A Quiet Brute Force
Password spraying flips the usual brute force around. Instead of guessing many passwords for one account, the attacker tries one common password across many accounts, then waits before trying the next. Because each account sees only a single failed attempt per round, no account reaches its per-account lockout threshold.
Why It Evades Defenses
- Lockout policies count failures per account, so one attempt each looks normal.
- Slow timing keeps the attacker under simple alerting thresholds.
- Reused weak passwords mean a single guess often unlocks several accounts.
Defenses
- Enforce multi-factor authentication so a guessed password is not enough on its own.
- Detect spraying by watching for many distinct accounts each failing a login from the same source within a short window, which is how one password tried across the user list looks in the logs.
- Block weak and breached passwords, and add adaptive throttling keyed on the source rather than only on the account.
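The detection point above in working form, as an added example that is not part of the original article: a per-account lockout counter sees one failure per account and stays quiet, while a source-keyed sliding window that counts distinct accounts catches the same activity. The log format (timestamp, source IP, account, result) and the sample lines are constructed for this example; the thresholds (10-minute window, 5 distinct accounts) are assumptions to tune for your environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One event per line:
# "<ISO-8601 timestamp> <source IP> <account> <FAIL|OK>". This field layout
# is an assumption for the example; adapt parse_line() to your IdP's format.
# 203.0.113.10 fails once against eight different accounts (spray pattern).
# 198.51.100.7 fails three times against one account (classic brute force).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.10 alice FAIL
2024-03-01T09:00:04Z 203.0.113.10 bob FAIL
2024-03-01T09:00:07Z 203.0.113.10 carol FAIL
2024-03-01T09:00:10Z 203.0.113.10 dave FAIL
2024-03-01T09:00:13Z 203.0.113.10 erin FAIL
2024-03-01T09:00:16Z 203.0.113.10 frank FAIL
2024-03-01T09:00:19Z 203.0.113.10 grace FAIL
2024-03-01T09:00:22Z 203.0.113.10 heidi FAIL
2024-03-01T09:01:00Z 198.51.100.7 alice FAIL
2024-03-01T09:01:05Z 198.51.100.7 alice FAIL
2024-03-01T09:01:09Z 198.51.100.7 alice FAIL
2024-03-01T09:01:15Z 198.51.100.7 alice OK
2024-03-01T09:02:00Z 192.0.2.5 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source, account, result)."""
    ts, src, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, result


def failed_events(log_text):
    """Yield (timestamp, source, account) for every failed login."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, account, result = parse_line(line)
            if result == "FAIL":
                yield ts, src, account


def account_failure_counts(log_text):
    """The view a per-account lockout policy has: failures per account.
    A spray leaves every account at one failure, below any lockout threshold."""
    return Counter(account for _, _, account in failed_events(log_text))


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failures, inside any sliding `window`, touch at least
    `min_accounts` distinct accounts. Returns {source: (distinct_accounts,
    max_failures_for_one_account)} for each flagged source; a low second
    value alongside a high first value is the spray signature."""
    by_src = defaultdict(list)
    for ts, src, account in failed_events(log_text):
        by_src[src].append((ts, account))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so events[start:end+1] fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in events[start:end + 1])
            distinct = len(per_account)
            if distinct >= min_accounts and distinct > alerts.get(src, (0, 0))[0]:
                alerts[src] = (distinct, max(per_account.values()))
    return alerts


if __name__ == "__main__":
    counts = account_failure_counts(SAMPLE_LOG)
    print("per-account failures (lockout view):", dict(counts))
    print("spray alerts (source view):", detect_spray(SAMPLE_LOG))
```

Run as a script it prints the lockout view, where no account exceeds four failures, next to the source view, which flags 203.0.113.10 with eight distinct accounts and at most one failure each. The single-account brute force from 198.51.100.7 is not flagged here because it is the case per-account lockout already handles.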
Key Idea
Password spraying tries one password against many accounts to dodge lockouts, so require multi-factor authentication and detect the shared failure pattern across accounts.