Password Spraying
Password spraying tests a few common passwords against many accounts simultaneously, evading lockout policies while exploiting weak password choices across an organization.
Password spraying is a brute-force variant where an attacker attempts a small number of commonly used passwords against a large number of accounts simultaneously. Unlike traditional brute force, which targets one account with many passwords, spraying distributes attempts across many accounts to avoid triggering account lockout policies. This technique is effective against organizations that enforce lockout thresholds but allow weak or common passwords.
The attacker first enumerates valid usernames through methods such as OSINT, LinkedIn scraping, email harvesting, or Active Directory enumeration. They then select a small set of likely passwords based on organizational patterns, seasonal variations, or commonly used defaults such as "CompanyName2026!" or "Welcome1". The attacker attempts one password against all enumerated accounts, waits for the lockout reset window to pass, and then tries the next password. This slow and distributed approach keeps each account well below the lockout threshold. Cloud services like Microsoft 365 and VPN portals are frequent targets because they expose authentication endpoints to the internet.
Password spraying is one of the most common initial access techniques used by both nation-state actors and criminal groups. It succeeds frequently because users tend to choose predictable passwords that meet minimum complexity requirements without being truly strong. Multi-factor authentication is the most effective countermeasure. Organizations should also implement banned password lists, monitor for distributed login failures across accounts, enforce smart lockout policies, and use conditional access rules to block suspicious authentication patterns.
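The detection control the article recommends, monitoring for login failures spread across many accounts, is easier to reason about with a concrete rule. The Python below is an added example written for this article, not code from CDA or any product. It assumes a simplified, constructed authentication log (timestamp, username, source IP, result) and a lockout threshold of three attempts per account; in a real deployment the fields would come from the identity provider's sign-in logs and the thresholds would be tuned to the organization's lockout policy. It distinguishes a spray (many accounts, each kept below the threshold) from classic brute force (one account hammered past it), and reports any account that then authenticated successfully from the same source, which is the first thing a responder wants to know.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Fields: ISO timestamp, username, source IP, result.
SAMPLE_LOG = """\
2026-01-12T09:00:01 alice 203.0.113.10 FAIL
2026-01-12T09:00:02 bob 203.0.113.10 FAIL
2026-01-12T09:00:03 carol 203.0.113.10 FAIL
2026-01-12T09:00:04 dave 203.0.113.10 FAIL
2026-01-12T09:00:05 erin 203.0.113.10 FAIL
2026-01-12T09:00:06 frank 203.0.113.10 FAIL
2026-01-12T09:00:07 grace 203.0.113.10 FAIL
2026-01-12T09:00:08 heidi 203.0.113.10 SUCCESS
2026-01-12T09:01:00 alice 198.51.100.7 FAIL
2026-01-12T09:01:05 alice 198.51.100.7 FAIL
2026-01-12T09:01:10 alice 198.51.100.7 FAIL
2026-01-12T09:01:15 alice 198.51.100.7 FAIL
2026-01-12T09:01:20 alice 198.51.100.7 FAIL
2026-01-12T09:02:00 bob 192.0.2.44 FAIL
2026-01-12T09:02:30 bob 192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated auth events into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def classify_source(fails, min_users=5, max_per_user=3):
    """Classify one source's failed logins (already limited to a time window).

    'spray'       : many distinct accounts, each kept under the lockout threshold
    'brute_force' : at least one account pushed past the per-account threshold
    'normal'      : neither pattern
    """
    per_user = defaultdict(int)
    for e in fails:
        per_user[e["user"]] += 1
    if not per_user:
        return "normal"
    if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
        return "spray"
    if max(per_user.values()) > max_per_user:
        return "brute_force"
    return "normal"


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return one alert per source IP whose failures in a sliding window look like a spray.

    Each alert lists the distinct accounts touched in the window and any account
    that later authenticated successfully from the same source (candidate compromise).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # advance the window start so the span never exceeds `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            if classify_source(span, min_users, max_per_user) == "spray":
                first_ts = span[0]["ts"]
                # report everything the source did in the full window that began here
                in_window = [e for e in fails if first_ts <= e["ts"] <= first_ts + window]
                users = sorted({e["user"] for e in in_window})
                successes = sorted({e["user"] for e in evs
                                    if e["result"] == "SUCCESS" and e["ts"] >= first_ts})
                alerts.append({"ip": ip, "distinct_users": len(users),
                               "users": users, "successes_after": successes})
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, 203.0.113.10 is flagged as a spray touching seven accounts with a subsequent success for heidi, 198.51.100.7 classifies as brute force against a single account, and 192.0.2.44 is an ordinary mistyped password. Grouping by source IP is the simplest key; sprays run through proxy pools or cloud IP ranges will need the same logic keyed on user-agent, ASN, or tenant-wide failure counts as well.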
Written by CDA Editorial