, high-impact control that most organizations have not implemented.
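The control described in the two paragraphs above, as an added example that is not code from the original article, Microsoft Entra ID or Okta: a banned-password check run beside a traditional complexity check, so the contrast is visible. A password such as May2026! satisfies complexity but fails the banned list, because the check normalizes common symbol substitutions and then looks for company terms, universal weak words, and month-or-season-plus-year patterns. The normalization table, term lists, rule order and company terms are assumptions constructed for this example; real products use their own lists and scoring.

```python
"""Banned-password check alongside a classic complexity check.

Added example, not code from the original article, Microsoft Entra ID or
Okta. The normalization table, term lists and rule order are assumptions
chosen to illustrate the control; real products use their own lists and
scoring. Company terms are supplied by the caller.
"""
import re

UNIVERSAL_WEAK = ["password", "welcome", "letmein", "qwerty", "123456", "abc123"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]

# Undo the handful of substitutions people make to satisfy complexity rules.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i"})

# Month-or-season name followed by a 2- or 4-digit year, e.g. may2026, spring26.
DATE_PATTERN = re.compile(
    "(?:" + "|".join(MONTHS + [m[:3] for m in MONTHS] + SEASONS) + r")(?:(?:19|20)\d{2}|\d{2})"
)


def normalize(password):
    """Lower-case, undo common symbol/digit substitutions, drop punctuation."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(SUBSTITUTIONS))


def meets_complexity(password):
    """The traditional policy: 8+ chars, upper, lower, digit, symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def banned_reason(password, company_terms):
    """Return why the password is banned, or None if no banned pattern is present."""
    forms = {password.lower(), normalize(password)}
    # Company names first: they are the most organization-specific pattern.
    for term in company_terms:
        if any(term.lower() in f for f in forms):
            return f"company term '{term.lower()}'"
    # Generic terms, restricted to 4+ characters to limit accidental substring hits.
    generic = [t for t in UNIVERSAL_WEAK + MONTHS + SEASONS if len(t) >= 4]
    for term in generic:
        if any(term in f for f in forms):
            return f"banned term '{term}'"
    for f in forms:
        match = DATE_PATTERN.search(f)
        if match:
            return f"month/season plus year pattern '{match.group(0)}'"
    return None


def evaluate(password, company_terms):
    """Combine both checks; a password must pass complexity AND the banned list."""
    complexity_ok = meets_complexity(password)
    reason = banned_reason(password, company_terms)
    return {"complexity_ok": complexity_ok, "banned_reason": reason,
            "accepted": complexity_ok and reason is None}


if __name__ == "__main__":
    # "Acme" stands in for the organization's name; candidates are constructed.
    for candidate in ["May2026!", "AcmeCorp1!", "Spring2026", "P@ssw0rd1!", "kT9#vqL2pWx!4sZr"]:
        print(candidate, evaluate(candidate, ["Acme"]))
```

The last candidate, a random string of the kind an enterprise password manager generates, is the only one accepted; every other candidate passes or fails complexity but is caught by the banned list regardless. When populating a real banned list, the company terms should include product names, site names and common abbreviations, not just the legal entity name.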

Phishing-resistant MFA provides defense even when spraying succeeds. An attacker with a valid credential who is then required to complete FIDO2 authentication cannot proceed — because the FIDO2 response is cryptographically bound to the legitimate login origin and cannot be satisfied by an attacker without physical possession of the user's hardware security key. Push notification MFA provides partial defense but is vulnerable to MFA fatigue attacks when used in combination with valid credentials obtained through spraying.
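The origin binding described above, as an added example that is not code from the original article or from any FIDO library: the relying-party checks that turn a stolen password plus a genuine authenticator response into a rejected login when that response was produced for a different origin. The browser, not the web page, writes the origin into clientDataJSON, and the authenticator hashes the relying-party ID into authenticatorData, so both are covered by the signature. The signature verification itself (over authenticatorData followed by SHA-256 of clientDataJSON) needs a crypto library and is left to the caller; the function returns exactly the bytes that must be verified against the stored public key. Host names, the challenge and the simulated browser and authenticator outputs are constructed for this example.

```python
"""Relying-party side of a FIDO2/WebAuthn assertion: the origin-binding check.

Added example, not code from the original article or from any FIDO library.
It shows why a valid password plus a real authenticator response still fails
when the response was produced for a different origin: the origin sits inside
the signed clientDataJSON and the RP ID hash sits inside authenticatorData.
The signature (over authenticatorData || SHA-256(clientDataJSON)) is returned
as the bytes to verify with the stored public key; that step needs a crypto
library and is outside this example. Host names are constructed.
"""
import base64
import hashlib
import json
import os
import struct

RP_ID = "login.example.com"              # constructed relying-party ID
RP_ORIGIN = "https://login.example.com"  # the only origin the RP accepts


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Simulate what a browser puts in clientDataJSON. The browser, not the
    page, fills in the origin, so a page on another host cannot change it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode())


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Simulate authenticatorData: rpIdHash (32) || flags (1) || signCount (4).
    Flags 0x05 = user present (UP) and user verified (UV)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", counter)


def check_assertion(expected_challenge: bytes, client_data_b64: str, auth_data: bytes,
                    rp_id: str = RP_ID, rp_origin: str = RP_ORIGIN):
    """Return (True, bytes_to_verify) on success or (False, reason) on rejection."""
    client_data_bytes = b64url_decode(client_data_b64)
    client_data = json.loads(client_data_bytes)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != rp_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    # The authenticator signed exactly these bytes; verify them with the credential's public key.
    return True, auth_data + hashlib.sha256(client_data_bytes).digest()


if __name__ == "__main__":
    challenge = os.urandom(32)            # the RP generates a fresh challenge per login
    auth = make_authenticator_data(RP_ID)
    print(check_assertion(challenge, make_client_data(RP_ORIGIN, challenge), auth)[0])
    print(check_assertion(challenge, make_client_data("https://other.example.net", challenge), auth))
```

The second call is the case the paragraph describes: the credential is valid and the authenticator response is genuine, but because it was generated for a different origin, the relying party rejects it before the signature is even examined. The challenge check is what prevents a previously captured response from being replayed later.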

For PE operating partners evaluating portco identity security, the password spraying questions are: does the organization have a banned password policy in its identity platform? Is there monitoring in place that would detect slow, cross-account authentication failures? Has the IT team reviewed authentication logs for historical evidence of spray attempts? These controls cost nothing to implement, and the monitoring requires only appropriate configuration of tools the organization already has, not additional technology investment.

1 in 50

In organizations without banned password policies, password spray campaigns succeed against approximately 1 in 50 user accounts on average — meaning a 500-person organization is statistically likely to yield 10 valid credentials per spray campaign. Nation-state groups have documented success rates significantly higher in target-rich environments.