← All terms
Password Spraying

What is Password Spraying?

Password spraying tries a few common passwords against many accounts, staying under lockout thresholds while hunting for the weakest users in an organization.

Last updated: 15 July 2026

How password spraying works

Password spraying inverts the classic brute-force approach. Instead of hammering one account with thousands of guesses, the attacker tries one or two very common passwords, such as a season and year or the company name with a digit, across hundreds or thousands of accounts. After a full pass, they wait out the lockout observation window and try the next candidate password.

This low-and-slow pattern is designed to defeat the most common defense: account lockout after several failed attempts. Each individual account sees only one or two failures, which looks like a user’s typo. Attackers typically harvest the username list beforehand from public sources or predictable email formats, and they favor authentication endpoints that accept a password without additional factors, such as legacy protocols.

Why it matters

Password spraying succeeds because in any sufficiently large organization, someone is using a guessable password. The attacker needs only one hit: a single valid mailbox or VPN login provides a foothold for phishing colleagues from a trusted address, reading sensitive mail or moving deeper into the network. State-sponsored groups and commodity criminals alike use spraying as a first-line technique precisely because it is quiet, cheap and reliable.

The attack is also easy to underestimate in logs. Failures are spread thinly across many accounts and often across days, so dashboards that focus on per-account lockouts show nothing unusual. Organizations frequently discover a spray only after a compromised account starts sending phishing mail.

How to defend against password spraying

Banning the passwords attackers actually spray is the first step: block common patterns, dictionary words and any password found in breach corpuses, rather than relying on complexity rules that users satisfy predictably. Multi-factor authentication then ensures that even a correct guess does not grant access on its own, and disabling legacy authentication protocols closes the endpoints sprays favor.

Detection should look across accounts, not within them: many distinct usernames failing with a similar cadence from related sources is the signature of a spray. Adaptive authentication that raises requirements for risky or unfamiliar sign-ins, as Monosign does alongside MFA, converts a successful guess into a dead end rather than a breach.

Frequently asked questions

What is the difference between password spraying and credential stuffing?
Password spraying guesses a few common passwords across many accounts of one organization. Credential stuffing replays real leaked username-password pairs, usually across many services. Spraying exploits weak password choices; stuffing exploits password reuse. Both are automated and both are defeated primarily by MFA and strong password screening.
Why does account lockout not stop password spraying?
Lockout counts failures per account, and a spray produces only one or two failures per account before moving on. By the time the attacker returns with the next password, the observation window has usually reset. Effective detection instead correlates failures across many accounts and sources.
Can a spray attack be detected before an account is compromised?
Yes. The cross-account pattern is visible early: many usernames each failing once or twice within a window, often from a shared infrastructure fingerprint. Alerting on that pattern, and on authentication attempts against legacy endpoints, usually surfaces a spray during its first pass.