TL;DR: Microsoft’s latest Digital Defense Report says 97% of identity attacks are password spray attacks, underscoring how often attackers still win by logging in rather than breaking in, according to Netwrix’s analysis of the report. The practical lesson is that passwordless ambitions do not remove the need to harden today’s authentication paths and block weak, reused, and compromised credentials.
NHIMG editorial — based on content published by Netwrix: Password spraying: 97% of attacks don’t hack, they just log in
By the numbers:
Questions worth separating out
Q: How should security teams stop password spraying without waiting for full passwordless adoption?
A: Start by blocking compromised and reused passwords at creation and reset time, then tighten rate-limiting and login monitoring across every password-accepting system.
Q: Why do password spray attacks still work in modern identity environments?
A: They still work because most enterprises run hybrid estates in which parts of the environment still accept reusable passwords.
Q: What do security teams get wrong about passwordless programmes?
A: They often treat passwordless as proof that the password problem is solved.
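The screening step described in the answers above (reject exposed or reused passwords at creation and reset time), as an added example written for this editorial rather than Netwrix's product logic. The breach corpus, usernames, password history and the local range lookup are all constructed; the lookup stands in for a k-anonymity query to a real breach-corpus service, and the normalisation step catches the "dictionary word plus year and symbol" variants that exact-match checks miss.

```python
import hashlib
import re

# Constructed breach corpus: SHA-1 digests of a few passwords of the kind found
# in public dumps. SHA-1 is used only because that is how such corpora are
# indexed for lookup; it is never the hash a system should store passwords with.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "welcome", "summer", "letmein", "qwerty", "Welcome123")
}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def local_range_lookup(prefix):
    """Stand-in for a k-anonymity range query: given the first 5 hex chars of a
    digest, return the matching 35-char suffixes. Offline here; a production
    check would send only the prefix to a corpus mirror or service."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    digest = sha1_hex(password)
    return digest[5:] in local_range_lookup(digest[:5])


def normalise(password):
    """Strip the case and the trailing digits/symbols users bolt onto a
    dictionary word, so 'Welcome2024!!' is screened as 'welcome'."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped or password.lower()


def evaluate_new_password(username, password, history_sha1, min_length=12):
    """Return (accepted, reason) for a proposed password at set/reset time.
    `history_sha1` holds digests of the account's previous passwords
    (constructed for the example; a real system keeps history under a proper
    password hash, not raw SHA-1)."""
    if len(password) < min_length:
        return False, "too short"
    if username.lower() in password.lower():
        return False, "contains username"
    if is_breached(password) or is_breached(normalise(password)):
        return False, "appears in breach corpus"
    if sha1_hex(password) in history_sha1:
        return False, "reused from history"
    return True, "ok"


if __name__ == "__main__":
    history = {sha1_hex("correct horse battery staple")}
    for pw in ("Welcome2024!!", "jdoe-Str0ng-Pa55",
               "correct horse battery staple", "four candles in the rain"):
        print(f"{pw!r}: {evaluate_new_password('jdoe', pw, history)}")
```

The ordering matters operationally: cheap local checks (length, username) run first, the breach lookup only sees a hash prefix, and the reuse check is last so a rejected password never needs to be compared against history at all.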
Practitioner guidance
- Block compromised and reused passwords at password-set time: enforce screening against known-bad password lists when users create or reset credentials, and reject passwords that have already been exposed or heavily reused.
- Map every password-accepting access path: identify where the environment still accepts passwords, including legacy apps, VPNs, service accounts, and fallback admin channels.
- Tune detection for distributed login abuse: look for low-and-slow patterns across many accounts, not just repeated failures on one account.
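The detection point in the last item, as an added example (not from the Netwrix article): a sliding-window rule that flags a source address trying a small number of passwords against many accounts, alongside the classic per-account failure counter that catches brute force but not a spray. The log lines, the `LOGIN_FAILED`/`LOGIN_OK` format and the IP addresses are constructed for the example; the thresholds are assumptions to be tuned to the environment.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log. 203.0.113.7 sprays one attempt each at six
# accounts over ~45 minutes; 198.51.100.9 hammers one account (brute force);
# 192.0.2.5 is noise that should trip neither rule.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z LOGIN_FAILED user=alice src=203.0.113.7
2024-05-01T09:08:11Z LOGIN_FAILED user=bob src=203.0.113.7
2024-05-01T09:09:00Z LOGIN_OK user=alice src=198.51.100.20
2024-05-01T09:17:42Z LOGIN_FAILED user=carol src=203.0.113.7
2024-05-01T09:26:30Z LOGIN_FAILED user=dave src=203.0.113.7
2024-05-01T09:35:03Z LOGIN_FAILED user=erin src=203.0.113.7
2024-05-01T09:44:19Z LOGIN_FAILED user=frank src=203.0.113.7
2024-05-01T09:00:01Z LOGIN_FAILED user=alice src=198.51.100.9
2024-05-01T09:00:02Z LOGIN_FAILED user=alice src=198.51.100.9
2024-05-01T09:00:03Z LOGIN_FAILED user=alice src=198.51.100.9
2024-05-01T09:00:04Z LOGIN_FAILED user=alice src=198.51.100.9
2024-05-01T09:00:06Z LOGIN_FAILED user=alice src=198.51.100.9
2024-05-01T09:00:07Z LOGIN_FAILED user=alice src=198.51.100.9
2024-05-01T09:30:00Z LOGIN_FAILED user=bob src=192.0.2.5
2024-05-01T09:31:00Z LOGIN_FAILED user=bob src=192.0.2.5
2024-05-01T09:32:00Z LOGIN_FAILED user=carol src=192.0.2.5
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN_FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(lines):
    """Extract (timestamp, user, source) from failed-login lines, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # successes and unrelated lines are ignored
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"]))
    events.sort()
    return events


def per_account_failures(lines):
    """The classic lockout-style view: failures per account, any source."""
    return Counter(user for _, user, _ in parse_failures(lines))


def detect_spray(lines, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Flag a source that, within `window`, failed against at least
    `min_accounts` distinct accounts while never exceeding `max_per_account`
    attempts on any one of them. Returns {src: [accounts targeted]}."""
    recent = defaultdict(deque)  # per-source sliding window of (ts, user)
    flagged = {}
    for ts, user, src in parse_failures(lines):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        per_user = Counter(u for _, u in q)
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            flagged[src] = sorted(per_user)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-account failures:", dict(per_account_failures(lines)))
    print("spray sources:", detect_spray(lines))
```

Run against the sample, the per-account counter shows `alice` with 7 failures (the brute-force source would trip a lockout threshold) but says nothing about the spray, while `detect_spray` flags 203.0.113.7 even though no single account saw more than one failure from it. In production the key would usually be the source ASN or a device fingerprint rather than a bare IP, since spray tooling rotates addresses.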
What's in the full article
Netwrix's full blog covers the operational detail this post intentionally leaves for the source:
- The exact Active Directory and Entra ID enforcement flow for blocking compromised passwords at change time.
- The product-level policy logic for checking new passwords against known breach data before they are accepted.
- The implementation details for hybrid environments that still depend on legacy password-based access.
- The source article's guidance on aligning password policy with a longer-term passwordless transition.
👉 Read Netwrix’s analysis of password spraying and password policy enforcement →
Password spraying: are your identity controls stopping logins?
Explore further
Weak credentials are still the path of least resistance because identity programmes have not fully closed the password gap. Password spraying succeeds when organisations leave large parts of the estate on reusable secrets while planning a future passwordless state. The field-level mistake is treating identity modernisation as a roadmap item instead of a present-tense attack surface. Practitioners should treat credential exposure and reuse as an active control problem, not a legacy nuisance.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- In the same survey, only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who is accountable when password spraying succeeds through a weak credential path?
A: Accountability sits with the identity, security, and application owners who allowed a reusable credential path to remain exposed. The relevant control question is whether the organisation had visibility into where passwords still existed, whether weak-password blocking was enforced, and whether access governance covered non-human identities as well as users.
👉 Read our full editorial: Password spraying shows why login hardening still matters in IAM