SECURITY · June 3, 2025 · 7 min read

Password Spraying Attacks: What They Are and How to Stop Them

Password spraying tries one common password against many accounts to avoid lockouts. It is devastatingly effective against organisations with weak password policies.

What is a password spraying attack?

A password spray attack is the opposite of a brute-force attack. Instead of trying thousands of passwords against one account, an attacker tries one common password against thousands of accounts.

The most commonly sprayed passwords in enterprise environments: Spring2025!, Welcome1, Password1, Company123, January2025. These satisfy most corporate password complexity requirements. Tens of thousands of accounts at any large organisation will use one of them.

The critical advantage for attackers: most account lockout policies trigger after 5–10 failed attempts per account. Spraying one attempt across 10,000 accounts never triggers lockout on any individual account, even if it successfully compromises hundreds of them.

Why spray attacks are so effective against enterprises

Corporate environments create the perfect conditions for password spray attacks:

  • Complexity policies with rotation: When you force quarterly password resets with complexity requirements, users pick Summer2025!, Fall2025!, Winter2025!. Attackers know this pattern and spray it seasonally.
  • Predictable usernames: Corporate email formats (firstname.lastname@company.com) are easily enumerated from LinkedIn. Attackers have the full target list before they start.
  • Per-account lockout policies: Legacy systems lock accounts after N failures per account, which spray attacks intentionally stay below.
  • No breach detection: One failed login per account looks like a normal mistype, not an attack.

How to detect a spray attack in progress

Signs in your authentication logs:

  • Unusual number of failed logins spread across many different accounts in a short window
  • Failed logins originating from a single IP or small IP range
  • Failed logins exactly N-1 times per account (staying just below lockout threshold)
  • Timing patterns suggesting automated attempts (precise intervals between requests)
  • Logins outside normal business hours across many accounts simultaneously
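One way to turn the first three signals above into a check over authentication logs, added here as an example rather than code from the post or from PassGeni: for each source address, a sliding window counts how many distinct accounts failed while every individual account stayed below the lockout threshold, then lists any success from the same source as a compromise candidate. The log format, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): "<timestamp> <result> user=<account> ip=<source>".
# 203.0.113.7 fails once against each of six accounts at 02:00; 198.51.100.20 is a mistype.
SAMPLE_LOG = """\
2025-06-03T02:00:00 FAIL user=alice.smith ip=203.0.113.7
2025-06-03T02:00:05 FAIL user=bob.jones ip=203.0.113.7
2025-06-03T02:00:10 FAIL user=carol.lee ip=203.0.113.7
2025-06-03T02:00:15 FAIL user=dave.kim ip=203.0.113.7
2025-06-03T02:00:20 FAIL user=erin.chan ip=203.0.113.7
2025-06-03T02:00:25 FAIL user=frank.ali ip=203.0.113.7
2025-06-03T02:00:30 OK   user=frank.ali ip=203.0.113.7
2025-06-03T09:14:02 FAIL user=alice.smith ip=198.51.100.20
2025-06-03T09:14:09 OK   user=alice.smith ip=198.51.100.20
"""

def parse(log_text):
    """Parse the sample format into time-sorted (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user.split("=", 1)[1].lower(), ip.split("=", 1)[1]))
    return sorted(events)

def find_sprays(events, window=timedelta(minutes=15), min_accounts=5, lockout=5):
    """Return {ip: (distinct_accounts, peak_fails_per_account, accounts_with_success)} for
    sources that fail against >= min_accounts accounts in a window, each below lockout."""
    by_ip = defaultdict(list)
    for e in events:
        if e[1] == "FAIL":
            by_ip[e[3]].append(e)  # events are time-sorted, so each per-source list is too
    alerts = {}
    for ip, fails in by_ip.items():
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window start forward
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e[2]] += 1
            distinct, peak = len(per_user), max(per_user.values())
            if distinct >= min_accounts and peak < lockout and (best is None or distinct > best[0]):
                best = (distinct, peak)
        if best:  # a success from a spraying source is the "check for successful logins" step
            hits = sorted({e[2] for e in events if e[3] == ip and e[1] == "OK"})
            alerts[ip] = (best[0], best[1], hits)
    return alerts
```

The benign daytime failure never trips the check because it touches a single account; the 02:00 burst is flagged even though no account saw more than one failure.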

How to defend against password spraying

The most important defence: eliminate predictable passwords. Spray attacks work because password complexity policies produce predictable outputs. If your organisation uses PassGeni's compliance presets to generate employee initial passwords — and enforces passphrases on reset — spray attacks stop finding valid credentials.

Technical defences:

  • Rate limit by IP, not by account: Detect unusually high authentication volumes from any source, regardless of which accounts are targeted.
  • Anomaly detection: Flag distributed authentication failures that individually stay below per-account thresholds.
  • MFA everywhere: Even a successfully sprayed password is useless if MFA is required. FIDO2 hardware keys eliminate this attack class entirely for enrolled accounts.
  • Conditional access policies: Require additional verification for logins from new locations, at unusual hours, or from unmanaged devices.
  • Breach password checking: NIST 800-63B recommends checking passwords against known-breached lists at creation. Commonly sprayed passwords are always in breach lists.

What to do if you've been spray-attacked

If you detect a spray attack in progress or find evidence of one in your logs:

  • Force password resets for all accounts that received a failed login attempt in the attack window.
  • Enable MFA immediately for all accounts if it is not already enforced.
  • Check authentication logs for successful logins during the attack period: some accounts may already be compromised.

Use PassGeni's breach checker to verify whether credentials from your organisation appear in known breached datasets.
