They still work because most enterprises run hybrid estates. Legacy apps, service accounts, VPNs, and fallback authentication paths continue to accept passwords, and many organisations have not fully removed weak or reused credentials. Attackers only need one valid login, so incomplete coverage is enough for them to succeed.
Why This Matters for Security Teams
Password spray still works because identity environments rarely look as clean as the diagrams. Even when MFA is deployed, attackers target the weakest accepted path: legacy SSO, VPN, IMAP/POP, service account logins, break-glass accounts, and applications that still rely on passwords. NHI Management Group’s Ultimate Guide to NHIs shows how often credentials remain exposed or unmanaged, and the same pattern applies to human authentication when coverage is incomplete.
Current guidance from CISA cyber threat advisories consistently treats credential abuse as an opportunistic, low-cost attack path: adversaries do not need to break cryptography if they can repeatedly test large password sets against accounts that still accept passwords. The problem is not that modern controls fail universally. The problem is that they fail unevenly, and one surviving path is enough.
That is why password spray remains a tier-one access risk in hybrid estates. In practice, many security teams encounter account takeovers only after the attacker has already found the one forgotten authentication path that still accepts weak or reused credentials.
How It Works in Practice
Password spray is effective because it is designed to avoid lockouts and detection while taking advantage of broad credential reuse. Attackers try one or a few common passwords across many accounts, often with low request volume and distributed infrastructure. They are not guessing randomly. They are testing for the small subset of users whose credentials are weak, reused, or exposed elsewhere.
The real-world failure mode is environment fragmentation. A tenant may enforce strong MFA for most users, but a mailbox protocol, a remote access gateway, or a business-critical legacy application still accepts password-only authentication. Once one account is found, the attacker can often pivot into session hijacking, OAuth token theft, or internal reconnaissance. NHI Management Group’s 52 NHI Breaches Analysis shows the same operational lesson on the non-human side: partial coverage creates a durable attack surface.
Defenders need layered controls rather than a single “MFA enabled” claim. Practical measures include:
- Disabling password authentication wherever protocol support allows it.
- Enforcing phishing-resistant MFA for all interactive access, especially privileged users.
- Blocking legacy authentication paths and service endpoints that bypass modern controls.
- Monitoring for spray patterns such as many usernames, few passwords, and geographically distributed sign-ins.
- Using conditional access and risk-based prompts to challenge anomalous logins in real time.
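The monitoring bullet above describes spray as a shape in the sign-in logs rather than a signature: many distinct usernames, each failing only once or twice in a short window, from several source IPs or countries, and often over a legacy protocol. The following is an added example, not code from the original page or from NHI Management Group; it groups constructed sign-in events into fixed windows, scores each window on those properties, and also reports any account that succeeded from one of the spraying source IPs in the same window, which is the "one valid login" the article warns about. The log format and field names are assumptions for this example; map your IdP's export onto the same fields.

```python
"""Password-spray detection over sign-in logs (added example, not from the article).

A spray looks different from a brute force: many distinct usernames, each hit
only once or twice inside a short window, often from several source IPs or
countries. Windows are scored on exactly those properties.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample sign-in events (not real data). Assumed fields:
# time user src_ip country protocol result
SAMPLE_LOG = """\
2024-05-01T09:00:05Z alice 198.51.100.10 US imap FAIL
2024-05-01T09:00:09Z bob 198.51.100.10 US imap FAIL
2024-05-01T09:00:14Z carol 203.0.113.7 DE imap FAIL
2024-05-01T09:00:20Z dave 203.0.113.7 DE imap FAIL
2024-05-01T09:00:27Z erin 192.0.2.55 BR imap FAIL
2024-05-01T09:00:33Z frank 192.0.2.55 BR imap FAIL
2024-05-01T09:00:40Z grace 198.51.100.10 US imap FAIL
2024-05-01T09:00:46Z heidi 203.0.113.7 DE imap SUCCESS
2024-05-01T09:00:50Z ivan 192.0.2.55 BR imap FAIL
2024-05-01T09:00:58Z judy 198.51.100.10 US imap FAIL
2024-05-01T09:30:02Z alice 10.0.0.12 US sso FAIL
2024-05-01T09:30:10Z alice 10.0.0.12 US sso FAIL
2024-05-01T09:30:19Z alice 10.0.0.12 US sso FAIL
2024-05-01T09:30:30Z alice 10.0.0.12 US sso SUCCESS
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    src_ip: str
    country: str
    protocol: str
    result: str


@dataclass(frozen=True)
class SprayFinding:
    window_start: datetime
    distinct_users: int
    max_attempts_per_user: int
    source_ips: tuple
    countries: tuple
    protocols: tuple
    suspected_compromised: tuple  # users with a SUCCESS from a spraying source IP


def parse_log(text):
    """Parse the whitespace-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, proto, result = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(t, user.lower(), ip, country, proto, result.upper()))
    return events


def window_start(t, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = int(t.timestamp())
    size = window_minutes * 60
    return datetime.fromtimestamp(epoch - epoch % size, tz=timezone.utc)


def detect_spray(events, window_minutes=5, min_users=8, max_per_user=2):
    """Return one SprayFinding per window whose failures fit the spray shape.

    Thresholds are tuning assumptions: at least `min_users` distinct users
    failing, none of them more than `max_per_user` times (a single user
    failing many times is a brute force or a broken client, not a spray).
    """
    buckets = defaultdict(list)
    for e in events:
        buckets[window_start(e.time, window_minutes)].append(e)

    findings = []
    for start in sorted(buckets):
        evs = buckets[start]
        fails = [e for e in evs if e.result == "FAIL"]
        per_user = Counter(e.user for e in fails)
        if len(per_user) < min_users or max(per_user.values(), default=0) > max_per_user:
            continue
        spray_ips = {e.src_ip for e in fails}
        # A success from an IP that was spraying in the same window is the
        # account most likely to have just been taken over.
        compromised = sorted({e.user for e in evs
                              if e.result == "SUCCESS" and e.src_ip in spray_ips})
        findings.append(SprayFinding(
            window_start=start,
            distinct_users=len(per_user),
            max_attempts_per_user=max(per_user.values()),
            source_ips=tuple(sorted(spray_ips)),
            countries=tuple(sorted({e.country for e in fails})),
            protocols=tuple(sorted({e.protocol for e in fails})),
            suspected_compromised=tuple(compromised),
        ))
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed log, the 09:00 window is flagged (nine users, one attempt each, three countries, all over IMAP) and `heidi` is reported as suspected compromised, while the 09:30 window, where one user fails three times from one address before succeeding, is correctly left alone. In production the window size and thresholds need tuning against normal failure volume, and the protocol field is worth alerting on separately, since a spray against a legacy path is exactly the fragmentation case the article describes.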
From a standards perspective, the MITRE ATLAS adversarial AI threat matrix is useful for understanding how adversaries operationalize automation, while identity guidance from CISA cyber threat advisories reinforces the need to remove or harden any fallback path that still accepts passwords. These controls tend to break down in large hybrid environments where older applications cannot be modernized quickly and exceptions accumulate faster than policy enforcement.
Common Variations and Edge Cases
Tighter authentication controls often increase user friction and operational overhead, so organisations have to balance lockout resistance, accessibility, and legacy compatibility against exposure reduction. That tradeoff is why password spray is still seen in mature environments: some systems are intentionally left outside the strongest controls because business continuity depends on them.
There is no universal standard for every edge case, but current guidance suggests prioritising the highest-risk paths first: privileged accounts, externally reachable services, and any protocol that still permits basic authentication. Shared accounts, emergency access accounts, and service accounts deserve special treatment because they often bypass normal user lifecycle checks. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks is relevant here because the same visibility and rotation failures that hurt NHI governance also weaken identity defence broadly.
Best practice is evolving toward continuous detection plus systematic removal of fallback paths, not just stronger password policy. That means treating legacy authentication as a temporary exception, not a permanent design feature, and documenting every exception with an owner, expiry date, and compensating control. The edge case that most often defeats this approach is a business-critical legacy application that cannot support modern auth but remains internet-facing or broadly reachable inside the network.
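The paragraph above asks for every legacy-authentication exception to carry an owner, an expiry date and a compensating control. The following is an added example, not code from the original page or from NHI Management Group: it validates a constructed exception register against those three requirements and ranks the entries so that the one most likely to become the "forgotten path" (expired, unowned, internet-facing, no compensating control) surfaces first. The register layout, field names and the fixed review date are assumptions for this example.

```python
"""Legacy-auth exception register check (added example, not from the article).

Each exception must name an owner, an expiry date and a compensating control.
Entries are scored so that exposure (internet-facing) plus missing or lapsed
governance fields puts the riskiest fallback path at the top of the review.
"""
from datetime import date

# Constructed register (not real systems). Field names are assumptions.
EXCEPTIONS = [
    {"system": "erp-legacy", "auth": "basic", "owner": "app-team-erp",
     "expires": "2024-12-31", "compensating_control": "IP allowlist, VPN-only",
     "internet_facing": False},
    {"system": "fax-gateway", "auth": "imap", "owner": "",
     "expires": "2023-06-30", "compensating_control": "",
     "internet_facing": True},
    {"system": "vendor-portal", "auth": "password", "owner": "procurement",
     "expires": "2025-03-01", "compensating_control": "",
     "internet_facing": True},
    {"system": "break-glass-01", "auth": "password", "owner": "sec-ops",
     "expires": "2024-09-30", "compensating_control": "vaulted, alert on use",
     "internet_facing": False},
]

# Weight given to reachability: an exposed path with gaps outranks an
# internal one with the same gaps. Tuning assumption for this example.
EXPOSURE_WEIGHT = 2


def assess_exception(entry, today):
    """Return (system, score, issues) for one register entry."""
    issues = []
    if not entry.get("owner"):
        issues.append("no owner")
    expires = entry.get("expires")
    if not expires:
        issues.append("no expiry")
    elif date.fromisoformat(expires) < today:
        issues.append("expired")
    if not entry.get("compensating_control"):
        issues.append("no compensating control")
    score = len(issues) + (EXPOSURE_WEIGHT if entry.get("internet_facing") else 0)
    return entry["system"], score, tuple(issues)


def review_register(register, today):
    """Assess every entry and return them riskiest first.

    Compliant entries (no issues) are still returned with score 0 so the
    reviewer sees the whole register, not only the failures.
    """
    results = [assess_exception(e, today) for e in register]
    return sorted(results, key=lambda r: (-r[1], r[0]))


def overdue_systems(register, today):
    """Systems whose exception has lapsed: these should no longer accept passwords."""
    return [s for s, _, issues in review_register(register, today) if "expired" in issues]


if __name__ == "__main__":
    for system, score, issues in review_register(EXCEPTIONS, date(2024, 7, 1)):
        print(f"{score:2d}  {system:16s} {', '.join(issues) or 'ok'}")
```

Reviewed on the constructed date of 2024-07-01, `fax-gateway` scores highest (unowned, expired, no compensating control, internet-facing) and `vendor-portal` follows on exposure alone; the two entries that meet all three requirements score 0. Running a check like this on a schedule turns the "temporary exception" wording into something that actually expires.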
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Addresses identity proofing and authentication path hardening against password spray. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl and weak credential handling drive spray success across hybrid estates. |
| NIST SP 800-63 | AAL2 | Phishing-resistant, multi-factor authentication reduces the value of sprayed passwords. |
Inventory every account and disable any authentication path that still accepts reusable passwords.