Password Spraying (Low and Slow)

Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked out, as commonly used account-lockout policies allow for a limited number of failed attempts (typically three to five) during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single commonly used password (such as ‘Password1’ or ‘Summer2017’) against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.


Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. Targeting federated authentication can help mask malicious traffic. Additionally, targeting SSO applications helps maximize access to intellectual property if the attack succeeds.

Email applications are also commonly targeted.
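
The pattern described above (one source failing against many accounts while staying under each account's lockout threshold) can be looked for in authentication logs. The following is an added example, not code from the original page; the log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, source IP, user, result.
SAMPLE_LOG = """\
2024-05-01T09:00:05 198.51.100.7 alice FAIL
2024-05-01T09:00:41 198.51.100.7 bob FAIL
2024-05-01T09:01:02 192.0.2.10 alice FAIL
2024-05-01T09:01:15 192.0.2.10 alice OK
2024-05-01T09:01:20 198.51.100.7 carol FAIL
2024-05-01T09:02:03 198.51.100.7 dave FAIL
2024-05-01T09:02:30 203.0.113.9 bob FAIL
2024-05-01T09:02:31 203.0.113.9 bob FAIL
2024-05-01T09:02:32 203.0.113.9 bob FAIL
2024-05-01T09:02:50 198.51.100.7 erin FAIL
2024-05-01T09:03:10 198.51.100.7 frank FAIL
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Map each suspicious source to the accounts it failed against."""
    # Spray signature: many distinct users, few failures per user, one window.
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            per_user = Counter(user for _, user in items[start:end + 1])
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account
                    and len(per_user) > len(flagged.get(src, []))):
                flagged[src] = sorted(per_user)
    return flagged

if __name__ == "__main__":
    for src, users in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```

Only the source that touched six accounts once each is flagged; the repeated failures against a single account are left to the lockout policy. Grouping by source address misses a spray spread across many addresses, and a window that is too short misses a slow one.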

How Does Password Spraying Affect Business?

When hackers can gather information about employees from public sources, they can rely on organizations using the same usernames internally as those that appear in the public domain.

The hacker will then combine those usernames with frequently used passwords (Password123, date of birth, and so on) to access business accounts.

Preventing Password Spraying

The simplest way to prevent password spraying, credential stuffing, and other credential-based attacks is to use an authentication solution that does not require passwords as the first factor of authentication.


Frequently Asked Questions

What is the MD5 cryptographic hash function?

MD5 is a cryptographic algorithm that takes an input of arbitrary length and produces a message digest that is 128 bits long. MD5 is used in many situations where a potentially long message needs to be processed and/or compared quickly. The most common application is the creation and verification of digital signatures.

MD5 was designed in 1991 by Ronald Rivest (the R in RSA). In 2004, serious flaws were found in MD5, and its use has since been deprecated.

What is a Rainbow Table?

A rainbow table is a precomputed table for reversing cryptographic hash functions. Rainbow tables are used for cracking password hashes. Using a rainbow table requires less computer processing time and more storage than a brute-force attack, which calculates a hash on every attempt. Salting the password hash renders the rainbow table attack infeasible.

What is Password Hash Salting?

Password hash salting is when random data – a salt – is used as an additional input to a hash function that hashes a password. The goal of salting is to defend against dictionary attacks or attacks against hashed passwords using a rainbow table.

To salt a password hash, a new salt is randomly generated for each password. The salt and the password are concatenated and then processed with a cryptographic hash function. The resulting output (but not the original password) is stored with the salt in a database.

Since salts do not have to be memorized by humans, they can make the size of the rainbow table required for a successful attack prohibitively large. Since the salt is different for each password, salts also protect commonly used passwords and users who reuse the same password on several sites, by making all salted hash instances of the same password different from each other.