What is "Password Spraying"

Simply put, it's a method of hacking accounts in bulk without being detected … Let's demystify this approach.

[Image: spray bottle containing passwords]
Published 8/17/2019

What is Password Spraying?

There are several moving parts to Password Spraying. At its core it's designed to work around accounts being locked and to stay under the radar. Let's have a look at this technique and try to understand how it works and ways to beat it.

There are a few moving parts to how this works, so let's get to it.


Most systems you use online will require a username and a password, and typically if you enter the wrong password 3 times you're then locked out for a period of time. And when your account keeps getting locked, you start to notice very quickly.

The timeout is designed to slow things down, so a brute force attack will take much longer.

Data Leaks and System Compromises

The number of times account details are leaked is shocking. It happens in all sorts of ways; what matters here is that all of a sudden the hacker has access to a big list of real accounts.

Here we're not too interested in the password, that's a different thing.. and you're totally at the mercy of how the password is stored.

Common Passwords

The number of people that use the same password is shocking. It's a generalisation, but thinking up passwords is HARD, so the same ones tend to float to the surface like “password” (really

If the system in question needs a number … you can bet there will be a 1 on the end. A capital? It's nearly always the first letter. Some people use substitutions, let's go for S3cur3 … $ for s, 3 for e, 0 for o, 1 for i .. Hackers know them as well.

If the attacker uses Brute Force, all these variants are worked out automatically ahead of time, e.g. “password”, “Password”, “Pa$sword”, “pa$$word” etc. I've seen this attack used within a company.. in less than a minute about a third of the passwords were exposed, including the domain admins.

Need a spray gun

Ok, they might not actually use a spray gun. But it works something like this:

There is no hurry in this. It's designed to be slow, so each account might only get hit every few hours, but that's what keeps accounts from being locked: each account stays under the lockout threshold while the attacker works through the whole list.

Is it serious?

So how do you protect yourself?

Really you need a password manager, such as LastPass, which gives you passwords way down on the common password list.

Why have separate passwords? - A Digression

It's actually a simple but effective protection method: if your password gets found out from one site and it's only used on that site, you are semi-protected.

A good practice is to check to see if you have been pwned. That's a list of accounts that have been exposed from websites; at the time of writing 348 of them, with over 7 and a half billion accounts - ouch.

And if an account does get compromised, you know whose, and it's much less likely to spread to all your online accounts.
