ITstuffed

Password Spraying: The Quiet Attack That Targets Your Whole Team at Once

It's 9am on a Tuesday and someone on your team is logging into your practice management system, same as always. What they don't know is that overnight, an automated script tried their username - along with every other staff member's - using a short list of common passwords. No alarms went off. No accounts were locked. And in one or two cases, it worked.

That's password spraying. It's not the dramatic Hollywood version of hacking. It's quieter, more patient, and designed specifically to avoid detection. Instead of hammering one account with thousands of password guesses - which most systems will flag and lock - attackers try one or two common passwords across hundreds of accounts. The volume stays low enough to look normal. The damage doesn't.

The attack works because password habits are predictable. A meaningful number of people at any business are using something like Summer2024 or Welcome1 or a variation of the business name. Attackers know this. They use publicly available lists of the most common passwords, run them against a list of usernames they've pulled from LinkedIn or a previous data breach, and wait. They only need one account to get in. Once they're in, they can move quietly through your systems, access client files, read emails, and set up access they can use later.

When this is handled properly, the picture looks different. Your staff are logging in through multi-factor authentication - meaning even if an attacker guesses a password correctly, they can't get in without a second verification step from the user's phone. Your login activity is monitored so that unusual patterns - like the same IP address attempting accounts across your organisation in the space of an hour - get flagged before they become a problem. And your team have done enough security awareness training to know that Password1! isn't an acceptable choice, no matter how annoying strong passwords feel. The basics of good cyber hygiene in 2025 cover exactly these kinds of controls.
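The monitoring rule described above (one source address working its way across many accounts in a short window), as an added example that is not part of the original post: a small Python script reads constructed sign-in log lines, flags any source IP that tried five or more distinct usernames within an hour, and lists which of those attempts succeeded. The log line format, the five-account threshold and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp, result, username, source IP).
# One address quietly tries six accounts in a minute; two others are ordinary
# staff logins with a single failed attempt before success.
SAMPLE_LOG = """\
2025-03-04T02:10:03Z FAIL alice 203.0.113.7
2025-03-04T02:10:09Z FAIL bob 203.0.113.7
2025-03-04T02:10:15Z FAIL carol 203.0.113.7
2025-03-04T02:10:22Z FAIL dave 203.0.113.7
2025-03-04T02:10:30Z SUCCESS erin 203.0.113.7
2025-03-04T02:11:01Z FAIL frank 203.0.113.7
2025-03-04T08:59:40Z FAIL alice 198.51.100.20
2025-03-04T09:00:05Z SUCCESS alice 198.51.100.20
2025-03-04T09:02:11Z FAIL bob 198.51.100.21
2025-03-04T09:02:40Z SUCCESS bob 198.51.100.21
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def detect_spray(log_text, window=timedelta(hours=1), min_accounts=5):
    """Return {ip: {"accounts": peak, "successes": [...]}} for each source IP
    that touched at least `min_accounts` distinct usernames inside any window.
    Per-account lockout never fires here (each account sees one attempt), so
    the rule is keyed on the source address rather than on the account."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, result, user, ip = parse_line(line)
        events[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()  # sliding window needs time order
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u, _ in evs[start:end + 1]}))
        if peak >= min_accounts:
            hits = sorted({u for _, u, r in evs if r == "SUCCESS"})
            alerts[ip] = {"accounts": peak, "successes": hits}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(f"{ip}: {info['accounts']} accounts in one window, "
              f"successful logins: {info['successes']}")
```

The successful-login list is the part worth acting on first: those are the accounts whose password was guessed and, without a second factor, the ones an attacker can now use.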

None of this needs to be complicated to manage day-to-day. A good managed IT support arrangement will have these controls in place already and monitor them on your behalf. Your staff just log in. The security runs in the background.

If you're not sure whether your business has multi-factor authentication enabled, or whether anyone is actually monitoring your login activity, those are worth finding out. Password spraying attacks are specifically designed to go unnoticed - and in many cases they do, sometimes for months. CERT NZ (cert.govt.nz) handles incident reporting for NZ businesses when things go wrong, but the goal is to avoid needing them. The controls that prevent password spraying are the same ones that improve your overall security posture - so getting them sorted now makes sense regardless of whether you've seen any sign of a problem. If you want to understand what else might be exposed, finding your weak spots before hackers do is a practical next step.

ITstuffed works with professional services businesses across Canterbury on exactly this kind of thing. If you'd like a quick look at where you stand, a 15-minute IT Fit Check is a good place to start.