Beginner | T1110.003

Password Spraying & Brute Force

Instead of trying many passwords against one account (and getting locked out), attackers try one password against every account in the domain -- and statistically, someone always uses "Summer2025!".

Most organizations have a password policy that locks accounts after a certain number of wrong guesses (like 5 attempts in 30 minutes). Traditional brute force attacks -- trying many passwords against one account -- trigger this lockout quickly. Password spraying flips the approach: the attacker tries one password against many accounts. If the lockout threshold is 5 attempts per 30 minutes, the attacker waits 31 minutes between each spray round. With 10,000 employees and common passwords like "Spring2025!", statistically about 1-3% of accounts will use a guessable password. That means 100-300 accounts compromised in a single spray campaign. Detection is difficult because each individual account only sees one failed login.

Imagine a hallway with 1,000 doors. If you try 100 different keys on one door, the alarm goes off. But if you try just one key on all 1,000 doors, nobody notices -- and chances are, at least one door opens. That is password spraying. The attacker picks one commonly used password (like "Company2025!" or "Welcome1") and tries it against every account in the domain. With thousands of employees, the odds are in the attacker's favor. Account lockout policies only trigger after multiple failed attempts on the same account, so spraying one password at a time stays under the radar.

Key Takeaways

  1. Password spraying tries one password against many accounts to avoid lockout.
  2. With thousands of accounts, even a 1% success rate yields dozens of compromised credentials.
  3. Kerberos-based spraying (port 88) is stealthier than NTLM-based (port 445).
  4. Fine-Grained Password Policies and breach database checking are the best defenses.
  5. Honeypot accounts that trigger alerts on any authentication attempt provide early detection.

Why Should I Care?

Password spraying is one of the most common initial access techniques because it works against any organization with employees who choose weak passwords -- which is virtually all of them.

Defense Recommendations

Combine strong password policies with monitoring and deception to detect and prevent spraying.

  1. Implement breach database checking (Azure AD Password Protection or similar) to block known compromised passwords.
  2. Deploy honeypot/honeytoken accounts that alert on any authentication attempt.
  3. Monitor for distributed single-failure patterns: many accounts with one failure each in a short window.
  4. Enforce MFA for all remote access and privileged accounts.
  5. Use Fine-Grained Password Policies to apply stricter rules to sensitive accounts.
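
The detection pattern from recommendations 2 and 3 above, worked through in code. This is an added example, not code from the page or its sources: it runs over constructed authentication-failure records (the four fields mirror what Windows events 4625 and 4771 carry, but the lines are made up), and the lockout threshold of 5 per 30 minutes comes from the page while the 10-account alert threshold and the honeypot account name `svc-backup-old` are assumptions to tune per environment. The sliding window flags a source that touches many distinct accounts while no single account ever approaches the lockout threshold, which is exactly the shape a per-account lockout policy cannot see.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data): "<UTC timestamp> <event id> <account> <source ip>".
# 10.0.0.50 sprays one failure across twelve accounts, including the honeypot;
# 10.0.0.7 is one user mistyping their own password three times;
# 10.0.0.9 fails on two accounts, below the alert threshold.
SAMPLE_LOG = """\
2025-03-10T09:00:01Z 4771 alice 10.0.0.50
2025-03-10T09:00:03Z 4771 bob 10.0.0.50
2025-03-10T09:00:05Z 4771 carol 10.0.0.50
2025-03-10T09:00:07Z 4771 dave 10.0.0.50
2025-03-10T09:00:09Z 4771 erin 10.0.0.50
2025-03-10T09:00:11Z 4771 frank 10.0.0.50
2025-03-10T09:00:13Z 4771 grace 10.0.0.50
2025-03-10T09:00:15Z 4771 heidi 10.0.0.50
2025-03-10T09:00:17Z 4771 ivan 10.0.0.50
2025-03-10T09:00:19Z 4771 judy 10.0.0.50
2025-03-10T09:00:21Z 4771 mallory 10.0.0.50
2025-03-10T09:00:23Z 4771 svc-backup-old 10.0.0.50
2025-03-10T09:05:00Z 4625 alice 10.0.0.7
2025-03-10T09:05:10Z 4625 alice 10.0.0.7
2025-03-10T09:05:20Z 4625 alice 10.0.0.7
2025-03-10T09:30:00Z 4625 carol 10.0.0.9
2025-03-10T09:31:00Z 4625 dave 10.0.0.9
"""

LOCKOUT_THRESHOLD = 5              # domain lockout threshold from the page: 5 attempts / 30 min
WINDOW = timedelta(minutes=30)     # lockout observation window from the page
MIN_DISTINCT_ACCOUNTS = 10         # assumed alert threshold; tune to the environment
HONEYPOT_ACCOUNTS = {"svc-backup-old"}  # assumed honeytoken account that no one should use

Event = namedtuple("Event", "ts event_id account source_ip")


def parse_log(text):
    """Parse the constructed log format into Event records with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source_ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, int(event_id), account, source_ip))
    return events


def detect_spray(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS,
                 lockout_threshold=LOCKOUT_THRESHOLD):
    """Return one alert per source IP whose failures, inside some `window`, hit at
    least `min_accounts` distinct accounts while every account stays under the
    lockout threshold: many accounts, one failure each, is the spray signature."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev.source_ip].append(ev)

    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        per_account = Counter()   # failures per account inside the current window
        start, best = 0, None
        for ev in evs:
            per_account[ev.account] += 1
            # Slide the window start forward until it fits within `window`.
            while ev.ts - evs[start].ts > window:
                old = evs[start].account
                per_account[old] -= 1
                if per_account[old] == 0:
                    del per_account[old]
                start += 1
            distinct, worst = len(per_account), max(per_account.values())
            if distinct >= min_accounts and worst < lockout_threshold:
                if best is None or distinct > best["distinct_accounts"]:
                    best = {"source_ip": src, "window_start": evs[start].ts,
                            "distinct_accounts": distinct,
                            "max_failures_per_account": worst}
        if best is not None:
            alerts.append(best)
    return alerts


def honeypot_hits(events, honeypots=HONEYPOT_ACCOUNTS):
    """Any authentication attempt against a honeypot account is an alert on its own."""
    return [ev for ev in events if ev.account in honeypots]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_spray(evs):
        print("spray pattern:", alert)
    for hit in honeypot_hits(evs):
        print("honeypot touched:", hit)
```

On the sample above only 10.0.0.50 produces a spray alert (12 accounts, at most one failure each); the user retrying their own password and the source with two failures do not. The honeypot check fires independently, so it catches a spray even when the attacker keeps the per-source account count below the tuned threshold.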

Source: Sudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.