
Password Spraying


Password spraying is an attack where an attacker tries a small set of common passwords across many accounts, instead of trying many passwords against one account.

Spraying is designed to stay below per-account lockout thresholds and to blend into normal authentication noise.

Why it matters for account recovery

Spraying matters for recovery in organizational environments because it often targets email and single sign-on accounts. One successful login can become a broad incident.

Common failure modes and misconceptions

  • Weak password policies: Common or predictable passwords make spraying cheap and quiet.
  • No monitoring for failed sign-ins: Spraying shows up as a low rate of failures spread across many accounts, not a burst against one.
  • Over-reliance on lockouts: Lockouts help, but spraying is adapted to avoid triggering them.

Safe best practices

  • Enforce strong passwords and remove legacy authentication where possible.
  • Require strong MFA for email and SSO accounts (see 2FA).
  • Monitor failed sign-ins and anomalous geographies across many accounts, not only one account.
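As an added illustration (not part of the original article) of the detection point above: a lockout rule that counts failures per account never fires on a spray, while a rule that counts distinct accounts per source does, and a success from a flagged source is the login to triage first. The log lines, IP addresses and thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (timestamp account source_ip result): one source
# makes a single guess against each of five accounts, then lands on the sixth.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice 203.0.113.7 FAIL
2024-05-01T09:00:14Z bob 203.0.113.7 FAIL
2024-05-01T09:00:27Z carol 203.0.113.7 FAIL
2024-05-01T09:00:40Z dave 203.0.113.7 FAIL
2024-05-01T09:00:53Z erin 203.0.113.7 FAIL
2024-05-01T09:01:06Z frank 203.0.113.7 SUCCESS
"""
WINDOW = timedelta(minutes=10)  # assumed detection window

def parse(log):
    """Return (timestamp, account, ip, result) tuples sorted by time."""
    return sorted((datetime.fromisoformat(ts.replace("Z", "+00:00")), u, ip, r)
                  for ts, u, ip, r in (line.split() for line in log.splitlines()))

def failures_by(events, key):
    # Group FAIL events by account (key=1) or by source IP (key=2).
    groups = defaultdict(list)
    for ev in events:
        if ev[3] == "FAIL":
            groups[ev[key]].append(ev)
    return groups

def per_account_lockouts(events, threshold=5, window=WINDOW):
    """Accounts a per-account lockout rule would lock: >= threshold failures in a window."""
    locked = set()
    for user, evs in failures_by(events, 1).items():
        if any(sum(1 for e in evs[i:] if e[0] - t <= window) >= threshold
               for i, (t, *_) in enumerate(evs)):
            locked.add(user)
    return locked

def spray_sources(events, min_accounts=5, window=WINDOW):
    """Source IPs whose failures span >= min_accounts distinct accounts in a window."""
    flagged = {}
    for ip, evs in failures_by(events, 2).items():
        for i, (t, *_) in enumerate(evs):
            users = {e[1] for e in evs[i:] if e[0] - t <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged

def successes_from(events, flagged):
    # Successful logins from flagged sources: the one login that becomes the incident.
    return [(u, ip) for _t, u, ip, r in events if r == "SUCCESS" and ip in flagged]
```

On the sample log, `per_account_lockouts` returns nothing because no account sees more than one failure, while `spray_sources` flags the single source and `successes_from` points at the account to review.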


Password spraying succeeds when authentication is treated as a per-account problem. Defenses work best when password policy and detection are centralized across all accounts.