TL;DR: Microsoft’s latest Digital Defense Report says 97% of identity attacks are password spray attacks, underscoring how often attackers still win by logging in rather than breaking in, according to Netwrix’s analysis of the report. The practical lesson is that passwordless ambitions do not remove the need to harden today’s authentication paths and block weak, reused, and compromised credentials.
At a glance
What this is: Password spraying remains a dominant identity attack pattern because attackers exploit weak and reused credentials instead of attempting noisy compromise methods.
Why it matters: It matters because IAM teams still have to defend the current authentication estate, including human users and service accounts, while longer-term passwordless programmes mature.
By the numbers:
Context
Password spraying is a low-and-slow login attack in which adversaries try common passwords across many accounts while staying under lockout thresholds. In identity security terms, it exploits the gap between passwordless end-states and the reality of mixed estates where passwords, legacy apps, VPNs, and service accounts still exist.
For IAM and NHI programmes, the issue is not abstract. The control gap is that organisations often plan for future authentication maturity while leaving today’s credential surface exposed. That creates an easy path for attackers who need one successful login, not a breakthrough exploit.
Key questions
Q: How should security teams stop password spraying without waiting for full passwordless adoption?
A: Start by blocking compromised and reused passwords at creation and reset time, then tighten rate-limiting and login monitoring across every password-accepting system. The goal is not to wait for a perfect future state. It is to remove the easiest credentials to guess and reduce the attack surface that spray campaigns depend on.
Q: Why do password spray attacks still work in modern identity environments?
A: They still work because most enterprises run hybrid estates. Legacy apps, service accounts, VPNs, and fallback authentication paths continue to accept passwords, and many organisations have not fully removed weak or reused credentials. Attackers only need one valid login, so incomplete coverage is enough for them to succeed.
Q: What do security teams get wrong about passwordless programmes?
A: They often treat passwordless as proof that the password problem is solved. In practice, passwordless only lowers risk where it is actually enforced. If legacy apps, admin channels, or machine identities still use passwords, the spray problem remains and must be governed as an active control gap.
Q: Who is accountable when password spraying succeeds through a weak credential path?
A: Accountability sits with the identity, security, and application owners who allowed a reusable credential path to remain exposed. The relevant control question is whether the organisation had visibility into where passwords still existed, whether weak-password blocking was enforced, and whether access governance covered non-human identities as well as users.
Technical breakdown
How password spraying stays below lockout thresholds
Password spraying works by distributing a small number of guesses across many accounts instead of hammering one account until it locks. That keeps the attack quiet, avoids common detection thresholds, and gives attackers time to find one weak credential. It is effective precisely because many environments still tolerate reused passwords, stale accounts, and inconsistent lockout policy across directories and SaaS apps. The attack is operationally simple, but its success depends on identity sprawl and weak credential hygiene.
Practical implication: centralise failed-login monitoring and tune lockout and rate-limiting controls to detect distributed credential abuse, not just single-account brute force.
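The detection logic the paragraph above calls for, written out as an added example (it is not code from the original post, from Netwrix, or from NHIMG). It shows why a per-account lockout counter never fires on a spray: one source tries a single guess against six accounts, while a second source hammers one account, and only the per-source aggregate separates the two. The log format, the thresholds, and the sample lines are constructed for illustration; the same logic is what the "tune detection for distributed login abuse" item under "For practitioners" asks for.

```python
"""Classify failed-login sources as password spray or single-account brute force.

Added example, not code from the original post. Log format is constructed:
one record per line, 'timestamp source_ip username FAIL|SUCCESS'.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 sprays one guess across six accounts and then
# logs in as 'grace'; 198.51.100.9 brute-forces 'carol'; 192.0.2.5 is a user
# who mistyped once. No account sees more than one failure from the sprayer,
# so a lockout threshold of 5 per account never trips for it.
SAMPLE_LOG = """\
2026-04-06T09:00:01Z 203.0.113.7 alice FAIL
2026-04-06T09:00:33Z 203.0.113.7 bob FAIL
2026-04-06T09:01:05Z 203.0.113.7 carol FAIL
2026-04-06T09:01:40Z 203.0.113.7 dave FAIL
2026-04-06T09:02:12Z 203.0.113.7 erin FAIL
2026-04-06T09:02:50Z 203.0.113.7 frank FAIL
2026-04-06T09:03:21Z 203.0.113.7 grace SUCCESS
2026-04-06T09:10:00Z 198.51.100.9 carol FAIL
2026-04-06T09:10:02Z 198.51.100.9 carol FAIL
2026-04-06T09:10:04Z 198.51.100.9 carol FAIL
2026-04-06T09:10:06Z 198.51.100.9 carol FAIL
2026-04-06T09:10:08Z 198.51.100.9 carol FAIL
2026-04-06T09:10:10Z 198.51.100.9 carol FAIL
2026-04-06T09:15:00Z 192.0.2.5 dave FAIL
2026-04-06T09:15:20Z 192.0.2.5 dave SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def classify_sources(events, window=timedelta(minutes=30), min_accounts=5,
                     max_per_account=2, lockout_threshold=5):
    """Return {source_ip: finding} for sources showing abusive login patterns.

    'spray': within one window the source failed against at least min_accounts
             distinct accounts with no account failing more than max_per_account
             times (the shape that stays under per-account lockout).
    'brute-force': some single account reached lockout_threshold failures.
    Thresholds are hypothetical tuning values, not vendor defaults.
    """
    fails_by_src = defaultdict(list)
    success_by_src = defaultdict(set)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_src[ip].append((ts, user))
        elif result == "SUCCESS":
            success_by_src[ip].add(user)

    report = {}
    for ip, fails in fails_by_src.items():
        fails.sort()  # sliding window needs chronological order
        verdict = None
        for i, (start, _) in enumerate(fails):
            # All failures from this source inside [start, start + window].
            per_user = Counter(user for ts, user in fails[i:] if ts - start <= window)
            if max(per_user.values()) >= lockout_threshold:
                verdict = "brute-force"
                break
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdict = "spray"
                break
        if verdict:
            report[ip] = {
                "pattern": verdict,
                "accounts_tried": len({user for _, user in fails}),
                # A success after a spray is the event worth paging on.
                "later_success": sorted(success_by_src[ip]),
            }
    return report


if __name__ == "__main__":
    for ip, finding in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The point of the two verdicts is that they need different data: brute force is visible per account, spray is visible only when failures are grouped by source (or by user agent, or by timing) across the whole directory. In practice the grouping key should also include the identity provider or application, because spray campaigns often rotate between password-accepting paths to stay under any one system's threshold.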
Why passwordless adoption does not remove the current attack surface
Passwordless reduces reliance on shared human secrets, but most enterprises still operate hybrid identity estates. Legacy applications, administrative interfaces, VPN dependencies, and service accounts continue to accept passwords or other reusable secrets. That means password spraying remains relevant until the organisation actually removes or fences off the old authentication paths. The risk is not that passwordless is ineffective. The risk is assuming the transition is complete when large parts of the estate still accept password-based access.
Practical implication: inventory every password-accepting path, then prioritise the highest-risk ones for stronger policy, phishing-resistant auth, or removal.
How compromised-password blocking changes the attack economics
Compromised-password screening shifts defence left from detection to prevention. Instead of waiting for a weak password to be used in an attack, the identity system rejects it at creation or change time. That materially reduces the pool of credentials available to spray campaigns and raises attacker cost. The mechanism is especially valuable in hybrid environments because it addresses the source of reuse and credential recycling rather than depending entirely on after-the-fact alerts. It does not solve all identity risk, but it removes a common failure condition that spray attackers repeatedly exploit.
Practical implication: enforce compromised-password checks at password set and reset events, and treat exceptions as risk decisions rather than convenience defaults.
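A compromised-password check at set/reset time, as an added example (not code from the original post, from Netwrix, or from NHIMG). The known-bad list is a constructed stand-in for a breach corpus; the prefix/suffix index mirrors the k-anonymity range-lookup shape used by services such as Have I Been Pwned's Pwned Passwords, but here it is built offline. The username rule, minimum length, and reuse-of-previous-password check are added policy assumptions, and the function returns a reason string so that rejected-password events can feed risk reporting. The same control is the "block compromised and reused passwords at set time" item under "For practitioners".

```python
"""Reject weak, compromised, or reused passwords before they are stored.

Added example, not code from the original post. KNOWN_BAD is a constructed
stand-in for a breach corpus; in production it would be an offline copy of a
breach corpus or a k-anonymity lookup against a hosted one.
"""
import hashlib
from collections import defaultdict

# Constructed known-bad list (a real corpus holds hundreds of millions of hashes).
KNOWN_BAD = ["Password1", "Welcome2024!", "Spring2026!", "Qwerty123", "Company123"]


def sha1_upper(password):
    """SHA-1 hex digest, upper-cased: the convention breach corpora typically use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(passwords):
    """Index bad-password hashes as {5-char prefix: {remaining 35 chars}}.

    Splitting on the prefix is what lets a client query a remote corpus without
    revealing the full hash; offline, it is simply a fast lookup structure.
    """
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_upper(pw)
        index[h[:5]].add(h[5:])
    return index


def is_compromised(password, corpus):
    """True if the password's hash appears in the corpus."""
    h = sha1_upper(password)
    return h[5:] in corpus.get(h[:5], set())


def history_hash(password, salt):
    """Slow, salted hash used only for the per-user password-history check.

    SHA-1 is fine for matching against a public breach corpus, but stored
    history must use a deliberately slow KDF so the history itself is not a
    cheap target if it leaks.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def screen_password(candidate, username, corpus, history, salt, min_length=12):
    """Return (accepted, reason). Called at password set/reset, before storage.

    Reasons are stable strings so rejections can be counted per path and
    per population in risk reporting. Thresholds are hypothetical policy.
    """
    if len(candidate) < min_length:
        return False, "too_short"
    if username.lower() in candidate.lower():
        return False, "contains_username"
    if is_compromised(candidate, corpus):
        return False, "compromised"
    if history_hash(candidate, salt) in history:
        return False, "reused_previous"
    return True, "ok"


if __name__ == "__main__":
    corpus = build_corpus(KNOWN_BAD)
    salt = b"constructed-per-user-salt"
    history = {history_hash("OldPassphrase-2025", salt)}
    for pw in ["Welcome2024!", "alice-Rocks-2026", "OldPassphrase-2025",
               "short", "correct horse battery"]:
        print(repr(pw), screen_password(pw, "alice", corpus, history, salt))
```

The ordering of the checks is deliberate: the cheap structural rules run first, the corpus lookup next, and the slow history hash last, so the expensive KDF is only computed for candidates that have already passed everything else. Rejections tagged "compromised" or "reused_previous" are the ones worth trending over time, because they show where the organisation's credential pool still overlaps with what spray campaigns guess.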
Threat narrative
Attacker objective: The attacker wants one valid login that can be turned into persistent access, privilege expansion, and downstream lateral movement.
- Entry occurs when attackers test common passwords across many accounts while remaining under lockout thresholds, often using automated but low-volume login attempts.
- Escalation follows a successful login on a weak or reused account, after which attackers pivot to persistence, privilege escalation, and living-off-the-land activity.
- Impact comes from the attacker converting one quiet login into broader access, lateral movement, and eventual compromise of sensitive systems or data.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Weak credentials are still the path of least resistance because identity programmes have not fully closed the password gap. Password spraying succeeds when organisations leave large parts of the estate on reusable secrets while planning a future passwordless state. The field-level mistake is treating identity modernisation as a roadmap item instead of a present-tense attack surface. Practitioners should treat credential exposure and reuse as an active control problem, not a legacy nuisance.
Passwordless strategy does not eliminate password-spray risk until the last password-accepting path is removed or hardened. Legacy applications, service accounts, VPNs, and administrative fallbacks keep the old attack model alive even when frontline users adopt phishing-resistant auth. That means the real governance question is coverage, not aspiration. Security teams need to know where passwords still exist and how much blast radius those paths carry.
Compromised-password screening is a governance control, not a convenience feature. The important point is not that weak passwords are bad in theory, but that blocking them at creation time reduces the attacker’s usable credential pool before spraying begins. In NIST CSF terms, this sits squarely in protection and identity governance. Practitioners should make rejected-password events part of their risk reporting, because they show where the organisation is still vulnerable.
Standing secrets remain the silent enabler behind many login-based attacks. Password spraying is rarely about one user alone. It becomes more dangerous when service accounts, shared admin credentials, and legacy access paths are not governed with the same discipline as human identities. The implication is simple: identity policy has to cover the entire credential estate, not just interactive users.
Login attacks exploit the difference between authentication strength and access governance. A successful login does not tell you whether the account should have had that access, whether the credential should still exist, or whether the account is overprivileged. That is why identity governance, password policy, and privileged access controls have to work together. Practitioners should use spray resistance as a test of programme maturity, not just password policy quality.
From our research:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- In the same survey, only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree that governing AI agents is critical to enterprise security.
- For teams moving from password hygiene to broader identity governance, Ultimate Guide to NHIs, Static vs Dynamic Secrets shows why standing secrets keep creating avoidable attack paths.
What this signals
Static credential dependence is becoming a structural identity risk, not a temporary transition issue. With 67% of organisations still relying heavily on static credentials, password spraying is only one expression of a broader governance problem: reusable secrets remain embedded in the operating model. That means remediation has to reach beyond interactive users and into service accounts, automation, and fallback access paths.
The control objective is shifting from login detection to credential elimination and containment. Organisations that keep passwords alive across legacy and non-human systems will keep handing attackers a simple entry path. The programme signal is clear: inventory what still authenticates with reusable secrets, then link each path to a clear owner, control standard, and retirement plan.
Password spraying is a reminder that identity modernisation is only as strong as the oldest surviving authentication path. Teams that have not yet closed that gap should use the issue to accelerate review of password-accepting systems, especially where privileged or machine access is still password-backed. For background on where static secrets create lasting exposure, see Ultimate Guide to NHIs, Static vs Dynamic Secrets.
For practitioners
- Block compromised and reused passwords at set time: Enforce screening against known-bad password lists when users create or reset credentials, and reject passwords that have already been exposed or heavily reused. This closes a major source of spray success before attackers can exploit it.
- Map every password-accepting access path: Identify where the environment still accepts passwords, including legacy apps, VPNs, service accounts, and fallback admin channels. Prioritise those paths by blast radius so the weakest authentication surfaces are addressed first.
- Tune detection for distributed login abuse: Look for low-and-slow patterns across many accounts, not just repeated failures on one account. Correlate source IPs, user agents, and timing so distributed spray activity is visible before a valid login succeeds.
- Reduce standing access on non-human accounts: Review service accounts and other non-human identities for passwords that are long-lived, shared, or broadly reusable. Where possible, replace them with stronger workload identity patterns and tighter entitlement scoping.
Key takeaways
- Password spraying remains effective because many environments still permit reused or weak credentials across a mixed identity estate.
- Microsoft’s finding that 97% of identity attacks were password spray attacks shows how much adversary success still depends on login weaknesses.
- Blocking compromised passwords, mapping password-accepting paths, and reducing standing secrets are the controls that change the attacker’s odds.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Password spraying depends on weak or reused non-human and human credentials. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and authentication controls are central to resisting spray attacks. |
| NIST Zero Trust (SP 800-207) | SI.AC | Zero Trust assumes continuous verification, which spray attacks try to bypass at login. |
Block compromised passwords at creation time and review all reusable secrets for rotation or replacement.
Key terms
- Password Spraying: Password spraying is a login attack in which an adversary tries a small number of common passwords across many accounts to avoid lockouts. It succeeds when identity controls allow weak, reused, or unmonitored credentials to remain active across a mixed environment.
- Compromised Password Screening: Compromised password screening is the practice of rejecting passwords that already appear in breach corpora or known-bad lists. It reduces the pool of credentials attackers can guess, and it works best when enforced at password creation and reset, not only during incident response.
- Standing Secret: A standing secret is a reusable credential that remains valid over time instead of being issued only when needed. In identity programmes, standing secrets increase attack surface because they can be discovered, reused, sprayed, or abused long after their original business need has changed.
- Hybrid Identity Estate: A hybrid identity estate is an environment where cloud identity, on-premises directories, legacy applications, and machine access paths all coexist. This matters because password spraying exploits the weakest remaining authentication path, not the most modern one.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Netwrix: Password spraying: 97% of attacks don’t hack, they just log in. Read the original.
Published by the NHIMG editorial team on 2026-04-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org