What Is Password Spraying? How It Works and How to Stop It

An attacker does not need to guess your exact password to break into your network. A password spraying attack tests a handful of common passwords against thousands of usernames instead of hammering one account, and it only takes one weak match to get in. This approach lets attackers stay under the radar. Nation-state groups and […]

The best defense against password spraying is eliminating passwords.
Key Points
  • Password spraying tests a small set of common passwords against many accounts to dodge lockout thresholds. Attackers automate the process against login portals and legacy protocols, pacing attempts to stay under detection thresholds.
  • Unlike credential stuffing, password spraying doesn’t rely on stolen passwords. It succeeds by exploiting weak, commonly used passwords.
  • MFA and throttling raise the cost of an attack but replacing passwords with certificate-based authentication removes the attack surface.

An attacker does not need to guess your exact password to break into your network.

A password spraying attack tests a handful of common passwords against thousands of usernames instead of hammering one account, and it only takes one weak match to get in. This approach lets attackers stay under the radar.

Nation-state groups and ransomware crews both use it because it is cheap, low noise and reliably finds the one account a lockout policy will not catch.

What Is Password Spraying?

Password spraying is a brute-force attack that cycles a short list of frequently used passwords across a wide pool of accounts, deliberately capping the number of guesses per account so lockout policies never trigger.

The MITRE ATT&CK framework classifies it as a brute force sub-technique tracked as T1110.003, under the Credential Access tactic.

Unlike a targeted guess against one account, spraying treats the entire user directory as the attack surface. An attacker who tries “Password123” against 2,000 accounts once is far less likely to trip a lockout policy than an attacker who tries 2,000 passwords against a single account.

How Does a Password Spraying Attack Work?

A spraying campaign follows a repeatable sequence:

  1. Build a target list: Attackers harvest valid usernames through email harvesting, LinkedIn scraping, breached credential dumps or LDAP and Active Directory enumeration.
  2. Pick a small password set: They select a handful of commonly used or seasonal passwords, often pulled from prior breach data, instead of running a large dictionary against one account.
  3. Space out the attempts: Attackers space login attempts against each account across hours or days, staying below the failed-attempt count that triggers a lockout.
  4. Target legacy protocols: Attackers frequently point spray traffic at legacy authentication protocols such as IMAP, POP3, SMTP AUTH, and Exchange ActiveSync, which often do not enforce multi-factor authentication (MFA).
  5. Harvest valid hits: Any successful login becomes a foothold for lateral movement, mailbox access, or further credential harvesting.

Spraying is patient by design. A campaign that limits itself to one or two guesses per account per day can run for weeks without setting off a single lockout alert.

How Password Spraying Differs From Brute Force and Credential Stuffing

Password spraying, brute force and credential stuffing all end in the same place, a compromised account, but they start from different assumptions about what the attacker already knows.

The table below compares password spraying with brute force and credential stuffing, highlighting how each attack targets accounts and passwords differently.

Attack Type Passwords Tested per Account Accounts Targeted Primary Source of Passwords
Brute force Many, often exhaustive Usually one Generated or guessed combinations
Password spraying Few, common passwords Many Common or weak password lists
Credential stuffing One, already known Many Previously breached username-password pairs

A brute force attack burns through as many combinations as possible against a single account. Credential stuffing replays credential pairs stolen from an unrelated breach, betting on password reuse.

Password spraying sits between them: it assumes nothing about the specific account beyond the odds that someone, somewhere in the directory, picked a weak and common password.

Real-World Password Spraying Attacks

Password spraying is not a theoretical risk. It has served as the entry point for several high-profile breaches over the past few years. Here are a few examples:

  • Microsoft Midnight Blizzard, 2024: The Russia-linked group Midnight Blizzard compromised a legacy, non-production Microsoft test tenant that did not have MFA enabled. The group used a password spray attack tailored to a limited number of accounts to avoid detection. Midnight Blizzard then used that foothold to access a small number of corporate email accounts, including members of Microsoft’s senior leadership team.
  • Cisco Secure Firewall VPN campaign, 2024: Cisco warned customers about a large-scale password spraying campaign targeting remote access VPN services on Secure Firewall devices, part of a broader wave that also hit VPN and authentication services across multiple vendors.
  • Russian GRU brute force campaign, 2021: The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the U.K.’s National Cyber Security Centre (NCSC) attributed a multiyear brute force and password spraying campaign to Russia’s GTsSS military intelligence unit. The campaign targeted government and private-sector organizations worldwide. The attackers used a distributed Kubernetes cluster to mask the source of login attempts.
  • Iranian state-linked actors, 2024: CISA and international partners issued a joint advisory describing Iranian cyber actors combining brute force and password spraying with MFA push-bombing to compromise accounts across healthcare, government and other critical infrastructure sectors.

How Do You Detect Password Spraying?

Spraying is built to hide inside normal-looking login traffic, so detection depends on looking at patterns across the whole directory instead of any single account. The image below highlights the key indicators security teams can monitor to detect password spraying attacks before they lead to account compromise.

Infographic highlighting four common signs of a password spraying attack.

The following section explains what each indicator means in practice:

  • Failed logins spread across many accounts: A single source IP or autonomous system number (ASN) generating failed logins against dozens of different usernames in a short window is the clearest signal.
  • Login attempts against dormant or service accounts: Accounts that rarely authenticate suddenly showing failed attempts often indicate a spray sweep rather than a real user’s mistake.
  • Spikes in legacy protocol traffic: A jump in IMAP, POP3, or ActiveSync authentication attempts frequently signals an attacker probing for paths that skip MFA.
  • Logins from unfamiliar infrastructure: Attempts routed through hosting providers, VPN exit nodes or countries where the organization has no presence point to automated spraying rather than normal user behavior.

None of these signals is conclusive alone. Correlated together in a security information and event management (SIEM) tool or identity platform, they separate a spray campaign from ordinary login noise.

How Do You Prevent Password Spraying?

Prevention works in layers, and each layer narrows the odds an attacker gets a hit without eliminating the underlying weakness. Here are some methods to prevent password spraying:

  • Enforce MFA on every authentication path: Extending multi-factor authentication beyond the primary sign-in page closes off legacy paths attackers use to bypass it.
  • Throttle instead of hard-locking accounts:NIST guidance limits consecutive failed authentication attempts to no more than 100 and favors progressive delays between failed attempts. Attackers can abuse permanent lockouts to lock out legitimate users.
  • Retire legacy authentication protocols: Blocking or disabling IMAP, POP3, and ActiveSync removes paths that frequently skip MFA enforcement.
  • Ban common and previously breached passwords: Screening new passwords against breach lists shrinks the pool of passwords a spray campaign can succeed against.
  • Monitor for distributed failure patterns: Watching for failed logins spread across many accounts catches spraying that per-account lockout thresholds miss on their own.

Each control raises the cost of an attack. None of them changes the fact that the account is still protected by something an attacker can guess.

Why the Password Is the Real Vulnerability

Password spraying only works because a guessable secret exists somewhere in the directory. MFA blocks the isolated hit, throttling slows the sweep, and banned password lists shrink the target list. The account is still protected by a shared secret an attacker can guess, phish or eventually replay.

Certificate-based authentication removes that variable entirely. The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) standard authenticates a user or device with a cryptographic certificate instead of a password, so there is nothing for an attacker to spray. Attackers who target legacy protocols to dodge MFA hit the same wall: a certificate has no password field to bypass in the first place.

Replace Sprayable Passwords With Certificate-Based Authentication

The SecureW2 JoinNow Dynamic PKI replaces passwords with certificate-based authentication for Wi-Fi, VPN and application access, so there is no password left in the directory for an attacker to spray. It automates certificate issuance and renewal across managed and unmanaged devices, so IT teams are not left managing anything close to a password policy.

Paired with JoinNow Cloud RADIUS, every authentication request is checked against your identity provider in real time, tying access to a verified user and device rather than a memorized secret an attacker can guess from outside the network.

Schedule a demo to see how certificate-based authentication closes the password spraying gap.


Frequently Asked Questions

What is password spraying?

Password spraying is a brute-force attack that tries a handful of commonly used passwords against many different accounts, spreading attempts across the directory instead of repeatedly guessing against one account. This keeps attempts per account low enough to avoid tripping standard lockout policies.

How does a password spraying attack work?

An attacker first builds a list of valid usernames, then tries a handful of common passwords against each one, pacing the attempts across hours or days to stay under lockout thresholds.

Attackers often aim spray traffic at legacy protocols that do not enforce MFA, then use any successful login as a foothold for further access.

What is the difference between password spraying, brute force and credential stuffing?

Brute force tries many password combinations against one account. Credential stuffing replays password pairs already stolen from a different breach against many accounts.

Password spraying sits between them, trying a small set of common passwords across many accounts without any prior knowledge of a specific user’s real password.

How do you detect password spraying?

Detection depends on spotting failed login attempts spread across many different accounts from the same source IP, ASN or unfamiliar infrastructure, rather than repeated failures on a single account. Spikes in legacy protocol authentication traffic and login attempts against dormant accounts are also common indicators.

How do you prevent password spraying?

Enforcing MFA everywhere, throttling failed logins instead of issuing hard lockouts, retiring legacy authentication protocols, and banning common passwords all reduce the odds a spray campaign succeeds. The only way to remove the risk entirely is to eliminate the password itself with certificate-based authentication.