
Password Spraying: How It Works & How to Prevent It

Quick Answer: Password spraying is a brute force attack that tries one common password (like Winter2026!) against many different accounts, instead of many passwords against one account. Spreading the attempts across accounts keeps each account below the lockout threshold, so it slips past defences that only count failures per account. The defences are global rate limiting, breached-password blocking, MFA, and monitoring for a high number of failed logins spread across many usernames.

Most authentication defences are built to stop an attacker guessing many passwords against a single account: that is what account lockout and per-account rate limiting are designed for. Password spraying inverts the attack to sidestep exactly those controls. It is quiet, it is effective against large user bases, and it is one of the most common techniques behind real-world account takeover. This guide explains how it works, how it differs from brute force and credential stuffing, and how to defend against it. It is a companion to our guides on brute force attacks and credential stuffing.

What Is a Password Spraying Attack?

Password spraying is a form of brute force attack where the attacker picks a small number of common passwords and tries each one against a large list of usernames. The key difference from classic brute force is direction: instead of hammering one account with thousands of guesses, the attacker sends one guess to thousands of accounts, waits, and tries the next password. Because each individual account only sees one or two failed attempts, the attack stays under per-account lockout thresholds and looks like scattered background noise.

The attack succeeds on probability. If even 1% of a company's 10,000 users chose Company@2026, a single spray of that one password against every username yields around 100 valid logins. Attackers build their password list from seasonal patterns, company names, and known-common passwords: Password1, Spring2026!, the local sports team, and so on.

# Classic brute force: many passwords, ONE account
alice : password1
alice : password2
alice : password3   -> account locks after N tries

# Password spraying: ONE password, MANY accounts
alice   : Winter2026!
bob     : Winter2026!
carol   : Winter2026!   -> each account sees only 1 failure

How Is Password Spraying Different From Brute Force and Credential Stuffing?

All three are automated authentication attacks, and attackers often chain them together. The difference is what they try and how they spread the attempts.

| Attack | What It Tries | Spread | Evades Account Lockout? |
|---|---|---|---|
| Password Spraying | A few common passwords guessed against many accounts | One password across many usernames, low and slow | Yes: each account sees very few failures |
| Brute Force | Many passwords against one account | High volume against a single account | No: triggers per-account lockout quickly |
| Credential Stuffing | Real leaked username and password pairs | One attempt per stolen pair | Often: usually one attempt per account |

The practical takeaway: account lockout alone stops classic brute force but does little against spraying or stuffing, because those attacks never make enough attempts against any one account to trip it. That is why the defences below lean on global and per-IP controls, not just per-account ones. For the full picture on those controls, see Rate Limiting and Account Lockout.
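To make the lockout column of the table concrete, here is an added example (not code from this page or from OwlAuth) of failed-login budgets kept at three scopes at once: per account, per source IP, and global across all accounts. It replays two constructed traffic patterns, a spray of one password across 30 accounts from one IP and a brute force of 10 guesses against one account, first against a per-account-only policy and then against the layered one. The window, thresholds, IP addresses and usernames are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class FailedLoginLimiter:
    """Sliding-window failed-login budgets at three scopes: per account, per source IP,
    and global (all accounts combined). A limit of None disables that scope, which is
    how the per-account-only policy the article warns about is modelled."""

    SCOPES = ("account", "ip", "global")

    def __init__(self, window=timedelta(minutes=15), per_account=5, per_ip=20, global_limit=200):
        self.window = window
        self.limits = {"account": per_account, "ip": per_ip, "global": global_limit}
        self.failures = {scope: defaultdict(deque) for scope in self.SCOPES}

    @staticmethod
    def _keys(username, src_ip):
        return (("account", username), ("ip", src_ip), ("global", "*"))

    def blocked_scopes(self, username, src_ip, now):
        """Scopes whose budget is already spent; an empty list means the attempt may proceed."""
        hit = []
        for scope, key in self._keys(username, src_ip):
            q = self.failures[scope][key]
            while q and q[0] <= now - self.window:   # drop failures that left the window
                q.popleft()
            limit = self.limits[scope]
            if limit is not None and len(q) >= limit:
                hit.append(scope)
        return hit

    def record_failure(self, username, src_ip, now):
        for scope, key in self._keys(username, src_ip):
            self.failures[scope][key].append(now)


def simulate(limiter, attempts, start=datetime(2026, 1, 12, 9, 0, 0), step=timedelta(seconds=10)):
    """Replay (username, src_ip) attempts that all carry a wrong password, 10 s apart,
    and report how many reached the password check and which scope stopped the rest."""
    allowed, blocked_by = 0, defaultdict(int)
    for i, (username, src_ip) in enumerate(attempts):
        now = start + i * step
        hit = limiter.blocked_scopes(username, src_ip, now)
        if hit:
            blocked_by[hit[0]] += 1     # first scope listed wins: account, then ip, then global
            continue
        allowed += 1
        limiter.record_failure(username, src_ip, now)
    return {"allowed": allowed, "blocked_by": dict(blocked_by)}


# Constructed traffic: a spray of one password across 30 accounts from one IP,
# and a classic brute force of 10 guesses against a single account.
SPRAY = [(f"user{i:02d}", "203.0.113.7") for i in range(30)]
BRUTE_FORCE = [("alice", "203.0.113.8")] * 10

if __name__ == "__main__":
    print("per-account lockout only:", simulate(FailedLoginLimiter(per_ip=None, global_limit=None), SPRAY))
    print("per-IP and global limits:", simulate(FailedLoginLimiter(), SPRAY))
    print("brute force vs. lockout:", simulate(FailedLoginLimiter(), BRUTE_FORCE))
```

Running it shows the per-account-only policy passing all 30 spray attempts to the password check without locking a single account, while the per-IP budget stops the same spray after 20 attempts and the per-account budget stops the brute force after 5. The simulation does not count blocked attempts toward the budgets; a production limiter would normally keep counting them so that a blocked client cannot probe the edge of the window.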

Why Do Password Spraying Attacks Succeed?

  • Predictable passwords are everywhere. In any large user base, a meaningful fraction will choose a password that matches a common seasonal or company-themed pattern, which is exactly what attackers spray.
  • Per-account lockout is the only control in place. Many applications count failures per account and nothing else, so an attack spread thinly across thousands of accounts never triggers a single lockout.
  • No global rate limiting. Without a limit on total failed logins across the whole application, 5,000 failures spread across 5,000 accounts looks the same as normal traffic.
  • Single sign-on multiplies the payoff. One sprayed password that hits an SSO or Microsoft 365 account can unlock email, files, and dozens of connected apps at once.
  • Legacy and non-interactive endpoints. Older protocols (IMAP, SMTP, legacy auth) and API endpoints often bypass MFA and modern lockout, giving attackers a softer target to spray.

How Do You Detect Password Spraying?

Spraying is invisible if you only watch individual accounts. The signal appears when you aggregate failed logins across the whole application over time.

  • A spike in the total number of failed logins across many distinct usernames in a short window, even though no single account has many failures
  • A large number of accounts each seeing exactly one or two failed attempts from the same IP address or subnet
  • Failed logins arriving at a steady, machine-like cadence rather than in the irregular bursts real users produce
  • Authentication attempts against dormant or non-existent usernames, which real users would not generate
  • Failures concentrated on legacy endpoints or protocols that do not enforce MFA

-- Spraying signal: one IP, one password window,
-- MANY distinct usernames, ~1 failure each
SELECT src_ip, COUNT(DISTINCT username) AS accounts_tried
FROM auth_failures
WHERE ts > now() - interval '15 minutes'
GROUP BY src_ip
HAVING COUNT(DISTINCT username) > 25;   -- alert threshold
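The same aggregation in application code, as an added example that is not from the page or from OwlAuth: it takes failed-login records, keeps those inside the 15-minute window, groups them by source IP and flags any source that has tried at least 25 distinct usernames with no account failing more than twice. It also reports two of the secondary signals from the list above, usernames that do not exist in the directory and a steady machine-like cadence. The timestamps, IP addresses, usernames and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed inputs for this example (not from the page): a fixed reference time,
# a user directory, and failed-login records as (timestamp, source IP, username).
NOW = datetime(2026, 1, 12, 9, 30, 0)
KNOWN_USERS = {f"user{i:02d}" for i in range(1, 30)} | {"alice", "bob", "carol", "dave"}


def _one_each(src_ip, usernames, start, step_seconds):
    """Constructed spray traffic: every username once, at a fixed cadence."""
    return [(start + timedelta(seconds=i * step_seconds), src_ip, u)
            for i, u in enumerate(usernames)]


SPRAY_TARGETS = [u for u in sorted(KNOWN_USERS) if u != "dave"][:28] + ["svc_backup", "jsmith"]

SAMPLE_FAILURES = (
    # Spray signature: one IP, 30 distinct usernames (two of them not in the directory),
    # exactly one failure each, arriving every 10 seconds.
    _one_each("203.0.113.7", SPRAY_TARGETS, NOW - timedelta(minutes=10), 10)
    # A real user mistyping their password: one account, three irregularly spaced failures.
    + [(NOW - timedelta(minutes=8), "198.51.100.4", "dave"),
       (NOW - timedelta(minutes=7, seconds=41), "198.51.100.4", "dave"),
       (NOW - timedelta(minutes=2, seconds=5), "198.51.100.4", "dave")]
    # A stale failure outside the 15-minute window, which must be ignored.
    + [(NOW - timedelta(hours=2), "203.0.113.9", "alice")]
)


def detect_spray(failures, now=NOW, known_users=KNOWN_USERS, window=timedelta(minutes=15),
                 min_accounts=25, max_per_account=2):
    """Return one alert per source IP whose recent failures match the spraying signature:
    many distinct usernames, each failing at most max_per_account times."""
    by_ip = defaultdict(list)
    for ts, src_ip, username in failures:
        if now - window <= ts <= now:              # same window as the SQL query
            by_ip[src_ip].append((ts, username))

    alerts = []
    for src_ip, attempts in by_ip.items():
        per_user = Counter(username for _, username in attempts)
        if len(per_user) < min_accounts or max(per_user.values()) > max_per_account:
            continue                                # not spread wide enough, or too deep per account
        times = sorted(ts for ts, _ in attempts)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        alerts.append({
            "src_ip": src_ip,
            "accounts_tried": len(per_user),
            "max_failures_per_account": max(per_user.values()),
            # Attempts against usernames real users would not generate.
            "unknown_usernames": sorted(u for u in per_user if u not in known_users),
            # Near-constant spacing between attempts is the machine-like cadence.
            "steady_cadence": len(gaps) >= 2 and pstdev(gaps) < 2.0,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_FAILURES):
        print(alert)
```

On the constructed data only 203.0.113.7 is reported: 30 accounts tried, at most one failure per account, two usernames absent from the directory and a cadence with zero variance. The user who mistyped three times is never considered because a single account is far below the distinct-username threshold, and the two-hour-old failure is dropped before grouping.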

How to Prevent Password Spraying: OWASP Checklist

Password Spraying Prevention Checklist
  1. Enforce multi-factor authentication for all users. MFA is the single most effective control: a sprayed password alone is not enough to log in.
  2. Add global and per-IP rate limiting, not just per-account lockout. Cap the total failed logins the application will accept across all accounts in a time window.
  3. Block common and breached passwords at registration and password change using the HaveIBeenPwned Pwned Passwords API and a strength library such as zxcvbn.
  4. Ban predictable patterns: season plus year, company name plus digits, and keyboard walks like qwerty. These are exactly what spraying tries first.
  5. Disable legacy authentication protocols (IMAP, POP, legacy SMTP) that bypass MFA and modern lockout.
  6. Monitor for a high count of failed logins spread across many distinct usernames from one IP or subnet, and alert on it.
  7. Use CAPTCHA or a proof-of-work challenge on the login endpoint after unusual volumes of failures across accounts.
  8. Apply the same protections to password reset, SSO, and API login endpoints, which are common spraying targets.
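For checklist items 3 and 4, the breached-password lookup is a call to the Pwned Passwords API, but the pattern ban is local policy. Here is an added example of that policy (not code from this page or from OwlAuth): it normalises a candidate password and rejects season plus year, company name plus digits, common words and keyboard walks. It goes one step beyond the checklist by also undoing the usual symbol-for-letter substitutions, so that P@ssw0rd is judged as password. COMPANY_NAMES, the word lists and the reference date are assumptions to be replaced with the organisation's own values.

```python
import re
from datetime import date

# Constructed policy inputs for this example (not from the page): the organisation's
# own names go in COMPANY_NAMES; the other lists are illustrative, not exhaustive.
COMPANY_NAMES = {"company", "acme", "acmecorp"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "changeme"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "1q2w3e", "123456", "1234")
# Undo the usual symbol-for-letter substitutions: @->a, $->s, 0->o, 1->i, 3->e, 4->a, 5->s.
LEET = str.maketrans("@$01345", "asoieas")
# Constructed reference date so the year check is reproducible.
EXAMPLE_TODAY = date(2026, 3, 1)


def predictable_reason(password, today=EXAMPLE_TODAY, company_names=COMPANY_NAMES):
    """Return a short reason if the password matches a pattern a spray list would
    contain, or None if it matches none of them."""
    years = {str(today.year + d) for d in (-1, 0, 1)}
    years |= {y[-2:] for y in years}                      # also "26" for 2026
    core = re.sub(r"[^a-z0-9@$]", "", password.lower())   # drop separators, keep year digits

    # Shape "word + digits", e.g. Winter2026!, Company@2026, Password1.
    m = re.fullmatch(r"([a-z@$]+)(\d*)", core)
    if m:
        word = m.group(1).strip("@$").translate(LEET)
        digits = m.group(2)
        if word in SEASONS and digits in years:
            return "season plus year"
        if word in company_names and digits:
            return "company name plus digits"
        if word in COMMON_WORDS:
            return "common password"
    # Substitutions inside the word, e.g. P@ssw0rd: strip trailing digits, then undo them.
    if re.sub(r"\d+$", "", core).translate(LEET) in COMMON_WORDS:
        return "common password"
    for walk in KEYBOARD_WALKS:
        if walk in core:
            return f"keyboard walk '{walk}'"
    return None


def audit(passwords, today=EXAMPLE_TODAY):
    """Map each candidate password to the reason it is rejected (None means it passes)."""
    return {pw: predictable_reason(pw, today) for pw in passwords}


if __name__ == "__main__":
    candidates = ["Winter2026!", "Company@2026", "Password1", "P@ssw0rd",
                  "Qwerty2026", "correct horse battery staple"]
    for pw, reason in audit(candidates).items():
        print(f"{pw!r:34} -> {reason or 'ok'}")
```

This check is a complement to zxcvbn and the breached-password lookup, not a replacement: it catches the organisation-specific patterns (the company name, next season's year) that a generic strength estimator and a global breach corpus do not know about.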

Why Is MFA the Most Effective Defence Against Spraying?

Password spraying wins by finding the small percentage of users with a guessable password. Multi-factor authentication breaks that model completely: even when the attacker guesses the correct password, they still lack the second factor, so the login fails. Unlike lockout thresholds, which spraying is specifically designed to evade, MFA does not depend on counting failed attempts. It changes what a valid login requires.

MFA is not a reason to skip the other controls. Attackers respond to MFA by spraying legacy endpoints that do not enforce it, or by pairing spraying with MFA-fatigue push bombing. Combine MFA with global rate limiting, breached-password blocking, and legacy-protocol shutdown for defence in depth. To remove guessable passwords from the equation entirely, consider passwordless magic links.

What Does OWASP Say About Password Spraying?

OWASP treats password spraying as a variant of brute force and addresses it in the Authentication and Credential Stuffing Cheat Sheets and the ASVS 5.0 V2 controls. The core recommendations are to block breached and common passwords (V2.1.7), rate limit authentication endpoints (V2.2.1), log all authentication failures (V2.2.6), and offer multi-factor authentication (V2.2.3). OWASP specifically notes that per-account lockout is insufficient on its own because attacks like spraying and stuffing distribute attempts to stay beneath it, which is why application-wide monitoring and rate limiting are required.

Related reading: Spraying, brute force, and credential stuffing share the same defences. Read brute force attack prevention, credential stuffing prevention, and rate limiting and account lockout for the complete authentication defence picture. OwlAuth ships breached-password blocking and failed-attempt tracking out of the box.

References

  1. OWASP Authentication Cheat Sheet
  2. OWASP Credential Stuffing Prevention Cheat Sheet
  3. MITRE ATT&CK: Password Spraying (T1110.003)

Q&A Section

Password spraying is when an attacker takes one common password and tries it against a large list of usernames, then moves on to the next common password. Because each account only gets one or two guesses, the attack stays under account lockout limits that would stop a normal brute force attack. It works because in any large group of users, some will have chosen a predictable password like Winter2026! or Company@2026.

Classic brute force targets one account with many password guesses, which quickly triggers account lockout. Password spraying targets many accounts with a few common passwords, so each account sees very few failures and lockout never triggers. Spraying trades depth for breadth specifically to evade per-account defences, which is why stopping it requires global and per-IP rate limiting rather than lockout alone.

Not on its own. Account lockout counts failed attempts per account and locks that account after a threshold. Password spraying is designed to stay below that threshold by spreading a single password across thousands of accounts. To stop spraying you need application-wide controls: global rate limiting on total failed logins, per-IP limits, monitoring for many distinct usernames failing from one source, and multi-factor authentication.

Look at failed logins in aggregate rather than per account. The signature of spraying is a large number of distinct usernames each failing once or twice, often from the same IP address or subnet, arriving at a steady automated cadence. Attempts against dormant or non-existent accounts and failures concentrated on legacy endpoints that bypass MFA are also strong indicators.

MFA is the most effective single defence because a guessed password alone cannot complete the login, but it is not a complete solution by itself. Attackers respond by spraying legacy protocols that bypass MFA or by combining spraying with MFA-fatigue push notifications. Enforce MFA everywhere, disable legacy authentication, block breached passwords, and add global rate limiting so the controls reinforce each other.