Vol. 1 · Ed. 2026
CyberGlossary
Entry № 899

Password Spraying

Reviewed by Cybersecurity entrepreneur & security researcher

What is Password Spraying?

Password Spraying: A low-and-slow attack that tries a small set of common passwords against many user accounts, staying under lockout and rate-limit thresholds.


Password spraying inverts the classical brute-force pattern: instead of many passwords per account, attackers try one password (e.g. "Winter2025!", "P@ssw0rd") across an entire user directory and then move to the next. This avoids triggering per-account lockouts and produces hits because real organisations always contain a long tail of weak passwords. Spraying is a favourite technique for compromising cloud identity providers (Microsoft Entra ID, Okta) and VPN portals. Defences include banning common and breached passwords, smart-lockout and risk-based MFA, conditional access, geo/IP analytics, and alerting on high-fan-out, single-password authentication patterns.
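The last defence listed above, alerting on high-fan-out authentication patterns, is the one most directly expressible in code. The following is an added example, not part of the glossary entry: it parses a constructed authentication log (timestamp, source IP, username, result) and flags any source that fails against many distinct accounts while staying at or below a per-account attempt count, which is the inverse of the per-account lockout signal a classic brute force would trip. The log format, thresholds and helper names (`detect_spray`, `successes_from_flagged_sources`) are assumptions for illustration; real systems would read Entra ID sign-in logs, VPN syslog or similar.

```python
"""Detect password-spraying patterns in authentication logs.

Spraying shows up as high fan-out: one source makes few attempts per
account but touches many distinct accounts, each below the lockout
threshold. The detector below keys on that shape rather than on
per-account failure counts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format per line:
# <ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2025-03-01T02:00:01Z 203.0.113.7 alice FAIL
2025-03-01T02:00:04Z 203.0.113.7 bob FAIL
2025-03-01T02:00:09Z 203.0.113.7 carol FAIL
2025-03-01T02:00:13Z 203.0.113.7 dave FAIL
2025-03-01T02:00:18Z 203.0.113.7 erin FAIL
2025-03-01T02:00:22Z 203.0.113.7 frank SUCCESS
2025-03-01T02:05:00Z 198.51.100.9 alice FAIL
2025-03-01T02:05:10Z 198.51.100.9 alice FAIL
2025-03-01T02:05:20Z 198.51.100.9 alice SUCCESS
2025-03-01T09:30:00Z 192.0.2.44 grace FAIL
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "user": user,
            "ok": result == "SUCCESS",
        })
    return events


def detect_spray(events, window=timedelta(minutes=60),
                 min_accounts=5, max_per_account=3):
    """Return one alert per source whose failures, within any sliding
    window, span at least `min_accounts` distinct users with no single
    user exceeding `max_per_account` attempts (the spray signature).
    Thresholds are illustrative assumptions; tune them per environment."""
    failures_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            distinct = len(per_user)
            if distinct >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts.append({"src": src, "accounts": distinct,
                               "start": fails[start]["ts"]})
                break  # one alert per source is enough for triage
    return alerts


def successes_from_flagged_sources(events, alerts):
    """Map each flagged source to the accounts it authenticated to
    successfully; these are the likely weak-password hits to reset."""
    flagged = {a["src"] for a in alerts}
    hits = defaultdict(list)
    for e in events:
        if e["ok"] and e["src"] in flagged:
            hits[e["src"]].append(e["user"])
    return dict(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_spray(evts)
    for a in found:
        print(f"spray from {a['src']}: {a['accounts']} accounts from {a['start']:%H:%M}Z")
    print("successful logins from flagged sources:",
          successes_from_flagged_sources(evts, found))
```

On the sample data only 203.0.113.7 is flagged: it fails once each against five accounts in under a minute. 198.51.100.9 fails twice against a single account and then succeeds, which is what an ordinary mistyped password looks like, so it is not reported. The second function closes the loop by listing which accounts the flagged source did get into, which is the list a responder would force-reset and review for MFA enrolment.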

Examples

1. An APT trying "Spring2025!" against every account in an Entra ID tenant during a single hour each day.

2. Bots cycling through seasonal passwords against a corporate SSL VPN to find weak users.

Frequently asked questions

What is Password Spraying?

A low-and-slow attack that tries a small set of common passwords against many user accounts, staying under lockout and rate-limit thresholds. It belongs to the Attacks & Threats category of cybersecurity.

What does Password Spraying mean?

A low-and-slow attack that tries a small set of common passwords against many user accounts, staying under lockout and rate-limit thresholds.

How do you defend against Password Spraying?

Defences for Password Spraying typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Password Spraying?

Common alternative names include: Low-and-slow guessing.
