Password Spraying
An attack that tries a small number of commonly used passwords against a large number of accounts to avoid triggering account-lockout controls.
Also known as: horizontal brute force
Last reviewed: 10 June 2026
Unlike a brute-force attack that tries many passwords against one account (and quickly trips that account's lockout), password spraying tries one or a few very common passwords, such as 'Password1!' or 'Summer2024', against many accounts: typically one password per round across the whole account list, with a pause between rounds. Because each account sees only one or two failures within any lockout observation window, no account locks and no per-account lockout alert fires; the attack is visible only to controls that correlate failures across accounts.
This technique is particularly effective in corporate environments where the password policy enforces complexity rules but does not screen out predictable passwords that satisfy them (a season or company name followed by the year and a symbol meets most such rules). Externally reachable single-factor logins such as corporate webmail are the usual targets, and spraying is often the first step in a broader intrusion, used to obtain an initial foothold in the network.
Organisations should implement lockout and detection logic that counts failures per source address and per password across accounts, not only per account, so that a distributed spray is flagged; screen new passwords against lists of known common and breached passwords; and adopt MFA or passwordless authentication so that a guessed password alone does not grant access. Monitoring should also cover the successful logins that follow a spray from the same source, since those identify the compromised accounts.
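The two behaviours described above, a brute force that trips a per-account lockout and a spray that stays under it, and the cross-account detection the defence calls for, as an added example that is not code from the original page. The lockout policy (5 failures per account in a 15-minute window), the alert threshold (20 distinct accounts from one source in that window), the IP addresses and the log lines are all constructed assumptions:

```python
"""Password spraying vs. brute force against a per-account lockout, plus a
cross-account spray detector.  Added example, not from the original page.
The lockout policy, alert threshold, IPs and log lines are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # assumed policy: 5 failures per account ...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ... within a 15-minute sliding window
SPRAY_MIN_ACCOUNTS = 20                 # assumed alert rule: distinct accounts per source per window

# Constructed log lines: "timestamp,user,source_ip,result"
# Many passwords against one account: classic brute force.
BRUTE_FORCE_LOG = "\n".join(
    f"2024-01-15T09:00:{i:02d},alice,203.0.113.9,FAIL" for i in range(8)
)
# One password tried once against 40 accounts, then one success: a spray.
SPRAY_LOG = "\n".join(
    f"2024-01-15T09:{i // 60:02d}:{i % 60:02d},user{i:03d},198.51.100.7,FAIL"
    for i in range(40)
) + "\n2024-01-15T09:00:41,user040,198.51.100.7,SUCCESS"


def parse_log(text):
    """Parse the constructed CSV lines into sorted (timestamp, user, source_ip, result)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def locked_accounts(events):
    """Accounts that reach LOCKOUT_THRESHOLD failures inside one LOCKOUT_WINDOW."""
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    locked = set()
    for ts, user, _ip, result in events:
        if result != "FAIL":
            continue
        recent[user] = [t for t in recent[user] if ts - t < LOCKOUT_WINDOW] + [ts]
        if len(recent[user]) >= LOCKOUT_THRESHOLD:
            locked.add(user)
    return locked


def detect_spray(events):
    """Flag a source IP that fails against SPRAY_MIN_ACCOUNTS distinct accounts
    within one LOCKOUT_WINDOW.  Returns {ip: (distinct_accounts, max_failures_per_account)}
    so the analyst can see that no single account reached the lockout threshold."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)], in time order
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, attempts in failures.items():
        per_account = Counter(user for _, user in attempts)
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start < LOCKOUT_WINDOW}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                alerts[ip] = (len(users), max(per_account.values()))
                break
    return alerts


def compromised_accounts(events, alerts):
    """Accounts that authenticated successfully from a flagged source: the
    first thing to reset and investigate after a spray alert."""
    return {user for _, user, ip, result in events
            if result == "SUCCESS" and ip in alerts}


if __name__ == "__main__":
    for name, log in (("brute force", BRUTE_FORCE_LOG), ("spray", SPRAY_LOG)):
        ev = parse_log(log)
        alerts = detect_spray(ev)
        print(f"{name}: locked={locked_accounts(ev)} spray_alerts={alerts} "
              f"compromised={compromised_accounts(ev, alerts)}")
```

Run stand-alone, the brute-force log locks 'alice' and raises no spray alert, while the spray log locks nothing yet is flagged because one source failed against 40 distinct accounts with at most one failure each, and 'user040' is reported as the account to reset. A real detector would key on more than source IP, since sprays are routinely distributed across proxies; the per-password correlation the defence paragraph mentions needs the failing password hash or a password-identical-across-users signal from the identity provider, which a plain auth log does not carry.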
Examples
- An attacker tries 'Winter2024!' against 50,000 corporate email accounts across a single day; enough succeed to provide initial access.
- A cloud identity service detects the same password being tried against thousands of accounts and triggers alerts despite no single account hitting the lockout threshold.