prevent a password spraying attack scaled

6 Ways To Prevent A Password Spraying Attack In Companies

Reading Time: 4 minutes

Last Updated on August 17, 2021 by Calvin C.

In one article I covered, there is a shocking list of weak passwords used by a lot of people. This kind of practice makes it easy for hackers to gain unauthorized access into user accounts. One of the tactics that exploits this vulnerability is the use of a password spraying attack. In this article, we look at 6 ways companies can prevent a password spraying attack.

By definition, a password spraying attack is a variant of brute-force attack where a hacker tries the same password on many accounts before moving to the next password and repeating the process.

Instead of trying different passwords on one account, the hacker ‘sprays’ the same password on many account.

This means the account lock-out feature, to limit the number of login attempts, is greatly weakened as many accounts are targeted in a very short space of time instead of one.

If a privileged account is compromised, e.g. Administrator’s account, the attacker can cause serious damage to the affected system and set up backdoors that are hard to detect.

That is why it is very important to implement the measures I will outline below.

prevent password spraying attack

Who is at risk of a password spraying attack?

Vulnerable environments include those that use:

  • Default passwords
  • Weak passwords
  • Previously breached passwords

Unlike a brute-force attack that tries many passwords on one account; a password spray attack spreads the attack over many accounts.

How to protect your company

Password spraying attacks are only part of a wider range of methods used by malicious actors to mount a cyberattack.

A good cyber hygiene is always the best way to protect your organization or system from such attacks.

1. Multi-factor authentication (MFA)

MFA adds an extra layer of security by protecting an account with a code, in addition to the usual password.

For every login attempt, you have to enter a code that is sent to your phone or email.

An even more secure form of MFA is to use app-based 2-FA like Google Authenticator.

SMS-based 2-FA is no-longer safe as hackers can easily use sim card fraud to intercept the code.

If you are not using MFA, you are at a higher risk of being a target.

2. Password hygiene

Weak passwords are easily cracked by a password spray attack.

According to data from Data Breach Investigation Report for 2017, 81% of hacking-related breaches leveraged either stolen or weak passwords.

A company must make sure employees use complex passwords that are difficult to guess.

For example, the system must automatically reject any password without caps, special characters, numbers, or one which is too short.

Fortunately, nowadays there are password managers that automatically generate strong secure passwords.

An example of a password manager that I use is NordPass password manager.

This tool can also identify any weak passwords that you are currently using. You can can read about all the features of NordPass and try it for free.

3. Effective account lock-out policy

Every account should limit the number of login attempts.

This protects the account from brute-force attacks while not having any significant effect against password spraying attacks.

By limiting the number of password attempts, an organization doesn’t suffer non-stop brute-force attacks or its variants.

4. Breached password protection

An organization must put in place a system that scans all passwords on a continuous basis and it should remove any previously breached passwords.

In addition, the system must remember and block reuse of old passwords to minimize  the chances of a successful attack.

According to a joint online security survey carried out by Google and Harris Poll, 52% reuse the same password for multiple, but not all accounts.

5. Change password expiry policies

Forcing employees to change their passwords frequently, as part of a password expiration policy, can come back to haunt you.

In the end, employees are more likely to make slight changes to the old password or even choose a weaker password.

In the Security Baseline for Windows 10 v1903 and Windows Server v1903, Microsoft says, “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”

6. Drop use of password hints

This one is obvious. If an attacker gets a password hint, it’s easier to narrow down the number of passwords that can successfully unlock an account.

With a bit of social engineering, an attacker can create a closely matching password and “walk through the front door.”

How to detect a password spraying attack

One way to detect that a password spraying attack has taken place is a spike in the number of account lockouts.

If MFA is enabled, you may see an increase in the number of authentication requests within a short space of time.

On examination of the origin of an attack, you may find that one IP address or one device has generated all the traffic.


Companies need to be vigilant in making sure security policies are implemented by employees at all times.

Even if workers are not on the job site, password hygiene protocols need to be observed.

Working remotely is now a normal practice hackers are always on the lookout for vulnerable accounts to attack and compromise.

A good VPN helps to establish a secure connection to the company network over the internet.

Top 3 VPNs that you can test risk-free are as follows:

logotype horizontal
  • Overall BEST VPN
  • Save 68% for a 2-year plan
  • Unblocks Netflix
  • Adblock & antimalware
  • Low cost & reliable
  • Save 83% for a 2-year plan
  • Unblocks Netflix
  • No logs policy
CyberGhost Logo Header e1613506333763
  • Wide server coverage
  • Save 83% for a 3-year plan
  • 45-day money back guarantee
  • Unblocks Netflix

How safe are your accounts? Are you using a password manager to generate password managers? Leave a comment below and share the article with your friends on social media.

Tech writer and VPN expert. DIY enthusiast and loves anything to do with space science.

Leave a Reply

Your email address will not be published. Required fields are marked *