A Password Spraying Attack is a type of brute force attack in which a malicious actor tries the same password against many accounts before moving on to another password and repeating the process. This is effective because many users choose simple, predictable passwords, such as “password123.”
A common practice among many companies is to lock a user out after a number of failed login attempts (usually 3-5 attempts) in a short period of time. Because a password spraying attack spreads its attempts across many accounts instead of repeating them against one, a bad actor is able to avoid being detected and locked out of an account, which is the obstacle that regular brute force attacks commonly run into.
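As an added example (not from the original page), the following detection logic runs a per-account lockout counter and a per-source counter over the same constructed failed-login events, showing that the lockout counter misses the spray while counting distinct accounts per source catches it. The IP addresses, usernames, `SPRAY_THRESHOLD` and `WINDOW` are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events: (timestamp, source IP, username).
# 203.0.113.7 fails once against many accounts (spray pattern);
# 198.51.100.9 fails repeatedly against one account (regular brute force).
BASE = datetime(2024, 1, 1, 9, 0, 0)
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
EVENTS = [(BASE + timedelta(seconds=20 * i), "203.0.113.7", u)
          for i, u in enumerate(USERS)]
EVENTS += [(BASE + timedelta(seconds=5 * i), "198.51.100.9", "mallory")
           for i in range(6)]
EVENTS.sort()

LOCKOUT_THRESHOLD = 5           # failures per account (top of the 3-5 range)
SPRAY_THRESHOLD = 6             # assumed: distinct accounts failed per source
WINDOW = timedelta(minutes=10)  # assumed sliding detection window


def locked_accounts(events):
    """Per-account lockout: count recent failures for each username."""
    locked, recent = set(), defaultdict(list)
    for ts, _src, user in events:
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
        if len(recent[user]) >= LOCKOUT_THRESHOLD:
            locked.add(user)
    return locked


def spraying_sources(events):
    """Per-source view: flag a source failing against many distinct accounts."""
    flagged, recent = set(), defaultdict(list)
    for ts, src, user in events:
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= WINDOW]
        recent[src].append((ts, user))
        if len({u for _t, u in recent[src]}) >= SPRAY_THRESHOLD:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("locked accounts:", locked_accounts(EVENTS))
    print("spraying sources:", spraying_sources(EVENTS))
```

A source-keyed counter like this is only one signal; sprays distributed across many source addresses need correlation on other fields, such as a burst of single failures across many accounts in the same window.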
“I was asked to change my password when my bank fell victim to a password spraying attack. It turns out some hacker managed to try millions of username and password combinations against the bank’s users – and I was one of them.”