Password Spraying: A Silent Threat to Your Organization’s Security


Unlike brute-force or dictionary attacks that hammer a single account with dozens of password guesses, password spraying tries just one or two common passwords against hundreds or thousands of accounts.

For example, an attacker might try Spring2024! or Welcome1 against every account in a company's employee directory. Because each account sees only one or two failed attempts, per-user lockout protections never trigger, and the attempts stay below the threshold most monitoring is tuned for.

The process is low and slow, but effective, especially against organizations with weak password hygiene and no MFA enforcement.

Why Password Spraying Works

Most organizations have account lockout rules to stop brute-force attacks, but those rules usually count failed attempts per user, not per source IP or across the whole tenant. That is exactly what password spraying exploits: one guess against each of a thousand accounts is a thousand failures the lockout policy never adds up. And a single user who chose a weak or reused password is enough to give the attacker a foothold.

Large-scale campaigns, like the UNK_SneakyStrike attack on over 80,000 Microsoft Entra accounts, rely precisely on password spraying: a few guesses per user across many accounts, routed through multiple AWS regions so that no single source IP stands out.

Campaigns at that scale show that password spraying isn't just an opportunistic script-kiddie tactic; it's part of the standard toolkit for high-impact, organized groups.

How to Defend Against Password Spraying

Password spraying is effective because it’s subtle. Stopping it requires taking away the attacker’s advantages, namely, weak passwords and inconsistent detection mechanisms.

Here’s what works:

Enforce Strong Password Policies: Require long, unique passwords and screen new passwords against breach databases and "most common" lists. Note that Spring2024! and Welcome1 both satisfy typical complexity rules (mixed case, a digit, a symbol), which is why complexity alone does not stop spraying.

Enable Multi-Factor Authentication (MFA): Even if a password is guessed, the attacker still cannot log in without the second factor, and a successful guess shows up as an MFA prompt the user did not initiate.

Monitor for Unusual Login Patterns: Look for many failed login attempts spread across different accounts from the same IP address, ASN, or region, with only one or two failures per account. The signature is a high count of distinct usernames failing, not a high count of failures on any one user.

Apply Smart Lockout Policies: Don't rely solely on per-user lockouts. Add per-source rate limiting, device fingerprinting, or tenant-wide thresholds on the number of distinct accounts failing within a window.

Use Identity Providers with Anomaly Detection: Platforms like Okta, Microsoft Entra ID (formerly Azure AD), or Duo can flag suspicious login behavior, such as logins from unusual locations or impossible-travel scenarios.

Organizations need to know which credentials are already compromised. The Bolster Insights Dashboard provides users with an easy-to-access view of credentials exposed on the dark web (no manual analysis required). Organizations gain visibility into specific exposed passwords, the Bolster-identified source of the breach, and receive actionable remediation guidance along with predicted risk levels. Learn more about dark web monitoring.

Reduce Your Exposure

Password spraying thrives on the assumption that at least one user in your environment is using a weak or reused password. For attackers, that’s all it takes. And because these attempts often blend into normal login traffic, they’re easy to miss—until it’s too late.

Stopping this type of attack doesn’t require advanced tools. It requires discipline: enforce strong passwords, require MFA, and monitor for patterns that most systems overlook. The earlier you catch it, the less damage you’ll have to contain.

How Bolster can help

Bolster offers an extensive monitoring capability that helps detect password spraying and many other threats to your IT security, eliminating the need for trust & safety professionals to spend hours researching, analyzing, and documenting issues.

Bolster is disrupting the legacy manual efforts associated with protecting enterprise external attack surfaces by incorporating state-of-the-art technology to fully automate the detection, analysis, and rapid removal of fraudulent sites and content. To learn more, contact us for a demo.