Password spraying

The most sophisticated hacking operations often use surprisingly simple methods to gain access to major targets. Bad password hygiene is the most common culprit in a cyber incident. 

The practice of password spraying got some much-needed attention recently during a Senate hearing about the SolarWinds hack, which compromised the United States Treasury, Commerce, State, Energy, and Homeland Security departments, and a host of well-known companies including Intel, Nvidia, Cisco, and VMware.

Password spraying is a simple and effective exploit that compromises credentials by trying well-known or commonly used passwords (e.g. “Password,” “password123,” “qwerty”), or passwords likely to be popular in a particular area (e.g., steelers1! in the Pittsburgh area).

A hacker using password spraying will attempt to log in to many accounts within a network, often thousands at a time, with the same password, until one of those accounts accepts it.

Unlike brute force attacks, where a long list of candidate passwords is tried against a single account, and credential stuffing, where login/password combinations from previous data breaches are tried against an account, password spraying takes a shotgun approach.

Password spraying has an advantage over other forms of authentication attacks because it is less likely to trigger security software and firewalls programmed to lock accounts after a set number of failed login attempts. By trying one weak password against many accounts, each account sees only a single failure, so the attempted hack is more likely to go unnoticed than repeated attempts against a single account or a handful of accounts.
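Because per-account lockout counters never trip during a spray, detection has to pivot from "many failures on one account" to "one source failing against many accounts". The following is an added example (not code from the original article) that runs that check over a handful of constructed authentication log lines; the log format, the source IPs and usernames, and the thresholds (a 10-minute window, at least 5 distinct accounts, no more than 2 failures per account) are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Format assumed: <timestamp> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2021-03-01T09:00:01Z FAIL user=alice src=203.0.113.7
2021-03-01T09:00:02Z FAIL user=bob src=203.0.113.7
2021-03-01T09:00:03Z FAIL user=carol src=203.0.113.7
2021-03-01T09:00:04Z FAIL user=dave src=203.0.113.7
2021-03-01T09:00:05Z FAIL user=erin src=203.0.113.7
2021-03-01T09:00:06Z OK user=frank src=203.0.113.7
2021-03-01T09:00:07Z FAIL user=grace src=203.0.113.7
2021-03-01T09:05:00Z FAIL user=alice src=198.51.100.9
2021-03-01T09:05:01Z FAIL user=alice src=198.51.100.9
2021-03-01T09:05:02Z FAIL user=alice src=198.51.100.9
2021-03-01T09:05:03Z FAIL user=alice src=198.51.100.9
2021-03-01T09:05:04Z FAIL user=alice src=198.51.100.9
2021-03-01T09:05:05Z FAIL user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Parse log text into (timestamp, result, user, src) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: sorted usernames} for each source that failed against at least
    `min_users` distinct accounts within `window`, while keeping every account at or
    below `max_per_user` failures (i.e. under a typical lockout threshold).
    A source hammering one account (classic brute force) is deliberately not flagged
    here, because the per-account lockout already covers that case."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        best = None
        start = 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > len(best):
                    best = set(counts)
        if best:
            alerts[src] = sorted(best)
    return alerts


def successes_from_flagged_sources(events, alerts):
    """Accounts that authenticated successfully from a flagged source: the spray's
    likely hits, and the first thing an incident responder should follow up on."""
    return sorted({user for _, result, user, src in events
                   if result == "OK" and src in alerts})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = detect_spray(evs)
    print("spray sources:", found)
    print("compromised accounts to review:", successes_from_flagged_sources(evs, found))
```

In the constructed sample, 203.0.113.7 touches six accounts once each and is flagged, while 198.51.100.9 fails six times against the single account alice and is left to the lockout policy. The thresholds are the knobs a SOC would tune against its own baseline; shared NAT or VPN egress addresses generate legitimate failures across many users and are the usual source of false positives for this rule.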

Takeaways:

  • Password spraying is predictive, and targets bad password hygiene. 
  • Password spraying may have been used in the SolarWinds attacks.
  • Authentication attacks like password spraying and credential stuffing can be rendered ineffective by using strong, unique passwords and enabling multi-factor authentication on accounts.
  • Requiring strong passwords at the administrative level and blocking widely known, easily guessed login/password combinations will help protect against the password spraying approach.
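The last two takeaways come down to refusing, at password-set time, the passwords a spray would try. As an added example (not code from the original article), the check below normalizes a candidate password before comparing it to a banned list, so that cosmetic variants such as "P@ssw0rd1!" or "Password123" are caught along with the bare word; the banned list, the leet-substitution table and the 12-character minimum are assumptions for illustration, and a real deployment would back the list with a large breached-password corpus.

```python
import re

# Constructed blocklist for illustration only; a production list would be far larger.
BANNED = {"password", "password123", "qwerty", "letmein", "welcome", "steelers"}

# Common character substitutions attackers also try when spraying (assumed table).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "$": "s",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Collapse case, trailing digits/symbols, and leet substitutions so that
    "P@ssw0rd1!" and "steelers1!" compare as "password" and "steelers"."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # drop trailing digits/punctuation first
    return p.translate(LEET)          # then undo leet-style substitutions


def check_password(username, password, min_length=12):
    """Return a list of policy failures; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if normalize(password) in BANNED:
        problems.append("matches a banned password after normalization")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for user, pw in [("alice", "P@ssw0rd1!"), ("bob", "steelers1!"),
                     ("alice", "Correct-Horse-Battery-9")]:
        print(user, repr(pw), "->", check_password(user, pw) or "accepted")
```

Normalizing before the lookup is what makes the list useful: the raw strings "Password123" and "P@ssw0rd" never appear in a short blocklist, but both collapse to "password". The same normalization can be applied to the server's existing password hashes only at reset time, which is a reason to run this check in the self-service reset flow as well as at account creation.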