Most people picture a password attack as a computer hammering one login box with millions of guesses. Password spraying is the opposite, and that is exactly what makes it dangerous. Instead of many guesses against one account, it uses one common password against many accounts - a quiet approach designed to slip straight past the defences built to stop ordinary guessing.
What password spraying actually is
In a password spraying attack, the attacker starts with a list of usernames or email addresses - often easy to gather because organisations use predictable formats like firstname.lastname@company.com. Then, instead of guessing many passwords for one person, they pick a single very common password, such as Password2026! or Company@123, and try it against every account on the list. If that one fails, they wait and try a second common password across everyone.
The trick is patience. Lockout policies usually lock an account after a handful of failed attempts. By trying only one or two passwords per account, spraying stays under that threshold on every single account, so nothing gets locked and few alarms fire. The attacker is betting that in a big enough group of people, at least one used that weak, obvious password. Usually, someone did.
How it differs from brute force and credential stuffing
These three attacks get mixed up constantly, but the difference is simple once you see the shape of each:
- Brute force - many passwords against one account. Loud, triggers lockouts, and beaten by a long random password.
- Password spraying - one password against many accounts. Quiet, avoids lockouts, and beaten by not using common passwords (plus MFA).
- Credential stuffing - real leaked username and password pairs replayed across sites. Exploits password reuse, and beaten by unique passwords per site.
The key insight: brute force is defeated by password strength, while spraying and stuffing are defeated by password uniqueness and unpredictability. A strong password you share with a common pattern still helps an attacker; a unique, random one does not.

Why it works, and where you see it
Password spraying thrives in two conditions: predictable usernames and at least one weak password in the crowd. Large organisations tick both boxes, which is why it is such a common technique against corporate logins - Microsoft 365, VPN gateways and single sign-on portals are frequent targets. Attackers, including well-resourced groups, like it because it is low-noise and scales: spray one password across thousands of accounts and the odds say a few will land.
It also relates directly to attacks we cover elsewhere. If you want the vertical version, see what a brute-force attack is; if you want the breach-replay version, see what credential stuffing is. Spraying sits between them: no breach data required, just weak passwords and a long list of names.
How to stop it
The good news is that the same small set of habits shuts spraying down:
- Turn on multi-factor authentication (MFA). This is the single biggest defence. Even if a sprayed password is correct, the login is stopped at the second factor. Password spraying campaigns overwhelmingly succeed against accounts without MFA.
- Use unique, non-common passwords. Spraying depends on people choosing passwords from a predictable list. A password manager generates long, random passwords that never appear on those lists, so there is nothing common to spray. This is where a manager earns its keep.
- For organisations: enable smart lockout that spots failed logins spread thinly across many accounts, block legacy authentication protocols that bypass MFA, and monitor for distributed login failures rather than only per-account ones.
Password spraying works by finding the one weak password in a crowd. The fix is to make sure there is no weak, common password to find - and to put MFA behind every login so that even a lucky guess goes nowhere.
★ Audit Cure53 2024 · ✓ Plan gratuit · Cross-platform
Lock down your accounts → NordPassStrong unique passwords · breach scanner · free tier→Frequently asked questions
What is password spraying?
Password spraying is an attack where a criminal takes one common password - like 'Password2026!' or 'Company@123' - and tries it against many different accounts, rather than trying many passwords against a single account. By attempting only one or two passwords per account, the attacker stays under the lockout threshold that would normally trigger after several failed logins, so the attack flies under the radar. It only takes one person in an organisation using that weak password for the attacker to get in.
How is password spraying different from brute force?
Brute force works vertically: many password guesses against one account, until something works. That is why it triggers account lockouts and is beaten by a long, random password. Password spraying works horizontally: one password against many accounts. Because each account sees only a couple of attempts, it avoids lockouts entirely. Strength alone does not save an organisation from spraying - it only takes one user with a weak, common password for the whole login attempt to succeed.
How is password spraying different from credential stuffing?
Credential stuffing replays real username and password pairs that were already leaked in a previous data breach, betting on password reuse. Password spraying does not need any breached data - it just pairs a list of usernames or emails (often easy to guess or public) with a handful of very common passwords. Stuffing exploits reuse; spraying exploits weak, predictable passwords. Both are defeated by the same two things: unique passwords and multi-factor authentication.
Where is password spraying used?
It is a common technique against organisations, especially cloud and remote-access logins like Microsoft 365, VPN portals and single sign-on. Attackers, including some well-resourced groups, favour it because it is quiet and effective at scale: spray one common password across thousands of corporate accounts and a few will match. It also shows up against any large login surface where usernames follow a predictable pattern such as firstname.lastname.
How do I protect against password spraying?
Two defences do most of the work. First, multi-factor authentication (MFA): even if the sprayed password is correct, the attacker is stopped at the second factor. Second, unique, non-common passwords - a password manager generates long random ones that never appear on the common-password lists spraying relies on. For organisations, add smart lockout that detects failed logins spread across many accounts, block legacy authentication protocols that bypass MFA, and monitor for distributed login failures.


