Skip Navigation

May 28, 2024 |

Password spraying: Tips for detection and prevention

Loading table of contents...

The average person has nearly 100 passwords to remember. Unfortunately, that's exactly why many reuse the same passwords across multiple accounts, which ultimately leaves those accounts more vulnerable to compromise.

From password spraying to credential stuffing, cybercriminals are constantly trying to crack passwords to gain initial access to user accounts, where they can then exfiltrate data, redirect financial transactions, or move laterally to other areas of the threat surface.

When they succeed in breaching a company’s accounts, they can cause millions in damages. Take the SolarWinds hack, for example, which allegedly stemmed from an intern using “solarwinds123” as a password and then sharing those credentials internally.

The good news is anyone can protect themselves from these attacks with a few simple actions. This article will help you get started. Keep reading to learn more about password spraying attacks and to find actionable tips for detecting and preventing them.

The password problem

We’ve relied on passwords to keep hackers out of our accounts for decades. When done right, they can still do that relatively effectively. But the average person simply has too many accounts to keep track of, which means we use predictable, easy-to-remember passwords like a pet’s name instead of something more complicated or obscure.

At the same time, attackers’ capabilities and tools have evolved significantly from the early days of the internet. Modern computers are incredibly fast at guessing credentials and hackers use this technology and automation to attack databases and online accounts. They’ve even mastered the specific techniques and strategies that yield the most success.

So, we have people using passwords that are simpler than they should be, while tactics for guessing them become increasingly advanced. This is largely why passwords have become more of a cybersecurity problem than the solution they were meant to be.

Password spraying & similar attacks

The first step in solving the password problem is familiarizing yourself with how hackers target accounts with weak credentials. When you know the various risks in advance, it becomes much easier to prepare for them.

With that in mind, here are some of the most common password-based cyberattacks today.

Brute force attacks

Brute force may be the easiest tactic cybercriminals try when attempting to access a site or server. It involves using a trial-and-error method with various usernames and passwords until they find the right combination.

Attackers use this method to target a single account. They often find a username online somewhere and try as many password combinations as they can to try to gain access. These attacks are often supported by automation. For example, credential stuffing is a type of brute force attack that uses automated tooling to test passwords and usernames across multiple sites.


State of cybersecurity

The main cyberattacks you need to know this year and beyond.

Download now


Account lockout policies are the best way to defend against brute-force attacks. They lock the account down after several failed login attempts (often three or five). Microsoft explains that “limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks.”

Dictionary attack

Dictionary attacks are technically a type of brute force attack, but they’re a bit more sophisticated. They try to take advantage of our tendency to use simple one-word passwords.

Hackers have created so-called “cracking dictionaries," which feature the dictionary words that are most commonly used as passwords. A cybercriminal will work through a cracking dictionary—often using automation or other tools—until lucking out and accurately guessing an account’s password.

Personalized dictionary attacks can be even more effective, although more time-consuming. They focus on words that are meaningful to one user specifically instead of everyone—a birthplace, child’s name, or pet’s name, among other options.

Key logger or keystroke attacks

Key logger attacks are more sophisticated. They involve using a program to record a user’s keystrokes. This allows the hacker to access any account the victim uses while the key logger program is active.

To perform a keystroke attack, a cybercriminal must first convince an unsuspecting user to download the malicious software. This is often done through phishing attacks, which involve sending emails that appear to be from reputable sources but contain links or files that automatically download malware on the user’s device.

Password-spraying attacks

Finally, there are password-spraying attacks. These are high-volume attacks in which a hacker takes a common password and uses it to try to log into as many different accounts as they can.

Password spraying uses the opposite technique of brute force attack. It cycles through usernames, using the same password until finding a match.

For cybercriminals, one of the key advantages of password-spraying attacks is they don’t trigger account lockouts. This allows hackers to continue targeting up to every account on a network until they find one using the password they’ve singled out.

These attacks are easier to execute than they might sound. Here’s how:

1. Gather a list of usernames

It’s not hard for cybercriminals to find a list of usernames. Most companies use common conventions for all of their accounts. Firstname.lastname@company.com or each employee’s first initial followed by their last name are two common approaches.

A would-be hacker only needs to find one person’s email address. From there, they can take a quick look at LinkedIn or an official employee directory, and copy the pattern of that first address to guess other usernames in your system. 

2. Get a list of passwords

This is even easier than step one. Here’s a list of common passwords from last year. Here’s another list. And another.

If an attacker is really motivated, they can use unique factors like your company’s geographic location to guess more unique passwords. For example, passwords using the words blue jays or the word leafs may be more common among Toronto-based businesses.

3. Find a combination that works

Now all the hacker has to do is pick a password and try it with all the accounts collected in step one. If the first one doesn’t work, they’ll simply move on to the next, again and again, for as long as they stay motivated.

Attackers need only a single successful combination to access an account. They often use that initial access to lay low, learn about your company and the working relationships within it, and eventually launch more sophisticated attacks.

Warning signs of a password spraying attack

You'll want to consider all types of password-based cyberattacks as you work on your defenses. But password-spraying attacks may be one of the more difficult to defend against since they don’t often trigger account lockout alerts.

That’s why it’s important to familiarize yourself with the three key signs of a password-spraying attack in progress:

  • An unusually high amount of login activity within a short period
  • Unusual login attempts from previously inactive (or even nonexistent) accounts
  • A sharp spike in the number of failed login attempts from active users

Expert-recommended best practices to keep your business safer.

Download the Cybersecurity 101 eBook to uncover the biggest threats to your business and five best practices to enhance your cybersecurity.

Download the eBook


If you’ve noticed any of these signs recently, it may be an indication that your company was the target of a password-spraying attack. So let’s learn how to defend your business from similar attacks in the future.

Protecting against password spraying

We recommend the following best practices to keep your private networks and users safe from spraying attacks.

Use a password manager

Generally speaking, the only way a password-spraying attack can work is if a person uses a simple, easily guessed password. And it happens all the time—it’s unrealistic to expect humans to remember 100 distinct passwords. We'd be locking ourselves out of accounts constantly while trying to recall which password we used for what platform. 

So, what’s the solution? A password manager. These generate, manage, and store as many unique credentials as you need. They can even create long, complex combinations of letters and numbers to suggest passwords that would be extremely difficult for a malicious person to guess.

The best part is you don’t have to remember any of these passwords yourself. The tool stores them for you, so as long as you remember the password to your password manager, you stay protected and can access all of your accounts.

Quick tip: Putting all your details into a password manager can be time-consuming, especially if you need to go back and change passwords to something stronger. So, set aside an afternoon for some digital spring cleaning. Import your credentials to a password manager, strengthen existing passwords, and delete old accounts you don’t use. Then let the password manager do its job for these accounts and any new ones you may create.

Add more layers of authentication

Multi-factor authentication (MFA) is another highly recommended best practice every employee should follow. MFA provides an extra layer of security. Even if someone guesses your password, they still need another form of approval before accessing the account.

There are three main forms of MFA:

  • Passwords, passphrases, or personal identification numbers (that exist on top of traditional passwords)
  • Hard tokens like USB keys or soft tokens like text messages and codes from authenticator apps
  • A unique biometric characteristic, such as a fingerprint or face ID scan

Research shows that MFA can prevent up to 99.9% of automated cyberattacks and 75% of targeted attacks. Making this one change to your accounts could be all it takes to keep you safe from password-spraying attempts.

Create robust lockout policies

When someone enters their password incorrectly too many times, they should be locked out of their account. Without such a policy, you essentially allow hackers to use unlimited password combinations to breach your accounts.

But the key is finding a balance. After all, locking legitimate users out of their accounts if they make a simple mistake while typing in their password just creates more work. That’s why many companies allow between three and five incorrect password attempts before locking an account.

On a similar note, you should also have clear policies employees can use to regain access to locked accounts. The process shouldn’t be so complicated that it disrupts productivity by keeping valid users out of their accounts for too long.

Follow the principle of least privilege

Many security experts recommend companies adopt the principle of least privilege in the workplace. This approach gives employees access to only the private networks and databases they need to do their jobs.

Instead of giving all employees access to everything by default, employees on different teams will have access to different systems based on the work they do.


Employee handbook

Your employees are your first line of defense. Set them up for success with the 2024 Employee Cybersecurity Handbook.

Download now


The principle of least privilege approach is significantly more secure than the alternative. In the event of a breach, the hacker will gain access to what the compromised employee could access instead of all of your company’s private systems, effectively limiting the attacker's impact.

Set up a monitoring tool

Password-spraying attacks leave clear traces. But you won’t be able to spot these signs to stop a potential attack unless you have clear visibility of your entire threat surface—cloud accounts included. Find a cybersecurity solution that monitors your networks 24/7, identifies unusual login activity, and either responds automatically or notifies you of the event.

Field Effect MDR goes steps beyond this by providing access to a team of security experts who can help you respond to whatever you face. Field Effect MDR protects your network, endpoints, and the cloud-based services used by most businesses today, including Microsoft 365, Amazon Web Services, Dropbox, and Google Workspace. 

Get in touch if you’d like to learn more.

The final word on password-based attacks

At the end of the day, following password best practices is an individual’s responsibility—not the burden of a manager or IT team. That’s why your company’s best defense against password-based attacks may be ensuring employees are on board with your efforts.

You can get them started on that journey by sharing our Employee Cybersecurity Handbook for 2024. It uses plain language to help employees understand the best practices for passwords and other forms of security that can help keep your company safer from would-be hackers.