Password Spraying: How It Works & How to Prevent It
Winter2026!) against many different accounts, instead of many passwords against one account. Spreading the attempts across accounts keeps each account below the lockout threshold, so it slips past defences that only count failures per account. The defences are global rate limiting, breached-password blocking, MFA, and monitoring for a high number of failed logins spread across many usernames.

Most authentication defences are built to stop an attacker guessing many passwords against a single account: that is what account lockout and per-account rate limiting are designed for. Password spraying inverts the attack to sidestep exactly those controls. It is quiet, it is effective against large user bases, and it is one of the most common techniques behind real-world account takeover. This guide explains how it works, how it differs from brute force and credential stuffing, and how to defend against it. It is a companion to our guides on brute force attacks and credential stuffing.
What Is a Password Spraying Attack?
Password spraying is a form of brute force attack where the attacker picks a small number of common passwords and tries each one against a large list of usernames. The key difference from classic brute force is direction: instead of hammering one account with thousands of guesses, the attacker sends one guess to thousands of accounts, waits, and tries the next password. Because each individual account only sees one or two failed attempts, the attack stays under per-account lockout thresholds and looks like scattered background noise.
The attack succeeds on probability. If even 1% of a company's 10,000 users chose Company@2026, a single spray of that one password against every username yields around 100 valid logins. Attackers build their password list from seasonal patterns, company names, and known-common passwords: Password1, Spring2026!, the local sports team, and so on.
```text
# Classic brute force: many passwords, ONE account
alice : password1
alice : password2
alice : password3 -> account locks after N tries

# Password spraying: ONE password, MANY accounts
alice : Winter2026!
bob   : Winter2026!
carol : Winter2026! -> each account sees only 1 failure
```
How Is Password Spraying Different From Brute Force and Credential Stuffing?
All three are automated authentication attacks, and attackers often chain them together. The difference is what they try and how they spread the attempts.
| Attack | What It Tries | Spread | Evades Account Lockout? |
|---|---|---|---|
| Password Spraying | A few common passwords guessed against many accounts | One password across many usernames, low and slow | Yes: each account sees very few failures |
| Brute Force | Many passwords against one account | High volume against a single account | No: triggers per-account lockout quickly |
| Credential Stuffing | Real leaked username and password pairs | One attempt per stolen pair | Often: usually one attempt per account |
The practical takeaway: account lockout alone stops classic brute force but does little against spraying or stuffing, because those attacks never make enough attempts against any one account to trip it. That is why the defences below lean on global and per-IP controls, not just per-account ones. For the full picture on those controls, see Rate Limiting and Account Lockout.
Why Do Password Spraying Attacks Succeed?
- Predictable passwords are everywhere. In any large user base, a meaningful fraction will choose a password that matches a common seasonal or company-themed pattern, which is exactly what attackers spray.
- Per-account lockout is the only control in place. Many applications count failures per account and nothing else, so an attack spread thinly across thousands of accounts never triggers a single lockout.
- No global rate limiting. Without a limit on total failed logins across the whole application, 5,000 failures spread across 5,000 accounts looks the same as normal traffic.
- Single sign-on multiplies the payoff. One sprayed password that hits an SSO or Microsoft 365 account can unlock email, files, and dozens of connected apps at once.
- Legacy and non-interactive endpoints. Older protocols (IMAP, SMTP, legacy auth) and API endpoints often bypass MFA and modern lockout, giving attackers a softer target to spray.
How Do You Detect Password Spraying?
Spraying is invisible if you only watch individual accounts. The signal appears when you aggregate failed logins across the whole application over time.
- A spike in the total number of failed logins across many distinct usernames in a short window, even though no single account has many failures
- A large number of accounts each seeing exactly one or two failed attempts from the same IP address or subnet
- Failed logins arriving at a steady, machine-like cadence rather than in the irregular bursts real users produce
- Authentication attempts against dormant or non-existent usernames, which real users would not generate
- Failures concentrated on legacy endpoints or protocols that do not enforce MFA
```sql
-- Spraying signal: one IP, one password window,
-- MANY distinct usernames, ~1 failure each
SELECT src_ip, COUNT(DISTINCT username) AS accounts_tried
FROM auth_failures
WHERE ts > now() - interval '15 minutes'
GROUP BY src_ip
HAVING COUNT(DISTINCT username) > 25; -- alert threshold
```
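The same aggregation, run over log lines in code rather than SQL, as an added example that is not part of the original article. It goes one step further than the query above by separating a spraying source (many accounts, one or two failures each) from a brute-force source (few accounts, many failures each). The log format, the IP addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data). The format is an assumption:
#   <iso-timestamp> src=<ip> user=<name> result=FAIL
SPRAY_SRC, BRUTE_SRC, USER_SRC = "203.0.113.5", "198.51.100.7", "192.0.2.9"
SAMPLE_LINES = (
    # spraying: one password window, 30 distinct accounts, one failure each
    [f"2026-01-15T10:00:{i:02d}Z src={SPRAY_SRC} user=user{i:02d} result=FAIL" for i in range(30)]
    # classic brute force: one account, ten failures from one source
    + [f"2026-01-15T10:01:{i:02d}Z src={BRUTE_SRC} user=alice result=FAIL" for i in range(10)]
    # a real user mistyping once
    + [f"2026-01-15T10:02:00Z src={USER_SRC} user=carol result=FAIL"]
    # an old failure outside the 15-minute window, which must be ignored
    + [f"2026-01-15T08:00:00Z src={SPRAY_SRC} user=zed result=FAIL"]
)
NOW = datetime(2026, 1, 15, 10, 5, tzinfo=timezone.utc)
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=FAIL$")

def failures_by_source(lines, now, window=timedelta(minutes=15)):
    """Map src_ip -> {username: failure_count} for failures inside the window."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if ts < now - window:
            continue
        per_ip[m["ip"]][m["user"]] += 1
    return per_ip

def detect_spraying(lines, now, min_accounts=25, max_per_account=2):
    """Spraying signal: many distinct usernames from one source, each with
    only one or two failures. A source with many failures against few
    accounts is brute force, not spraying, and is reported separately."""
    spray, brute = {}, {}
    for ip, users in failures_by_source(lines, now).items():
        worst = max(users.values())
        summary = {"accounts_tried": len(users), "max_failures_per_account": worst}
        if len(users) >= min_accounts and worst <= max_per_account:
            spray[ip] = summary
        elif worst > max_per_account:
            brute[ip] = summary
    return spray, brute
```

A real spray may rotate source IPs to stay under the per-IP threshold too, so the distinct-username count across all sources is worth alerting on as well.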
How to Prevent Password Spraying: OWASP Checklist
1. Enforce multi-factor authentication for all users. MFA is the single most effective control: a sprayed password alone is not enough to log in.
2. Add global and per-IP rate limiting, not just per-account lockout. Cap the total failed logins the application will accept across all accounts in a time window.
3. Block common and breached passwords at registration and password change using the HaveIBeenPwned Pwned Passwords API and a strength library such as zxcvbn.
4. Ban predictable patterns: season plus year, company name plus digits, and keyboard walks like qwerty. These are exactly what spraying tries first.
5. Disable legacy authentication protocols (IMAP, POP, legacy SMTP) that bypass MFA and modern lockout.
6. Monitor for a high count of failed logins spread across many distinct usernames from one IP or subnet, and alert on it.
7. Use CAPTCHA or a proof-of-work challenge on the login endpoint after unusual volumes of failures across accounts.
8. Apply the same protections to password reset, SSO, and API login endpoints, which are common spraying targets.
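To make item 2 concrete, here is an added example (not code from the article or any named product) of a login throttle that counts failures at three scopes at once: per account, per source IP and globally. The simulation shows why per-account lockout alone never fires on a spray, while a global cap does. The limits, window and address ranges are illustrative assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failure counter at three scopes. Limits are assumed
    values for illustration: tune them to the application's real traffic."""
    def __init__(self, window_s=900, per_account=5, per_ip=20, global_limit=100):
        self.window_s = window_s
        self.limits = {"account": per_account, "ip": per_ip, "global": global_limit}
        self.failures = defaultdict(deque)  # scope key -> failure timestamps

    def _count(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - self.window_s:  # drop expired entries
            q.popleft()
        return len(q)

    def blocked_by(self, username, ip, now):
        """Return the scope that blocks this attempt, or None if it is allowed."""
        for scope, key in (("account", f"account:{username}"), ("ip", f"ip:{ip}"), ("global", "global")):
            if self._count(key, now) >= self.limits[scope]:
                return scope
        return None

    def record_failure(self, username, ip, now):
        for key in (f"account:{username}", f"ip:{ip}", "global"):
            self.failures[key].append(now)

def simulate_spray(throttle, n_accounts, n_ips, start=0.0):
    """Model one sprayed password: one failed attempt per account, one per
    second, rotating across n_ips source addresses. Returns how many attempts
    the throttle let through and which scope first blocked one."""
    allowed, first_block = 0, None
    for i in range(n_accounts):
        user, ip, t = f"user{i}", f"10.0.0.{i % n_ips}", start + i
        scope = throttle.blocked_by(user, ip, t)
        if scope:
            first_block = first_block or scope
            continue
        allowed += 1
        throttle.record_failure(user, ip, t)
    return allowed, first_block
```

With only per-account lockout configured, 500 accounts sprayed from 50 addresses all go through; with the global cap in place, the spray is cut off after 100 failures even though no account or address is anywhere near its own limit.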
Why Is MFA the Most Effective Defence Against Spraying?
Password spraying wins by finding the small percentage of users with a guessable password. Multi-factor authentication breaks that model completely: even when the attacker guesses the correct password, they still lack the second factor, so the login fails. Unlike lockout thresholds, which spraying is specifically designed to evade, MFA does not depend on counting failed attempts. It changes what a valid login requires.
MFA is not a reason to skip the other controls. Attackers respond to MFA by spraying legacy endpoints that do not enforce it, or by pairing spraying with MFA-fatigue push bombing. Combine MFA with global rate limiting, breached-password blocking, and legacy-protocol shutdown for defence in depth. To remove guessable passwords from the equation entirely, consider passwordless magic links.
What Does OWASP Say About Password Spraying?
OWASP treats password spraying as a variant of brute force and addresses it in the Authentication and Credential Stuffing Cheat Sheets and the ASVS 5.0 V2 controls. The core recommendations are to block breached and common passwords (V2.1.7), rate limit authentication endpoints (V2.2.1), log all authentication failures (V2.2.6), and offer multi-factor authentication (V2.2.3). OWASP specifically notes that per-account lockout is insufficient on its own because attacks like spraying and stuffing distribute attempts to stay beneath it, which is why application-wide monitoring and rate limiting are required.