Automated tools and a huge amount of information available on the dark web make password spraying attacks a rising threat, especially for organizations.

Once they compromise an account, the cybercriminal can exfiltrate sensitive data from your company, engage in lateral movement, or even blackmail you. The consequences of such an incident can range from financial to reputation loss.

This article will explain what password spraying is, how a password spraying attack works, and how you can use cybersecurity technology to prevent it.

What Is Password Spraying?

Password spraying is a type of brute-force attack in which a threat actor tries to pair a username with a password in order to gain access to an account. The process is usually automated, and it evades modern security software by trying the same password against many accounts rather than many passwords against one account (most systems lock an account after the wrong password is entered several times).

The attacker uses a list of common or easy-to-guess passwords such as “password” or “123456”, either found on the Internet or assembled by the attacker. This is why organizations with standardized usernames like “firstname.lastname@company.com” are among the favorite victims. Single Sign-On (SSO) is another attractive target for cybercriminals, because a breached SSO account grants access to a wide range of sensitive company information.

How Does Password Spraying Work?

Weak password management is what makes password spraying attacks such a successful business. Using an obvious password or reusing credentials across multiple platforms are two of the most common mistakes made by users who become victims of cybercriminals.

Let’s take a look at the most common steps involved in this type of attack:

1 A list of passwords

It all starts with a list of common or likely passwords, like “Password123”. It is not a guessing game: threat actors can buy such a list on the Internet. Such lists are also published as curiosities, like the Wikipedia page of “the most common passwords, discovered in various data breaches” or the Top 200 most common passwords.

PS: Take a look at those lists and avoid the passwords you find there.

2 A list of usernames

A stolen list of usernames can be easily found on the dark web, but it can also be created by malicious actors. They can use the patterns that corporate email addresses conform to and a list of employees of a certain company. Online research on the company and social engineering are also involved in creating a possible username.

3 Match them together

The last step is to match the list of passwords with the list of usernames to find a valid combination that will grant the hacker access to a user account.

The matching process is automated. The cybercriminals use a tool that tries one password against every user, then does the same with the next password, and the next, and the next, until access is granted. Because each account sees only one failed attempt per pass, the hacker avoids triggering account lockout policies or IP address blockers, which limit failed login attempts per account.

What Damage Can a Password Spraying Attack Do?

Once a hacker is in one of your company’s accounts there is no way to tell where he will stop.

The main goal of a threat actor is to do as much damage, or steal as much data, as possible. So, depending on the level of access that the breached account has, he can exfiltrate personal data and organizational information, such as business-critical details about intellectual property.

Hackers will use your network vulnerabilities to move laterally in the system in order to gain access to critical infrastructure. A compromised account could be used to obtain an email address list and to spread the attack forward.

The wider the range of permissions that a compromised user has, the greater the hit to the organization’s security posture and the bigger the risk to sensitive data.

How to Stay Safe from Password Spraying Attacks?

This type of attack preys mainly on our human tendency to make things as easy as possible – see the go-to passwords that all of us have. Consequently, staying safe from it involves a few simple but efficient measures:

  • Use multi-factor authentication (MFA) whenever you can, to add an extra layer of security on top of your credentials.
  • Always choose strong passwords. Many platforms warn you if your password is not strong enough, and you can also verify its strength online.
  • A password management program can be the answer for multiple passwords and users, but be sure to review it regularly and keep it up to date.
  • Eliminate passwords altogether and opt for passwordless authentication or biometric login.
  • Be creative when it comes to your company’s username convention and avoid the usual ones.
  • Your company’s employees are your greatest asset in keeping your systems and data safe, so be sure that they receive proper security training.
  • Zero trust policies will give every employee access only to the necessary data to do his job, so if an account is breached the information that can be exfiltrated is limited.
  • Establish well-documented procedures in your company for password resets and user blocking, triggered quickly after a low number of successive failed login attempts.
  • A good security posture will spot abnormal activities like a large number of login attempts and will stop the attacker’s lateral movements through your network in the case of a successful attack.
  • Use penetration testing to spot the flaws in your organization’s cybersecurity.
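The “one password against every user” pattern described in step 3 is exactly what a per-account lockout policy misses, so the abnormal-activity check from the list above has to look across accounts. The following detector is an added example, not code from the article or from Heimdal; it runs over a constructed, labelled sample of authentication log lines (the `src=`/`user=`/`result=` format and all addresses are assumptions) and flags sources that fail against many different accounts while staying under the lockout threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): 203.0.113.5 sprays one
# password across many users; 198.51.100.9 hammers a single account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=frank result=SUCCESS
2024-05-01T10:00:07Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:08Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:09Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:10Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:11Z src=192.0.2.7 user=grace result=FAIL
2024-05-01T10:00:12Z src=192.0.2.7 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse_log(text):
    """Yield (timestamp, src, user, success) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"

def detect_spraying(text, window=timedelta(minutes=10), min_users=5, lockout=3):
    """Flag sources with failures on >= min_users accounts inside `window`
    while every account stays below `lockout`: the signature a lockout
    policy alone misses (fixed window from the first event, for brevity)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_log(text):
        by_src[src].append((ts, user, ok))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        fails = defaultdict(int)
        for ts, user, ok in events:
            if not ok and ts - events[0][0] <= window:
                fails[user] += 1
        if len(fails) >= min_users and max(fails.values()) < lockout:
            findings[src] = {"users_targeted": len(fails),
                             "success_seen": any(ok for _, _, ok in events)}
    return findings
```

Only the spraying source is reported; the single-account brute force from 198.51.100.9 is left to the lockout policy, and `success_seen` tells the responder whether the spray ended in a compromised account.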

What to Do in Case of a Password Spraying Attack?

If you suspect that your organization has been the victim of a password spraying attack, there are a few things you can do:

  • If you do not have MFA implemented yet, reset all passwords for administrative and privileged domain accounts.
  • Increase the sensitivity of your security products to failed login attempts across multiple systems.
  • To track any malicious activity on your company’s endpoints and to prevent lateral movement if an attack occurs, use an Endpoint Detection and Response (EDR) solution.
  • In case of any data loss, work with a cybersecurity firm for incident response, forensics, and further investigation.
  • A spike in login attempts on the SSO portal can be a sign of an attack, so monitor your network for such anomalies.

How Can Heimdal® Help?

Heimdal Endpoint Detection and Response is a comprehensive cybersecurity technology designed to protect endpoints, continuously monitor them for anomalies, and respond to mitigate cybersecurity threats.

When threats arise, Heimdal’s EDR provides greater visibility into corporate endpoints and allows for faster response times, stopping an attack at its beginning.

Some of our most crucial modules are included in our EDR service (Threat Prevention, Patch and Asset Management, Next-Gen Antivirus, Ransomware Encryption Protection, Privileged Access Management, Application Control), ensuring many, if not all, of the following features: automated detection and remediation, machine learning, threat intelligence, application control, patch and vulnerability management, privileged access management, intelligent alerting and reporting.

Wrapping Up…

A solid overall cybersecurity posture and enforcing best practices are always the strongest defense against a variety of attack vectors. So choose wisely the security software for your company and always keep your employees up to date about cybersecurity measures.

You can use the National Institute of Standards and Technology (NIST) password guidelines to pick strong credentials that will keep you safe from password spraying.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.
