What Is Password Spraying?


Mandy Wilson

Mandy is a Director and Content Manager at Cree Digital


What is password spraying and could you be vulnerable to attack?

Are you guilty of using the same password on several different systems?

Research suggests that around half of us reuse the same password across accounts. Not sensible, but easy to understand. Over a lifetime most of us will have to create hundreds of passwords, and nobody can remember them all, so the passwords we end up with are:

  1. Easy to remember, and therefore easy to guess
  2. Reused across many different systems
  3. Never changed or updated

Sadly, the number of cyber attacks that start from a compromised password has risen significantly over the last 10 years, and there is no sign of any let-up. Increasingly capable tooling exists to guess or crack your password and then use it to wreak havoc in as many different ways as it can.

Password Spraying or Brute Force attack?

Brute force attacks are well understood. They target a small number of accounts with a huge number of password guesses, working through every combination or a large wordlist until one succeeds. This is a VERY good reason to choose a long password: every extra character multiplies the number of combinations an attacker has to try, so a long password takes far longer to crack. It is also why many systems lock an account after a handful of failed attempts.

Password spraying works from the opposing direction. Instead of many guesses against one account, it tries one or two of the most commonly used passwords against a vast number of accounts, typically pausing between rounds. Because each account only sees a guess or two, the attempt stays below the lockout threshold, and because so many accounts are tried, the attacker only needs a few people to have chosen a common password to get in.

According to Nordpass, the Top 10 list of global common passwords looks like this:

1. 123456
2. 123456789
3. 12345
4. qwerty
5. password
6. 12345678
7. 111111
8. 123123
9. 1234567890
10. 123456
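The difference between the two attacks shows up clearly in authentication logs, and that is how a defender tells them apart. The following Python script is an added example, not code from the original article: it assumes a simple constructed log format of "timestamp, source IP, username, FAIL/OK" (real directory or SSO logs will need their own parser), an assumed lockout policy of 5 failures, and a detection threshold of 5 distinct accounts. It slides a time window over each source's events and flags a source as brute force when any single account is hammered past the lockout threshold, and as password spraying when many distinct accounts each see only a guess or two. The sample log is made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lockout policy and detection thresholds (tune to your own environment).
LOCKOUT_THRESHOLD = 5    # failures per account before the directory locks it
SPRAY_MIN_USERS = 5      # distinct accounts one source must fail against to count as spraying
WINDOW = timedelta(minutes=30)

# Constructed sample log (not real data). Assumed format:
# "<ISO-8601 UTC timestamp> <source IP> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 203.0.113.5 alice FAIL
2024-01-10T09:00:03Z 203.0.113.5 bob FAIL
2024-01-10T09:00:05Z 203.0.113.5 carol FAIL
2024-01-10T09:00:07Z 203.0.113.5 dave FAIL
2024-01-10T09:00:09Z 203.0.113.5 erin FAIL
2024-01-10T09:00:11Z 203.0.113.5 frank FAIL
2024-01-10T09:00:13Z 203.0.113.5 grace OK
2024-01-10T09:05:00Z 198.51.100.7 carol FAIL
2024-01-10T09:05:01Z 198.51.100.7 carol FAIL
2024-01-10T09:05:02Z 198.51.100.7 carol FAIL
2024-01-10T09:05:03Z 198.51.100.7 carol FAIL
2024-01-10T09:05:04Z 198.51.100.7 carol FAIL
2024-01-10T09:05:05Z 198.51.100.7 carol FAIL
2024-01-10T09:10:00Z 192.0.2.10 alice FAIL
2024-01-10T09:10:20Z 192.0.2.10 alice OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def classify_sources(events, window=WINDOW,
                     lockout=LOCKOUT_THRESHOLD, min_users=SPRAY_MIN_USERS):
    """Classify each source IP as 'brute_force', 'password_spray' or 'normal'.

    For every source, slide a time window over its events and record
    (a) the most distinct accounts it failed against inside one window and
    (b) the most failures it produced against any single account inside one window.
    Brute force drives (b) past the lockout threshold; a spray keeps (b) below it
    while (a) grows large.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    report = {}
    for src, evs in by_src.items():
        evs.sort()
        max_users = 0
        max_per_user = 0
        start = 0
        for end in range(len(evs)):
            # Drop events that fall outside the window ending at evs[end].
            while evs[end][0] - evs[start][0] > window:
                start += 1
            fails = defaultdict(int)
            for _, _, user, result in evs[start:end + 1]:
                if result == "FAIL":
                    fails[user] += 1
            max_users = max(max_users, len(fails))
            max_per_user = max(max_per_user, max(fails.values(), default=0))

        if max_per_user >= lockout:
            verdict = "brute_force"
        elif max_users >= min_users:
            verdict = "password_spray"
        else:
            verdict = "normal"

        # Accounts this source did get into: for a spray, these are the accounts
        # whose password was on the attacker's common-password list.
        succeeded = sorted({user for _, _, user, result in evs if result == "OK"})
        report[src] = {
            "verdict": verdict,
            "distinct_failed_users": max_users,
            "max_fails_per_user": max_per_user,
            "logged_in_as": succeeded,
        }
    return report


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

In the sample, 203.0.113.5 never trips the lockout (one failure per account) yet touches six accounts and then logs in as grace, which is exactly the pattern a lockout-only defence misses; 198.51.100.7 hammers one account six times and is the classic brute force. A single failed then successful login from 192.0.2.10 is just a user mistyping.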

We are making life far too easy for password-guessing software. Because many of us choose towns, football clubs, favourite bands, birthdates and easy-to-guess phrases, a short list of likely passwords will open a surprising number of accounts.

So, why not set yourself a password review as a matter of urgency? Consider investing in a carefully chosen password manager, which generates a unique password for every account and stores them all in an encrypted vault. Just don't forget the one master password you need to unlock it!

You should also consider Multi-Factor Authentication. It would be unheard of for a financial institution to allow access to online banking without customers jumping through several security hoops first, and the same should go for any sensitive online data, such as the personal and confidential information held in your health records. Combining a password with a second factor, such as a one-time password, an authenticator app or biometrics (fingerprint or face recognition), means a guessed or leaked password on its own is no longer enough to get in, which significantly reduces the damage a spray can do.

3 simple tips to make a strong and secure password:

  1. Make it long! Longer is always stronger. Treat 8 characters as an absolute minimum, and go well beyond it wherever you can.
  2. Use complex combinations of uppercase, lowercase, numbers and special characters, and never a dictionary word, name or date with a single digit or symbol bolted on; password-guessing tools try those variations first.
  3. If you are a company, reinforce security awareness for all employees with regular training, a well-documented procedure for password resets and lockouts, and a check that blocks the most common passwords (such as the list above) from being chosen at all.