Password Spraying Attacks


Have you heard of a password brute-force attack? A brute-force attack is when attackers try to hack into a single account by guessing its password.

Let’s say an attacker is trying to hack the account of the user “Vickie”. The attacker will first generate a password list to use. She can either use a dictionary of common passwords she found online, or a list of likely passwords generated based on her knowledge of the user. Then, the attacker uses a script to rapidly fire off login attempts to the service. She tries to log into the service with the username “Vickie” and different passwords until she finds the correct one.

But modern applications are getting smarter. The majority of web applications now implement account lockout policies. If the application detects that an account has had a few failed login attempts in a short timeframe, the application will block the account from further logins. The application will often also notify the user of the failed login attempts or alert the system admins.

This means that traditional brute-force attacks are no longer feasible against the majority of applications. To avoid account lockouts, attackers have to space out their password guesses, which makes brute-forcing far too time-consuming. That’s why attackers use an attack called “password spraying” as an alternative to brute-forcing.

What is password spraying?

During a password spraying attack, the attacker attempts to access a large number of accounts with a small list of commonly used passwords. She will first try to log in to all the usernames with the first common password before trying the second common password across all accounts, and so on.

For example, login attempts generated by a traditional brute-force attack look like this:

username: john, password: password
username: john, password: password1
username: john, password: password2
username: john, password: password3
username: chris, password: password
username: chris, password: password2
username: chris, password: password3
username: chris, password: password4

While the login attempts of a password spraying attack look like this:

username: john, password: password
username: chris, password: password
username: dave, password: password
username: richard, password: password
username: john, password: password2
username: chris, password: password2
username: dave, password: password2
username: richard, password: password2

By trying the same password on a large number of accounts, attackers naturally space out the guesses against every single account, so no account accumulates enough failed logins in a short timeframe to trigger a lockout. And because many users choose weak passwords, it is possible to get a hit after trying just a few of the most common passwords.

Using Hydra to spray passwords

Now let’s spray some passwords to learn how the attack works!

We will be using Hydra to execute our attack. Hydra is an authentication brute-forcing tool that can be used for many protocols and services. It can help us automate our password spraying attack!

Installing Hydra

First, let’s install Hydra. If you are using Kali Linux, a version of Hydra is already installed. Otherwise, on a Debian-based system you can run this command.

sudo apt-get install hydra

You can also build Hydra from source. To do so, first download Hydra here:

Hydra on Github

Then, go into Hydra’s directory and run these commands.

./configure
make
make install

Preparing wordlists

Before you start spraying for passwords, you have to collect a list of usernames and a list of passwords to use.

For usernames, consider using a generic username list like one of these.

SecLists usernames

This list contains many of the most common usernames and default account names. If you are targeting a specific organization, you might want to perform some recon to collect usernames to make your attack more effective. You can also collect usernames by using techniques like Google dorking.

And you can find a list of the most commonly used passwords here.

SecLists passwords

Running Hydra to spray passwords

Armed with our usernames and passwords, let’s start spraying for passwords! Here’s the basic syntax for a Hydra command:

hydra -L <USERNAME_LIST> -P <PASSWORD_LIST> <TARGET_IP> <PROTOCOL>

For example:

hydra -L users.txt -P passwords.txt 192.168.0.1 ssh

Since this is a password spraying attack and not a normal brute-force attack, we need to use the -u flag. This flag tells Hydra to loop over users before passwords: it tries the first password against every user, then the second password against every user, and so on, instead of trying every password on a single user before moving on to the next user. So, you can launch a password spraying attack by running:

hydra -L users.txt -P passwords.txt 192.168.0.1 ssh -u

I also recommend using the -V flag to turn on verbose output, so that you can see the password spray in action!

hydra -L users.txt -P passwords.txt 192.168.0.1 ssh -u -V
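The two login sequences above, and the per-user ordering that Hydra’s -u flag produces, are what a defender has to tell apart in authentication logs. As an added example that is not part of the original post, this Python script parses constructed sshd-style “Failed password” lines and labels each source IP: a source whose single account reached the lockout threshold is an ordinary brute force that the lockout policy already handles, while a source that spread its failures across many accounts and kept each one under the threshold is the spray pattern that a per-account lockout cannot see. The thresholds, hostname, usernames and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines (not real data): one source hammers a
# single account (classic brute force), another tries two passwords across
# four accounts (password spray), a third is a single typo. All values made up.
SAMPLE_LOG = """\
Jan 10 12:00:01 bastion sshd[2201]: Failed password for john from 192.168.0.50 port 5001 ssh2
Jan 10 12:00:02 bastion sshd[2202]: Failed password for john from 192.168.0.50 port 5002 ssh2
Jan 10 12:00:03 bastion sshd[2203]: Failed password for john from 192.168.0.50 port 5003 ssh2
Jan 10 12:00:04 bastion sshd[2204]: Failed password for john from 192.168.0.50 port 5004 ssh2
Jan 10 12:10:00 bastion sshd[2301]: Failed password for john from 192.168.0.60 port 6001 ssh2
Jan 10 12:10:01 bastion sshd[2302]: Failed password for chris from 192.168.0.60 port 6002 ssh2
Jan 10 12:10:02 bastion sshd[2303]: Failed password for invalid user dave from 192.168.0.60 port 6003 ssh2
Jan 10 12:10:03 bastion sshd[2304]: Failed password for richard from 192.168.0.60 port 6004 ssh2
Jan 10 12:10:04 bastion sshd[2305]: Failed password for john from 192.168.0.60 port 6005 ssh2
Jan 10 12:10:05 bastion sshd[2306]: Failed password for chris from 192.168.0.60 port 6006 ssh2
Jan 10 12:10:06 bastion sshd[2307]: Failed password for invalid user dave from 192.168.0.60 port 6007 ssh2
Jan 10 12:10:07 bastion sshd[2308]: Failed password for richard from 192.168.0.60 port 6008 ssh2
Jan 10 12:30:00 bastion sshd[2401]: Failed password for alice from 192.168.0.70 port 7001 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def classify_sources(log_text, lockout_threshold=4, spray_user_threshold=4):
    """Return {source_ip: 'brute-force' | 'spray' | 'benign'}. A spray keeps every
    account below lockout_threshold but touches >= spray_user_threshold accounts."""
    per_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    labels = {}
    for ip, users in per_ip.items():
        worst_account = max(users.values())  # what a per-account lockout counter sees
        if worst_account >= lockout_threshold:
            labels[ip] = "brute-force"
        elif len(users) >= spray_user_threshold:  # many accounts, each under lockout
            labels[ip] = "spray"
        else:
            labels[ip] = "benign"
    return labels

if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

In production the counters should be kept per time window (the spray in the sample fits in seconds, but real sprays are often stretched over hours), and distinct-source-per-account counts should be tracked as well, since sprays are frequently spread across many source IPs.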

Conclusion

Password spraying is an attack that malicious hackers use to bypass policies that thwart brute-force attacks, such as account lockout. These attacks are simple to execute, and often yield results.

Vickie Li