How password spraying works
Password spraying inverts the classic brute-force approach. Instead of hammering one account with thousands of guesses, the attacker tries one or two very common passwords, such as a season and year or the company name with a digit, across hundreds or thousands of accounts. After a full pass, they wait out the lockout observation window and try the next candidate password.
This low-and-slow pattern is designed to defeat the most common defense: account lockout after several failed attempts. Each individual account sees only one or two failures, which looks like a user’s typo. Attackers typically harvest the username list beforehand from public sources or predictable email formats, and they favor authentication endpoints that accept a password without additional factors, such as legacy protocols.
Why it matters
Password spraying succeeds because in any sufficiently large organization, someone is using a guessable password. The attacker needs only one hit: a single valid mailbox or VPN login provides a foothold for phishing colleagues from a trusted address, reading sensitive mail or moving deeper into the network. State-sponsored groups and commodity criminals alike use spraying as a first-line technique precisely because it is quiet, cheap and reliable.
The attack is also easy to underestimate in logs. Failures are spread thinly across many accounts and often across days, so dashboards that focus on per-account lockouts show nothing unusual. Organizations frequently discover a spray only after a compromised account starts sending phishing mail.
How to defend against password spraying
Banning the passwords attackers actually spray is the first step: block common patterns, dictionary words and any password found in breach corpuses, rather than relying on complexity rules that users satisfy predictably. Multi-factor authentication then ensures that even a correct guess does not grant access on its own, and disabling legacy authentication protocols closes the endpoints sprays favor.
Detection should look across accounts, not within them: many distinct usernames failing with a similar cadence from related sources is the signature of a spray. Adaptive authentication that raises requirements for risky or unfamiliar sign-ins, as Monosign does alongside MFA, converts a successful guess into a dead end rather than a breach.