Classic brute force is loud and self-defeating. Throw a thousand guesses at one account and you trip the lockout after five. Rate limits notice. Alerts fire. The attack collapses under its own volume. Decades of defensive engineering — failed-attempt counters, exponential backoff, CAPTCHAs — are tuned to exactly this shape of attack.
Password spraying refuses to play along. Instead of many passwords against one account, the attacker picks one highly probable password and tries it once against a long list of usernames. Then they wait, pick a second password, and sweep the list again. From any single account's perspective, there was exactly one failed login this hour — utterly unremarkable. From the directory's perspective, someone just tested a popular password against ten thousand people, and statistics guarantee that a handful of them chose it.
Why the math favors it
Human password choice is not uniform. In any large population, a small set of passwords accounts for a disproportionate share of accounts — seasonal patterns like Spring2026!, the company name plus a year, or the perennial Password1 that satisfies a "must contain a number and capital" rule while defeating its purpose. An attacker doesn't need to guess your password. They need any one of the few thousand accounts where someone picked the obvious thing.
Lockout policies count failures per account. Password spraying generates one failure per account per round, so it never crosses the threshold. The signal only appears if you count failures per password or per source across the whole directory — a view most systems don't compute by default.
Spraying vs. stuffing vs. brute force
These three get blurred together constantly, but they have different inputs and different tells.
| Attack | Input the attacker brings | Telltale |
|---|---|---|
| Brute force | Nothing — generates passwords on the fly | Many failures on one account |
| Credential stuffing | Leaked email:password pairs from other breaches | High success rate, scattered accounts, password reuse |
| Password spraying | A short list of common passwords + a username list | One password tried across many accounts |
Credential stuffing exploits reuse across sites; spraying exploits predictability within one site. Both are forms of the broader problem we cover in account takeover attacks, and both lean on the same human tendency to pick memorable secrets.
Where attackers point it
Spraying favors targets that expose a single sign-on surface to many accounts at once. Cloud identity portals, webmail, VPN gateways, and remote-access endpoints are perennial favorites — one front door, an entire organization behind it. Attackers enumerate usernames first (corporate naming conventions like first.last make this trivial), then spray slowly enough to stay under any per-account radar.
The good operators run it "low and slow": a few attempts per account per day, rotated across many source IP addresses so no single origin stands out, sometimes spread over weeks. This patience is what makes spraying a favored opening move for sophisticated intrusions, not just opportunistic spam.
A password that one person in ten thousand would choose is, at the scale of a corporate directory, a password that several people definitely chose. Spraying doesn't beat strong passwords — it harvests the weak ones that policy quietly permitted.
Defending against it
Because spraying sidesteps per-account lockout, the defenses that matter are the ones that change the economics or the detection surface.
Make stolen passwords useless
The single highest-impact control is phishing-resistant multi-factor authentication. A sprayed password that lands on a valid account still can't complete a login without the second factor. Hardware security keys and passkeys raise this bar furthest, because there is no shared secret to spray toward in the first place — we compare the options in our piece on two-factor authentication types.
Eliminate the sprayable passwords
- Screen against breached and common-password lists. Modern guidance (including NIST SP 800-63B) favors blocking known-bad and commonly-chosen passwords over forcing arbitrary complexity rules — which just push users toward predictable patterns. Our explainer on breach checking with k-anonymity covers how this is done without exposing the password itself.
- Ban the obvious local patterns — the company name, the current season and year, the product name.
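The two screening rules above, as an added example that is not from the original article: a candidate password is rejected if it matches a small constructed list of commonly chosen passwords (after undoing trailing digits and symbols and a few leet substitutions), if it is built from a local term (the constructed company and product names AcmeCorp and WidgetPro) or a season name, or if a k-anonymity breach lookup finds it. The lookup sends only the first five hex characters of the SHA-1 hash and compares the suffix locally; the "range service" here is an in-memory stand-in whose one entry and count are constructed, so nothing touches the network.

```python
"""Password screening: common-list, local-pattern and k-anonymity breach checks.

Added example. COMMON_PASSWORDS, LOCAL_TERMS and FAKE_RANGE_RESPONSES are
constructed for illustration; the range lookup is a local stand-in for a
HASH_SUFFIX:COUNT style range API, not a network call.
"""
import hashlib
import re

# Constructed: a deliberately tiny "commonly chosen" list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1", "letmein"}
# Constructed: local terms an attacker would try first (company and product names).
LOCAL_TERMS = ["acmecorp", "acme", "widgetpro"]
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# Constructed range response keyed by the 5-char SHA-1 prefix of "password".
# Real services return many suffix:count lines per prefix; the count here is made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0123456789ABCDEF0123456789ABCDEF012:2",
}

_LEET = str.maketrans("@$0134", "asoiea")


def normalize(pw: str) -> str:
    """Lower-case, drop the trailing digits/symbols that complexity rules invite,
    then undo common leet substitutions, so "Spring2026!" -> "spring"."""
    core = re.sub(r"[\d!@#$%^&*._-]+$", "", pw.lower())
    return core.translate(_LEET)


def sha1_prefix_suffix(pw: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that leaves the host
    and the 35-char suffix that never does."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def mock_range_lookup(prefix: str) -> str:
    """Stand-in for the remote range service: only the prefix is ever seen by it."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(pw: str, range_lookup=mock_range_lookup) -> int:
    """Return how often the password appears in the breach corpus, 0 if never."""
    prefix, suffix = sha1_prefix_suffix(pw)
    for line in range_lookup(prefix).splitlines():
        candidate, count = line.strip().split(":")
        if candidate == suffix:
            return int(count)
    return 0


def screen_password(pw: str, range_lookup=mock_range_lookup) -> list[str]:
    """Return the list of reasons to reject the password; empty means accept."""
    reasons = []
    core = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password")
    if any(term in core for term in LOCAL_TERMS):
        reasons.append("contains company/product name")
    if core in SEASONS:
        reasons.append("season+year pattern")
    hits = breach_count(pw, range_lookup)
    if hits:
        reasons.append(f"seen in breaches ({hits} times)")
    return reasons


if __name__ == "__main__":
    for candidate in ["Spring2026!", "Password1", "P@ssw0rd", "AcmeCorp2026!",
                      "password", "correct-horse-battery-staple"]:
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate:32} {', '.join(verdict)}")
```

The normalization step is what makes the pattern ban bite: the same rule that rejects Spring2026! also rejects Spring2026# and Summer26, because the year and symbol suffix are stripped before the comparison.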
Change what you measure
- Detect per-password, per-source. Alert when one password fails across many distinct accounts, or when one source IP touches an unusual number of accounts — the signal lockout counters miss entirely.
- Watch authentication geography and timing for the slow, distributed sweep pattern.
- Use risk-based / conditional access to step up verification when a login looks anomalous, even if the password was correct.
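The directory-wide view described in "Why the math favors it" and the per-source detection rule in the list above, as an added example that is not part of the original article. It parses a constructed authentication log (timestamp, result, username, source address) and computes three things a per-account lockout counter never does: distinct accounts touched by each source address within a sliding window, the population-wide picture of many accounts failing once each while none approaches the lockout threshold, and successful logins from a source already flagged as spraying. The log lines, addresses and thresholds are all constructed.

```python
"""Password-spray detection over a constructed auth log. Added example.

Assumed log format (constructed): "<ISO timestamp> <OK|FAIL> <username> <source ip>".
Thresholds (window, min_accounts, lockout) are illustrative defaults, not recommendations.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class AuthEvent(NamedTuple):
    ts: datetime
    ok: bool
    user: str
    src: str


# Constructed sample: one popular password swept across the directory from two
# rotated source addresses, one hit (erin.kay), plus alice.smith's own typo from her usual address.
SAMPLE_LOG = """\
2026-03-02T09:00:01Z FAIL alice.smith 203.0.113.7
2026-03-02T09:00:03Z FAIL bob.jones 203.0.113.7
2026-03-02T09:00:05Z FAIL carol.lee 203.0.113.7
2026-03-02T09:00:08Z FAIL dan.wu 198.51.100.20
2026-03-02T09:00:10Z OK erin.kay 198.51.100.20
2026-03-02T09:00:12Z FAIL frank.ma 198.51.100.20
2026-03-02T09:00:15Z FAIL gina.ross 198.51.100.20
2026-03-02T09:01:00Z FAIL alice.smith 192.0.2.44
2026-03-02T09:01:30Z OK alice.smith 192.0.2.44
2026-03-02T09:02:00Z FAIL hank.orr 203.0.113.7
"""


def parse_log(text: str) -> list[AuthEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                result == "OK", user, src))
    return sorted(events, key=lambda e: e.ts)


def per_account_failures(events: list[AuthEvent]) -> Counter:
    """What a classic lockout counter sees: failures per account."""
    return Counter(e.user for e in events if not e.ok)


def spraying_sources(events: list[AuthEvent], window: timedelta = timedelta(minutes=10),
                     min_accounts: int = 3) -> dict[str, int]:
    """Sources whose failures touch >= min_accounts distinct accounts inside any sliding
    window; value is the largest distinct-account count observed for that source."""
    by_src: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.ok:
            by_src[e.src].append(e)
    flagged: dict[str, int] = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            touched = len({f.user for f in fails[start:end + 1]})
            if touched >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), touched)
    return flagged


def directory_sweep(events: list[AuthEvent], window: timedelta = timedelta(minutes=10),
                    min_accounts: int = 5, lockout: int = 5) -> Optional[tuple[int, int]]:
    """Population-wide view: (distinct failing accounts, max failures on any one of them)
    for the busiest window in which many accounts fail yet none reaches `lockout`.
    Returns None when no window crosses min_accounts; this is the shape lockout never sees."""
    fails = [e for e in events if not e.ok]
    worst = None
    start = 0
    for end in range(len(fails)):
        while fails[end].ts - fails[start].ts > window:
            start += 1
        counts = Counter(f.user for f in fails[start:end + 1])
        if len(counts) >= min_accounts and max(counts.values()) < lockout:
            if worst is None or len(counts) > worst[0]:
                worst = (len(counts), max(counts.values()))
    return worst


def successes_from_flagged_sources(events: list[AuthEvent], flagged: dict[str, int]) -> list[tuple[str, str]]:
    """A successful login from a spraying source means the sprayed password landed:
    the account to step up or reset first."""
    return [(e.user, e.src) for e in events if e.ok and e.src in flagged]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account failures (lockout view):", dict(per_account_failures(evs)))
    srcs = spraying_sources(evs)
    print("sources sweeping many accounts:", srcs)
    print("directory-wide sweep (accounts, max per account):", directory_sweep(evs))
    print("successful logins from flagged sources:", successes_from_flagged_sources(evs, srcs))
```

In the sample, no account fails more than twice, so a five-strike lockout stays silent; the per-source count flags both rotated addresses, the directory-wide count shows seven accounts failing with a maximum of two per account, and erin.kay's success from a flagged source is the one event worth waking someone up for.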
The takeaway
Password spraying is a lesson in how a defense can be perfectly effective against the threat it was designed for and completely blind to the threat that simply turned the problem sideways. Lockout policies aren't wrong — they're just aimed at the wrong axis. The durable fix isn't a better counter; it's removing the shared secret from the critical path entirely, with MFA today and passkeys tomorrow, while measuring authentication failures across the whole population rather than one account at a time.