Password Spray

An automated attack where attackers try a small number of very common passwords against many email addresses or usernames, looking for accounts with weak or predictable passwords without triggering per-account lockouts.

Password spray (also password spraying) is an automated attack where attackers test a small set of very common passwords against a large list of email addresses or usernames. Unlike classic brute-force attacks, which try many passwords against a single account, password spray inverts the logic: one password, many accounts. This sidesteps most lockout mechanisms, which trigger after a number of failed attempts per account.

How It Works

  1. Attackers obtain a list of valid usernames or email addresses (often from prior breaches, OSINT, or predictable address conventions like [email protected])
  2. They pick a few common or context-relevant passwords (Welcome1, Summer2026!, Company2025!, or default passwords from onboarding processes)
  3. Each account is tried with only one or two passwords (low-and-slow), often spread over hours or days
  4. Hits are used for account takeover, lateral movement, or follow-on attacks

Why Password Spray Works

Success rates are typically 1% to 5% per spray campaign. In a large organization, that’s enough to compromise several accounts. The attack does not target specific people; it targets the statistical predictability of human password choices. Seasonal patterns (Spring2026!), company names (MyCompanyInc2025), and default onboarding passwords are particularly vulnerable.

Example: Midnight Blizzard 2024

A documented example is Midnight Blizzard, the state-sponsored actor that breached Microsoft corporate accounts in early 2024 via a password spray against a legacy test account without MFA enabled, reaching senior leadership and security team mailboxes. Microsoft described the method as low-and-slow with targeted account selection, designed to stay below detection thresholds.

Protection

  • Unique, random passwords per account. A password manager generates passwords no spray attack can hit, because they don’t sit in the distribution of common human-chosen passwords.
  • 2FA on important accounts. Even when a password is guessed, a second factor blocks the login. Hardware keys and TOTP apps are more robust than SMS codes.
  • Lockout and anomaly detection. Provider-side smart login limits that consider source IP and time window (not just the per-account failure count) reduce the effectiveness of password spray, because a spray keeps every single account below its lockout threshold while one source racks up failures across many accounts.
  • Conditional access and risk-based auth. Identity providers like Entra ID, Okta, or Google Workspace can add friction for sign-ins from unusual countries or devices.
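The following is an added example, not code from the original page or from any identity provider: a small Python detector that shows why a per-account lockout counter misses a spray while a per-source-IP, sliding-window count of distinct failed usernames catches it. The log format, the IP addresses (documentation ranges), the usernames and the thresholds are all constructed assumptions for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Format assumed here: timestamp, source IP, username, outcome.
# 203.0.113.7 sprays one guess each across six accounts and lands one hit;
# 198.51.100.4 is a user mistyping their own password twice.
SAMPLE_LOG = """\
2026-03-02T08:00:01Z 203.0.113.7 alice FAIL
2026-03-02T08:00:03Z 203.0.113.7 bob FAIL
2026-03-02T08:00:05Z 203.0.113.7 carol FAIL
2026-03-02T08:00:07Z 203.0.113.7 dave FAIL
2026-03-02T08:00:09Z 203.0.113.7 erin FAIL
2026-03-02T08:00:11Z 203.0.113.7 frank SUCCESS
2026-03-02T08:01:00Z 198.51.100.4 alice FAIL
2026-03-02T08:01:30Z 198.51.100.4 alice FAIL
2026-03-02T08:02:00Z 198.51.100.4 alice SUCCESS
2026-03-02T09:30:00Z 192.0.2.9 grace FAIL
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def per_account_lockouts(events, threshold=5):
    """Classic lockout logic: lock a username after `threshold` failures.

    A spray sends one or two guesses per account, so no account reaches
    the threshold and this returns nothing for the sample above.
    """
    counts = defaultdict(int)
    for _, _, user, outcome in events:
        if outcome == "FAIL":
            counts[user] += 1
    return sorted(user for user, c in counts.items() if c >= threshold)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail against >= min_accounts distinct usernames
    within a sliding time window. Returns {ip: sorted list of targeted users}."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures in window
    alerts = {}
    for ts, ip, user, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_accounts:
            alerts[ip] = sorted(distinct)
    return alerts


def successes_from_flagged_ips(events, alerts):
    """Triage helper: successful logins from a flagged IP are the likely
    account takeovers to investigate (and to force a reset / MFA on)."""
    hits = defaultdict(list)
    for _, ip, user, outcome in sorted(events):
        if ip in alerts and outcome == "SUCCESS":
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(evs))
    alerts = detect_spray(evs)
    print("spray sources:", alerts)
    print("probable hits:", successes_from_flagged_ips(evs, alerts))
```

The two functions run over the same ten events: `per_account_lockouts` finds nothing, because no single username fails five times, while `detect_spray` flags 203.0.113.7 after its fifth distinct account and `successes_from_flagged_ips` points at `frank` as the account to investigate. In a real deployment the window and distinct-account threshold need tuning against NAT gateways and shared egress IPs, which legitimately produce many users per source.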

Password Spray vs. Credential Stuffing

  • Credential stuffing: Real username/password pairs from a breach are tested against many services. Succeeds when you reuse passwords.
  • Password spray: A few common passwords are tested against many accounts. Succeeds when your password is predictable.

Both attacks are defeated by the same tool: a unique, random password per service.