Password spraying is a type of brute force attack in which an attacker tries a single common password against many accounts on the same application. The attack has two steps: the attacker first acquires a list of usernames, then attempts a login for every username with the same password. The attacker repeats the process with a new password each round until one of the attempts succeeds and yields account and system access. Password spraying differs from a traditional brute force attack, which tries many passwords against a single account, but it follows the same mass trial-and-error approach that defines brute forcing. Password spraying is especially common where an application or administrator assigns the same default password to new users.
Password spraying attacks can be incredibly damaging to SSO and federated authentication systems, where a single password grants access to multiple assets or accounts. To reduce exposure to password spraying, it is recommended to enable and properly configure multi-factor authentication (MFA), enforce the use of strong passwords, set account lockout policies that trigger after a certain number of failed login attempts, and implement CAPTCHA where lockout is not a viable option. Monitoring for an increase in account lockouts, authentication attempts, or failed logins can also help detect a password spray early on.
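The monitoring advice above can be turned into concrete detection logic: a spray shows up as one source failing against many distinct accounts inside a short window, whereas classic brute force shows up as many failures against one account. The following is an added example written for this page, not code from the original text; it assumes a simplified single-line log format (`timestamp src=… user=… result=…`) and uses constructed sample entries.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 198.51.100.7: one failure on
# each of five accounts (spraying). 203.0.113.9: five failures on one account
# (classic brute force). 192.0.2.4: a real user who mistypes once, then succeeds.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=198.51.100.7 user=alice result=fail
2024-05-01T09:00:09 src=198.51.100.7 user=bob result=fail
2024-05-01T09:00:17 src=198.51.100.7 user=carol result=fail
2024-05-01T09:00:25 src=198.51.100.7 user=dave result=fail
2024-05-01T09:00:33 src=198.51.100.7 user=erin result=fail
2024-05-01T09:01:00 src=203.0.113.9 user=alice result=fail
2024-05-01T09:01:02 src=203.0.113.9 user=alice result=fail
2024-05-01T09:01:04 src=203.0.113.9 user=alice result=fail
2024-05-01T09:01:06 src=203.0.113.9 user=alice result=fail
2024-05-01T09:01:08 src=203.0.113.9 user=alice result=fail
2024-05-01T09:02:00 src=192.0.2.4 user=bob result=fail
2024-05-01T09:02:10 src=192.0.2.4 user=bob result=success
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse_failures(text):
    """Yield (timestamp, src, user) for each failed login; successes are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "fail":
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def classify_sources(text, window=timedelta(minutes=10), threshold=5):
    """Map a source to 'spray' (failures on >= threshold distinct accounts inside
    one sliding window) or 'brute' (>= threshold failures on a single account)."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(text):
        by_src[src].append((ts, user))
    verdicts = {}
    for src, events in by_src.items():
        recent, users = deque(), Counter()  # events in window, per-account counts
        for ts, user in sorted(events):
            recent.append((ts, user))
            users[user] += 1
            while ts - recent[0][0] > window:  # expire events outside the window
                users[recent.popleft()[1]] -= 1
            active = [n for n in users.values() if n]
            if len(active) >= threshold:
                verdicts[src] = "spray"
            elif max(active) >= threshold:
                verdicts.setdefault(src, "brute")
    return verdicts
```

Note that per-source grouping is a simplification: a spray distributed across many source addresses is better caught by counting distinct accounts with failures per time window across the whole tenant, with the same sliding-window logic applied to a single global stream.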