Microsoft talks password sprays, attack vectors, and how you can stay protected online

Microsoft Logo at Ignite (Image credit: Windows Central)

What you need to know

  • Microsoft DART (Detection and Response Team) has a PSA for PC users on what password sprays are.
  • Password sprays attempt to match lots of usernames with common passwords in the hope of infiltrating as many accounts as possible.
  • Microsoft recommends multifactor authentication (MFA) as well as other methods to combat being the victim of a threat actor's password spray.

Cybercrime is everywhere online, and having even a single account with a username and password means you're a hypothetical victim in the making. No password is invulnerable, after all. That's why Microsoft has taken the time to whip up a blog post on the topic of password sprays, how they affect you, and what you can do to prevent yourself from getting got.

The long and short of a password spray is this: It's when a threat actor gathers a list of usernames and common passwords and tries them against each other in hopes of stumbling upon correct combos. Microsoft outlines two different kinds of password sprays in its security blog post:

  • Low and slow: Patience is key for a determined threat actor. The most sophisticated password sprays will use several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.
  • Availability and reuse: With a new breach being announced publicly every month, the amount of compromised credentials posted on the dark web is rising rapidly. Attackers can utilize this tactic, also called "credential stuffing," to easily gain entry because it relies on people reusing passwords and usernames across sites.
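
An added example (not from Microsoft's post or this article): a defender's check over sign-in logs that shows why the low-and-slow pattern slips past a per-IP failure threshold yet stands out once failures are grouped by time window across all sources. The log tuple format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def sample_events():
    """Constructed sign-in log: (timestamp, source IP, username, success)."""
    t0 = datetime(2024, 1, 8, 9, 0)
    events = []
    # Low-and-slow spray: 8 accounts, one guess each, every guess from a different IP.
    for i in range(8):
        events.append((t0 + timedelta(minutes=6 * i), f"203.0.113.{10 + i}", f"user{i}", False))
    # Ordinary noise: one user mistypes a password 4 times, then signs in.
    for i in range(4):
        events.append((t0 + timedelta(minutes=i), "198.51.100.7", "dave", False))
    events.append((t0 + timedelta(minutes=5), "198.51.100.7", "dave", True))
    return events

def per_ip_alerts(events, threshold=3):
    """Naive rule: flag any source IP with at least `threshold` failed sign-ins."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n >= threshold}

def spray_windows(events, window=timedelta(hours=1), min_accounts=6, max_per_account=2):
    """Flag windows where many distinct accounts each fail only a few times.

    Source IP is ignored on purpose: a spray spread over many addresses
    is only visible when failures are aggregated across all of them.
    """
    buckets = defaultdict(Counter)  # window start -> failures per username
    for ts, _ip, user, ok in events:
        if not ok:
            start = EPOCH + (ts - EPOCH) // window * window
            buckets[start][user] += 1
    alerts = []
    for start, per_user in sorted(buckets.items()):
        # Accounts with only a few failures; repeated retries on one account are excluded.
        targeted = sorted(u for u, n in per_user.items() if n <= max_per_account)
        if len(targeted) >= min_accounts:
            alerts.append((start, targeted))
    return alerts

if __name__ == "__main__":
    log = sample_events()
    print("per-IP rule flags:", per_ip_alerts(log))  # only the mistyping user's address
    for start, users in spray_windows(log):
        print("possible spray in window", start, "->", users)
```

On this sample the per-IP rule flags only the user who mistyped a password, while the windowed rule reports the eight sprayed accounts.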

Microsoft DART has seen a rise in password spray attacks within certain groups and has guidance on how people can effectively combat them without needing to know what "correct battery horse staple" is (spoiler: It's a password selection methodology centered around utilizing strange phrases). Two big items on Microsoft's guidance list are MFA (multifactor authentication) as well as dropping traditional passwords altogether. You can check out the company's blog post for further advice and details.

Robert Carnevale

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.
