As long as we’ve had passwords, people have tried to guess them. In this blog, we’re going to talk about a common attack which has become MUCH more frequent recently and some best practices for defending against it. This attack is commonly calledpassword spray.
In a password spray attack, the bad guys try the most common passwords acrossmanydifferent accounts and services to gain access to any password protected assets they can find. Usually these span many different organizations and identity providers. For example, an attacker will use a commonly available toolkit likeMailsniperto enumerate all of the users in several organizations and then try “P@$$w0rd” and “Password1” against all of those accounts.