Microsoft talks password sprays, attack vectors, and how you can stay protected online

Microsoft Logo at Ignite (Image credit: Windows Central)

What you need to know

  • Microsoft DART (Detection and Response Team) has a PSA for PC users on what password sprays are.
  • Password sprays attempt to match lots of usernames with common passwords in the hope of infiltrating as many accounts as possible.
  • Microsoft recommends multifactor authentication (MFA) as well as other methods to combat being the victim of a threat actor's password spray.

Cybercrime is everywhere online, and having even a single account protected by a username and password makes you a potential victim. No password is invulnerable, after all. That's why Microsoft has taken the time to write a blog post on the topic of password sprays, how they affect you, and what you can do to avoid becoming a victim.

The long and short of a password spray is this: a threat actor gathers a list of usernames and a short list of common passwords, then tries each password against many accounts in the hope of stumbling upon a correct combination. Microsoft outlines two different kinds of password sprays in its security blog post:

  • Low and slow: Patience is key for a determined threat actor. The most sophisticated password sprays will use several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.
  • Availability and reuse: With a new breach being announced publicly every month, the number of compromised credentials posted on the dark web is rising rapidly. Attackers can use this tactic, also called "credential stuffing," to gain entry easily because it relies on people reusing usernames and passwords across sites.
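To make the "low and slow" pattern concrete from the defender's side, here is an added example (not code from Microsoft's post or from Windows Central) that scans a constructed sign-in log and separates a spray signature (many distinct accounts, each failing only a few times, from a handful of source IPs) from a classic brute-force signature (one account hammered repeatedly). The log format, usernames, IP addresses and thresholds are all assumptions made for the illustration.

```python
"""Detect password-spray vs. brute-force patterns in sign-in failures.

Added example; the log layout below (timestamp, user, source IP, result)
and every value in it are constructed for this illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log: two IPs try one password each across nine accounts
# (spray), one of those IPs then logs in as "judy", and a third IP hammers
# a single account ("admin") with repeated guesses (brute force).
SAMPLE_LOG = """\
2024-01-10T08:00:01Z alice 203.0.113.10 FAIL
2024-01-10T08:00:09Z bob 203.0.113.10 FAIL
2024-01-10T08:00:17Z carol 198.51.100.7 FAIL
2024-01-10T08:00:25Z dave 203.0.113.10 FAIL
2024-01-10T08:00:33Z erin 198.51.100.7 FAIL
2024-01-10T08:00:41Z frank 203.0.113.10 FAIL
2024-01-10T08:00:49Z grace 198.51.100.7 FAIL
2024-01-10T08:00:57Z heidi 203.0.113.10 FAIL
2024-01-10T08:01:05Z ivan 198.51.100.7 FAIL
2024-01-10T08:01:13Z judy 203.0.113.10 SUCCESS
2024-01-10T08:02:00Z oscar 192.0.2.9 SUCCESS
2024-01-10T08:05:00Z admin 192.0.2.44 FAIL
2024-01-10T08:05:01Z admin 192.0.2.44 FAIL
2024-01-10T08:05:02Z admin 192.0.2.44 FAIL
2024-01-10T08:05:03Z admin 192.0.2.44 FAIL
2024-01-10T08:05:04Z admin 192.0.2.44 FAIL
"""


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    ip: str
    success: bool


@dataclass
class Finding:
    window_start: datetime
    kind: str                 # "password_spray" or "brute_force"
    users: list               # accounts involved
    ips: list                 # source IPs involved
    suspicious_successes: list = field(default_factory=list)  # "user@ip"


def parse_log(text: str) -> list:
    """Parse the assumed four-field log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user, ip, result == "SUCCESS"))
    return events


_EPOCH = datetime(1970, 1, 1)


def analyze(events, window=timedelta(minutes=10), min_users=8,
            max_per_user=3, brute_threshold=5) -> list:
    """Bucket events into fixed windows and flag the two failure patterns.

    Spray: at least `min_users` distinct accounts each failed no more than
    `max_per_user` times. Any success in the same window from an IP that
    took part in the spray is reported as a possible compromised account.
    Brute force: any single account failed `brute_threshold` times or more.
    """
    buckets = defaultdict(list)
    for e in events:
        idx = (e.ts - _EPOCH) // window          # integer window index
        buckets[_EPOCH + idx * window].append(e)

    findings = []
    for start in sorted(buckets):
        evs = buckets[start]
        failures = [e for e in evs if not e.success]
        per_user = Counter(e.user for e in failures)

        sprayed = sorted(u for u, n in per_user.items() if n <= max_per_user)
        if len(sprayed) >= min_users:
            spray_ips = sorted({e.ip for e in failures if e.user in sprayed})
            hits = sorted(f"{e.user}@{e.ip}" for e in evs
                          if e.success and e.ip in spray_ips)
            findings.append(Finding(start, "password_spray", sprayed, spray_ips, hits))

        hammered = sorted(u for u, n in per_user.items() if n >= brute_threshold)
        if hammered:
            ips = sorted({e.ip for e in failures if e.user in hammered})
            findings.append(Finding(start, "brute_force", hammered, ips))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f.window_start.isoformat(), f.kind, f.users, f.ips, f.suspicious_successes)
```

The useful part of the output is the `suspicious_successes` field: a spray's goal is the one account that accepts a common password, so a successful sign-in from an IP that just failed against many other accounts is the event worth investigating first. The thresholds are deliberately parameters, because a "low and slow" attacker will tune their pace to stay under whatever fixed numbers a detection uses.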

Microsoft DART has seen a rise in password spray attacks within certain groups and has guidance on how people can effectively combat them without needing to know what "correct battery horse staple" is (spoiler: it's a passphrase approach built around memorable but unusual word combinations). Two big items on Microsoft's guidance list are MFA (multifactor authentication) and dropping traditional passwords altogether. You can check out the company's blog post for further advice and details.

Robert Carnevale

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to