Password Spraying
Also known as: Low-and-slow guessing
Definition
A low-and-slow attack that tries a small set of common passwords against many user accounts, staying under lockout and rate-limit thresholds.
Examples
- An APT trying "Spring2025!" against every account in an Entra ID tenant during a single hour each day.
- Bots cycling through seasonal passwords against a corporate SSL VPN to find accounts protected by weak passwords.
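As an added example that is not part of the original glossary entry, a small Python detector for the pattern the definition describes: it flags a source that fails against many distinct accounts while keeping each account's failure count below the lockout threshold. The event format, the source IPs and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original page). Source A makes one
# failed attempt per account against 12 accounts inside one hour, the spray
# pattern; source B hammers a single account, which per-account lockout catches.
SPRAY_SRC, BRUTE_SRC = "203.0.113.7", "198.51.100.5"
SAMPLE_EVENTS = [
    {"ts": f"2025-03-01T09:{i * 4:02d}:00", "user": f"user{i:02d}", "src": SPRAY_SRC, "ok": False}
    for i in range(12)
] + [
    {"ts": f"2025-03-01T09:10:{i:02d}", "user": "bob", "src": BRUTE_SRC, "ok": False}
    for i in range(6)
]


def detect_spray(events, window=timedelta(hours=1), min_accounts=10, max_per_account=2):
    """Return {source: sorted distinct usernames} for sources whose failed logins
    inside any `window` touch at least `min_accounts` distinct accounts while no
    single account fails more than `max_per_account` times (under lockout)."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            # Many accounts, few failures each: the low-and-slow signature.
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts.setdefault(src, set()).update(per_user)
    return {src: sorted(users) for src, users in alerts.items()}


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(users)} accounts, e.g. {users[:3]}")
```

Tuning `min_accounts` and `max_per_account` to the tenant's lockout policy matters: the sprayer's per-account count sits just below the lockout limit, so the detector's ceiling should sit at or below it.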
Related terms
Brute Force Attack
An attack that systematically tries every possible value — typically passwords, PINs, or keys — until the correct one is found.
Credential Stuffing
An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
Dictionary Attack
A targeted password-guessing attack that tries entries from a precompiled list of likely words, leaked passwords, and rule-mutated variations.
Broken Authentication
A category of vulnerabilities where flaws in authentication or session management let attackers impersonate legitimate users or take over accounts.
Multi-Factor Authentication (MFA)
An authentication method that requires two or more independent factors — typically from different categories — before granting access.
Password
Password — definition coming soon.