
Password Spraying - Low-and-Slow Account Attacks


A password spraying attack is a technique in which a commonly used password such as "123456" or "Password1" is tried against a large number of accounts, one or two attempts per account. Because no single account ever sees enough failures to trip its lockout threshold, the attack avoids lockout and slips past per-account alerting. It is frequently observed against Microsoft 365 and Azure AD (now Entra ID), and in 2024 password spraying by state-sponsored attack groups was confirmed at several major technology companies.

Real-World Use Cases

"When we analyzed the Azure AD sign-in logs, we detected login attempts using the same password 'Company2024!' against more than 200 accounts. Each account was tried only once and no lockout occurred, so we have determined this to be a password spraying attack."

Attack Pattern Diagram

Attacker: selects one commonly used password
Try against account A
Try against account B
Try against account C
Only once per account → avoids lockout
Wait a while, then retry with the next password

The Difference from a Brute-Force Attack

Whereas a brute-force attack tries a huge number of passwords against a single account, password spraying tries a single password against many accounts. Brute force is easy to detect and to stop with account lockout; password spraying makes only one or two attempts per account and never reaches the lockout threshold, so it must be detected across accounts rather than per account. It also differs from credential stuffing: rather than replaying leaked username and password pairs tied to specific accounts, it uses statistically common passwords that many unrelated users happen to share.

Countermeasures

The most effective defense for an individual is a long, random password generated by a tool like passtsuku.com, which removes you from the pool of accounts a common-password list can hit. At the organizational level, company-wide adoption of multi-factor authentication (MFA) is a decisive countermeasure, with one caveat: legacy authentication protocols (such as basic authentication for Exchange Online) do not support MFA, so they must be blocked or the spray simply moves to them. Azure AD smart lockout and detection of anomalous patterns in authentication logs are also effective. Note that sign-in logs do not record the password that was tried, so the pattern to look for is many distinct accounts each failing once or twice from the same source IP, ASN or user agent within a short window, rather than "the same password" as such.
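The following is an added example, not code from the original page, that implements the cross-account detection described above and shows why the spray in the diagram stays under a per-account lockout threshold. The sign-in events are constructed here and only loosely modelled on Entra ID sign-in log fields (userPrincipalName, ipAddress, errorCode, where 50126 is the "invalid username or password" code); the thresholds are assumptions and should be set below your tenant's real lockout threshold.

```python
"""Password-spray detection over constructed Entra ID style sign-in events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Sign-in logs never contain the password that was tried, so detection keys on
# the shape of the failures: one source touching many distinct accounts, each
# only once or twice, inside a short window.
BASE = datetime(2024, 3, 1, 2, 0, 0)  # constructed timestamp base


def _event(minute, user, ip, error_code):
    """Build one constructed sign-in event (0 = success, 50126 = bad password)."""
    return {
        "createdDateTime": BASE + timedelta(minutes=minute),
        "userPrincipalName": user,
        "ipAddress": ip,
        "errorCode": error_code,
    }


SAMPLE_EVENTS = []
# Constructed spray: one attempt per account against 25 accounts from one IP,
# so no account ever reaches a lockout threshold of, say, 5 failures.
for i in range(25):
    SAMPLE_EVENTS.append(_event(i, f"user{i:02d}@example.com", "203.0.113.7", 50126))
# Constructed legitimate noise: alice mistypes her own password five times, then
# succeeds. Per-account lockout handles this case; spray detection must not.
for i in range(5):
    SAMPLE_EVENTS.append(_event(10 + i, "alice@example.com", "198.51.100.5", 50126))
SAMPLE_EVENTS.append(_event(16, "alice@example.com", "198.51.100.5", 0))


def detect_spray(events, window=timedelta(minutes=30), min_accounts=20, max_per_account=2):
    """Return one finding per source IP whose failures look like a spray.

    A window is a spray when it contains failures for at least `min_accounts`
    distinct accounts and no single account failed more than `max_per_account`
    times (the low-and-slow signature). Thresholds are assumptions for the
    example; tune max_per_account below your real lockout threshold.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["errorCode"] != 0:
            by_ip[e["ipAddress"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["createdDateTime"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["createdDateTime"] - evs[start]["createdDateTime"] > window:
                start += 1
            per_account = defaultdict(int)
            for e in evs[start:end + 1]:
                per_account[e["userPrincipalName"]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                if best is None or len(per_account) > best["distinctAccounts"]:
                    best = {
                        "ipAddress": ip,
                        "distinctAccounts": len(per_account),
                        "maxFailuresPerAccount": max(per_account.values()),
                        "firstSeen": evs[start]["createdDateTime"],
                        "lastSeen": evs[end]["createdDateTime"],
                    }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {f['ipAddress']}: {f['distinctAccounts']} accounts, "
              f"max {f['maxFailuresPerAccount']} failures each, "
              f"{f['firstSeen']:%H:%M}-{f['lastSeen']:%H:%M}")
```

Keying on the source IP alone is the weakest form of this check: attackers who rotate through residential proxies spread the attempts across many addresses. In practice the same grouping is run on ASN, user agent string, or on the tenant as a whole (distinct accounts failing per window, regardless of source), and the legacy-authentication protocols mentioned above get their own, stricter thresholds.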

