The Secret Security Wiki


Password Spraying

What Is a Password Spraying Attack?

Password spraying is a form of brute-force cyberattack in which threat actors attempt to access large numbers of accounts (usernames) with a few commonly used passwords.

How Is Password Spraying Different From Other Brute–Force Attacks?

Traditional brute-force attacks target a single account with multiple possible passwords. A password spraying campaign targets multiple accounts with one password at a time. This approach keeps the would-be attacker from raising suspicions and getting locked out for making too many failed attempts (typically three to five) within a short period of time.

During a password-spray attack (known as a “low-and-slow” method), the malicious actor often tries a series of commonly used passwords (such as ‘Password1’ or ‘Summer2017’). Hackers may get information about employees from public sources and rely on organizations using the same usernames as in public domains. The hacker will use those usernames combined with frequently used passwords (Password123, date of birth…..) to access business accounts.

Some common tactics for spraying include the following:

  • Social engineering: In order to pick a legitimate target (usually an enterprise business or agency), hackers will use personal interactions and phishing emails to find lucrative targets.
  • Trying common passwords: Trying common phrases like “password” or different birth date numbers can allow access to accounts where users have not chosen strong passwords.
  • Gathering intelligence: Once inside the system, the hacker will attempt to access a user directory and expand the attack list.
  • Exfiltration: Hacking programs will then look for connected accounts that serve as a springboard into new systems connected to similar or identical credentials. From there, they look to steal additional credentials and connected data in a process known as “credit stuffing.”

How Does Password Spraying Impact Business?

These attacks are incredibly damaging to SSO and federated authentication systems where a single password grants access to multiple assets or accounts. When that’s the case, a compromised account can lead very quickly to the compromise of multiple systems and business accounts.

What Do Password Spraying Attacks Typically Target?

Campaigns frequently target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. Targeting federated authentication can help mask malicious traffic while targeting SSO helps maximize access to intellectual property if the attack succeeds. Email applications also make popular targets.

Why Are Password Spraying Attacks (still) So Successful?

It’s hard to believe that this simple method still succeeds against modern cyber defenses. Password spraying relies on the fact that many people don’t change their passwords from defaults provided by a system admin, and that many use–and reuse–common options and easy-to-guess phrases to make remembering passwords easier. Attacks also leverage the fact that many fail to rotate passwords often enough.

Preventing password spraying

The simplest way to prevent password spraying, credential stuffing, and other credential-based attacks is by rolling out a passwordless authentication solution that does not rely on “what users know”—their passwords—as the first factor of authentication.

See Secret Double Octopus Passwordless Authentication Platform

Passwordless MFA removes vulnerable passwords, taking away one of hackers’ favorite go-to techniques for gaining initial access. Passwordless MFA also represents a huge step forward toward Zero Trust security postures as defined by many industry mandates and standards.

Learn More

For more information about Passwordless MFAwatch this short video to learn how you can get started in about an hour. Or, run an ROI calculation to see how much you can save within the first year.


  • What is MD5 cryptographic hash function?

    MD5 is a cryptographic algorithm that takes an input of arbitrary length and produces a message digest that is 128 bits long. MD5 is used in many situations where a potentially long message needs to be processed and/or compared quickly. The most common application is the creation and verification of digital signatures.

    MD5 was designed by Ronald Rivest in 1991 (the R in RSA). In 2004, serious flaws were found in MD5, which meant its use has been deprecated.

  • What is a Rainbow Table?

    A rainbow table is a precomputed table for reversing cryptographic hash functions. They are used for cracking password hashes. Using a rainbow table requires less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt. Salting the password hash renders the rainbow table attack infeasible.

  • What is Password Hash Salting?

    Password hash salting is when random data – a salt – is used as an additional input to a hash function that hashes a password. The goal of salting is to defend against dictionary attacks or attacks against hashed passwords using a rainbow table.

    To salt a password hash, a new salt is randomly generated for each password. The salt and the password are concatenated and then processed with a cryptographic hash function. The resulting output (but not the original password) is stored with the salt in a database.

    Since salts do not need to be memorized by humans they can make the size of the rainbow table required for a successful attack prohibitively large. Salts are different in each password which protects commonly used passwords and those used on multiple sites since all salted hash instances for the same password are different from each other.