Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about password spraying?

They treat it as an authentication nuisance instead of an identity reconnaissance method. Spraying tests where controls are weak, which accounts lack strong protection, and whether fallback paths can be abused. The real failure is not just weak passwords, but weak segmentation between accounts, systems, and trust boundaries.

Why Security Teams Misread Password Spraying

password spraying is often dismissed as a volume-based login problem, but that framing misses the point. It is a reconnaissance technique that maps authentication weak spots, fallback paths, and inconsistent policy enforcement across an estate. Security teams that only count failed logins or blocklists tend to miss the broader signal: which identities are protected by MFA, which legacy paths still accept weak factors, and where conditional access is not actually consistent.

This matters because spraying is rarely isolated to one account type. The same pattern can expose human users, service accounts, and connected workloads when identity controls are fragmented. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which is a good indicator of how much identity surface remains unseen. The real risk is not the spray itself, but the intelligence it gives an attacker about where trust boundaries are weakest. In practice, many security teams discover this only after one weak path is used to pivot into stronger ones.

How Password Spraying Works in Practice

Attackers use a small set of common passwords across many accounts, deliberately staying below lockout thresholds and spreading attempts over time or geography. That makes spraying effective against environments where authentication controls are uneven. A mature response starts with understanding authentication as an identity system, not a login screen. The NIST Cybersecurity Framework 2.0 treats identity and access as part of broader governance, protection, and detection outcomes, which is the right lens here.

Security teams should correlate three signals:

  • Distributed failed logins against many accounts from a small password set
  • Unusual access to legacy protocols, fallback auth, or rarely used tenants
  • Success after prior low-and-slow probing, especially from cloud-hosted infrastructure

That detection logic should be paired with enforcement: MFA everywhere it is supported, removal of legacy authentication where possible, rate limiting that is account-aware as well as source-aware, and segmentation so one compromised identity cannot trivially reach others. The NHI Management Group research on the State of Non-Human Identity Security shows how often visibility gaps, over-privilege, and poor credential hygiene create the conditions attackers need. Those same conditions make spraying more valuable because the attacker is learning where credentials are accepted, where they are not, and which identities are worth following up on. These controls tend to break down in hybrid estates where older auth stacks, partner access, and machine identities still authenticate outside modern policy engines.

Where the Standard Advice Breaks Down

Tighter login controls often increase operational friction, requiring organisations to balance brute-force resistance against support load and user disruption. That tradeoff becomes especially sharp in environments with contractors, partner portals, service accounts, and regional exceptions. Current guidance suggests treating these exceptions as high-risk design choices, not as harmless edge cases.

One common mistake is assuming MFA alone solves spraying. It helps, but attackers often target accounts with weaker recovery paths, exempted apps, or dormant identities that have not been fully offboarded. Another mistake is focusing only on humans while leaving machine identities, admin portals, and API-backed workflows outside the same policy tier. The broad lesson from the Ultimate Guide to NHIs is that identity sprawl, not just password quality, is what creates exploitable gaps.

There is no universal standard for perfect spray detection yet. Best practice is evolving toward adaptive thresholds, risk-based challenge flows, and continuous review of accounts that can still authenticate with older methods. Where this guidance often fails is in environments that keep legacy auth alive for business continuity, because attackers only need one weak path to make the whole estate look soft.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Spraying often exploits weak secret lifecycle and recovery paths.
OWASP Agentic AI Top 10 A2 Credential abuse patterns mirror access-bypass risks in autonomous workloads.
CSA MAESTRO IAM-02 Maestro addresses identity control gaps across autonomous and connected systems.
NIST CSF 2.0 PR.AC-1 Password spraying is fundamentally an access-control weakness.
NIST AI RMF GOVERN Identity reconnaissance against AI-enabled systems needs governance and accountability.

Rotate exposed credentials quickly and remove reusable secrets from fallback authentication paths.