What is Password Spraying?

Password spraying is a password-guessing tactic where the attacker tries one or a few common passwords against many accounts. They stay under per-account lockout thresholds by not hammering the same username repeatedly. It is a horizontal attack: one weak password, thousands of users.

How spraying differs from other attacks

Classic brute force throws many passwords at one account. Credential stuffing reuses leaked pairs from other sites. Spraying picks likely passwords (“SeasonYear”, company name plus digit, default onboarding passwords) and walks the user list once per password, often slowly and from many IPs.

Cloud identity (email, SSO, remote access) is a frequent target because one success yields mailboxes, file shares, and downstream SaaS resets.

Execution pattern

Attackers harvest usernames from directories, prior leaks, or predictable formats. They run automated login attempts with pauses and distributed infrastructure so alarms stay quiet. After hours or days they rotate to the next password in a short list.

Why operations and marketing security teams care

A single compromised mailbox can authorize fraudulent payments, reset ad accounts, or exfiltrate CRM exports. That can increase ad fraud risk through changed billing contacts or malicious tracking. MFA and modern auth policies block most spray successes, but legacy protocols and shared mailboxes still slip through.

Monitoring should correlate many light failures across users rather than alerting only on repeated failures for one account. Pair identity hardening with awareness of the remote-access abuse paths described in VPN and perimeter guides, and of bot-driven login noise. Small businesses are common victims because spray tools scan the whole internet. Brands should inventory which SaaS apps allow legacy IMAP or SMTP logins and disable them where possible.
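To show the kind of cross-user correlation the paragraph above calls for, here is an added example that is not from the original page or from ClickPatrol: it reads constructed sample authentication events and flags a time window whose failures are spread thinly across many accounts, the shape a per-user lockout never sees. The log format, window size and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the original page):
# "<ISO timestamp> <user> <source IP> <result>". Eight users each fail
# once or twice from two IPs within a few minutes, then alice signs in.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 203.0.113.10 FAIL
2024-03-01T08:00:09 bob 203.0.113.10 FAIL
2024-03-01T08:00:17 carol 198.51.100.7 FAIL
2024-03-01T08:00:26 dave 203.0.113.10 FAIL
2024-03-01T08:00:33 erin 198.51.100.7 FAIL
2024-03-01T08:00:41 frank 203.0.113.10 FAIL
2024-03-01T08:00:52 grace 198.51.100.7 FAIL
2024-03-01T08:01:03 heidi 203.0.113.10 FAIL
2024-03-01T08:04:15 bob 198.51.100.7 FAIL
2024-03-01T08:05:00 alice 192.0.2.44 SUCCESS
"""

def parse_events(text):
    """Turn raw lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=30),
                 min_users=5, max_fails_per_user=2):
    """Return one finding per time window whose failures are 'wide and
    shallow': at least min_users distinct accounts failed, and no single
    account failed more than max_fails_per_user times. A per-user lockout
    rule never fires on this shape; that gap is what spraying relies on."""
    fails = defaultdict(lambda: defaultdict(int))   # window -> user -> count
    ips = defaultdict(set)                          # window -> source IPs
    for ts, user, ip, result in events:
        if result != "FAIL":
            continue
        start = ts - (ts - datetime.min) % window   # align to window boundary
        fails[start][user] += 1
        ips[start].add(ip)
    findings = []
    for start, per_user in sorted(fails.items()):
        if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
            findings.append({"window_start": start.isoformat(),
                             "distinct_users": len(per_user),
                             "source_ips": sorted(ips[start])})
    return findings
```

The same thresholds leave a classic brute force (many failures on one account) unflagged, so this rule is a complement to per-account lockout alerts, not a replacement.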

For related reading on volume attacks, see how to stop bot attacks and tools that centralize auth logging.

Frequently Asked Questions

  • Does account lockout stop spraying?

    Per-user lockout helps brute force but not spraying, because each user sees only one or two failures per wave.

  • What passwords do attackers try first?

    Seasonal phrases, keyboard walks, and the organization’s name plus digits appear near the top of spray lists.

  • Best single control?

    Phishing-resistant MFA on all human and shared accounts, plus blocking legacy authentication where your provider supports it.

Abisola


Meet Abisola! As the content manager at ClickPatrol, she’s the go-to expert on all things fake traffic. From bot clicks to ad fraud, Abisola knows how to spot, stop, and educate others about the sneaky tactics that inflate numbers but don’t bring real results.