Password spraying: What it is & how to protect against it


Written by:


The most sophisticated hacking operations often use surprisingly simple methods to gain access to major targets. Bad password hygiene is the most common culprit in a cyber incident.

The practice of password spraying got some much needed attention recently during a Senate hearing about the SolarWinds hack, which compromised the United States Treasury, Commerce, State, Energy, and Homeland Security departments, and a host of well known companies including Intel, Nvidia, Cisco, and VMWare.

Password spraying is a simple and effective exploit that compromises credentials by using well-known or commonly used passwords, e.g. “Password,” “password123,” “qwerty,” or deploys passwords that might be likely in a particular area (e.g., steelers1! in the Pittsburgh area.)

A hacker using password spraying will attempt to log in to several accounts within a network, often thousands at a time, until it finds one that uses this successfully.

Unlike brute force attacks–where a long list of random passwords are tried against a single account and credential stuffing where login/password combinations from previous data breaches are tried to access an account–password spraying takes a shotgun approach.

Password spraying has an advantage over other forms of authentication attacks because it is less likely to trigger security software and firewalls programmed to lock accounts after a set number of failed login attempts. By trying one weak password against several accounts, the attempted hack is more likely to go unnoticed than an attack on a single account or a handful of accounts.


  • Password spraying is predictive, and targets bad password hygiene.
  • Password spraying may have been used in the SolarWinds attacks.
  • Authentication attacks like password spraying and credential stuffing can be rendered ineffective by using strong, unique passwords and enabling multi-factor authentication on accounts.
  • Requiring strong passwords at the administrative level and blocking widely known, easily guessed login/password combinations will help protect against the password spraying approach.

More from MediaFeed:

Like MediaFeed’s content? Be sure to follow us.

The biggest scams in America


The 2017 Better Business Bureau (BBB) Scam Tracker Annual Risk Report is out and there are a few changes that consumers should take note of.

Before we get to the big list, consider this: In 2017, Americans reported more than 47,000 scams to the BBB, and that’s likely only a very small fraction of the scams that actually occur.


SIphotography / Getty


Scammers pose as the Feds, call or email victims and tell them that they’ve won a government grant. All they need to do is provide their checking account information.

2017 Rank: 10

2016 Rank: 11


Olivier Le Moal / Getty


Scammers text or email posing as a friend or relative in trouble. They ask for money to help them out of a jam, and often get it.

2017 Rank: 9

2016 Rank: 9


BrianAJackson / Getty


Interested in a time share? How about one that costs next to nothing? Scammers tease too-good-to-be-true vacation offers, and victims are told they need to act fact or else they’ll lose out. They send the cash and end up taking a vacation from their money.

2017 Rank: 8

2016 Rank: 12


misscherrygolightly / Getty


Scammers pose as employees of computer and software companies and tell victims that their computers are at risk. They offer to protect the machine from viruses or malware, gain access to it, then often hold it hostage or demand money to “fix” it. If you’ve ever gotten one of these calls – and chances are you will if you haven’t already – read this tech support scam explainer.


2017 Rank: 7

2016 Rank: 6


Zinkevych / Getty


Need a new roof? How about windows? These scammer often go door to door, offering great deals on what can be very expensive home repairs. All they need is a deposit. Victims pay it and the repairs never happen. (Worried about home improvement scams? Read this.)

2017 Rank: 6

2016 Rank: 1



Antonio_Diaz / Getty


There are quite a few variations of the old fake check scams. Some scammers are actually able to cash fake checks at banks. Others send “prizes” in the form of fake checks to consumers and all they need in return is some cash to cover the taxes. Beware!

2017 Rank: 5

2016 Rank: 2


AndreyPopov / Getty


If you’re desperate for a loan and come across a lender you’ve never heard of who promises low interest rates, big loan amounts, easy payment terms, and all with no credit check, you could be dealing with a scammer. They might be after your personal information or a sizable “application fee.”

2017 Rank: 4

2016 Rank: 5




People in search of a job are often particularly susceptible to scams. They often fall victim to scammers offering easy ways to make lots of money, all in exchange for a fee.

2017 Rank: 3

2016 Rank: 3


mangpor_2004 / Getty


This one has been around a while too. Scammers claim they’ve got a hot investment opportunity and put the pressure on to fork over money or risk missing out. In one version of this scam, criminals pose a government regulators in order to lure people into investments with “guaranteed” returns.

2017 Rank: 2

2016 Rank: 6


William_Potter / Getty


This scam happens to buyers and sellers alike. Sometimes people buy something online and never get the item, or get something very different from what they expected. Other times, a seller on a site like eBay receives a check and sends the item to the buyer, only to discover that the check was a fake. (Worried you could fall victim to online shopping scams? Read this.)

2017 Rank: 1

2016 Rank: 4

Learn more about 20 different types of identity theft and fraud.

This article originally appeared on Experian News and was syndicated by


Rasulovs / Getty


Featured Image Credit: nndemidchick / istockphoto.