Contact Us Today 01642 716680

Password Spraying

Definition: Password Spraying is a type of cyber attack in which an attacker attempts to gain unauthorised access to a large number of accounts using common passwords. Unlike traditional brute-force attacks, which try many passwords against one username, password spraying targets many usernames with a few commonly used passwords.

This technique takes advantage of the fact that people often use simple and common passwords, and it also evades account lockouts typically triggered by multiple incorrect password submissions. By trying only a few passwords on each account before moving on to the next, attackers reduce the likelihood of triggering security mechanisms designed to prevent multiple failed login attempts.

Password spraying is particularly effective against organisations that do not enforce strong password policies or Multi-Factor Authentication (MFA). To protect against password spraying, organisations should implement account lockout policies, ban the use of common passwords, regularly audit user passwords, and, most importantly, employ MFA.

Key Characteristics:

  • Low-and-Slow Approach: Tries a few commonly used passwords against many accounts to avoid detection.
  • Common Passwords: Leverages frequently used passwords such as ‘Password123’ or ‘Spring2021’.
  • Evades Account Lockouts: Less likely to trigger security responses due to the low number of attempts on each account.
  • Effective Against Large User Bases: Increased chances of success in environments with many user accounts.


  • Real-World Example: An attacker uses password spraying to access an organisation’s email system by trying the password ‘Winter2022’ on all user accounts.
  • Hypothetical Scenario: Cybercriminals target multiple social media platforms, using a list of the top ten common passwords and spraying them across thousands of accounts.

Related Terms:

  • Brute Force Attack: A cyber attack method that involves systematically trying numerous passwords to break into an account.
  • Credential Stuffing: An automated attack that uses previously breached username and password pairs to gain unauthorised access to user accounts.
  • Multi-Factor Authentication (MFA): A security system that requires multiple methods of authentication to verify user identity.

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.