Password spraying is an online password attack where an adversary tries a small set of common passwords against many different accounts, aiming to avoid the lockouts that come from hammering one account, a pattern flagged in AP Cybersecurity topic 1.2.
Password spraying flips the usual brute-force playbook. Instead of throwing thousands of guesses at one username, the attacker takes one or two common passwords (think "Password123!" or "Summer2024") and tries them against a huge list of accounts. The logic is simple: in any big enough group of users, somebody picked a weak, predictable password.
This matters because of the weak-authentication patterns the CED calls out in EK 1.2.B.1. People love starting a password with a word, tacking on a two-digit year, and ending with a special character. Spraying exploits exactly that habit. And because the attacker only tries a couple of passwords per account, they sidestep the lockout rules that would trip an alarm if they pounded a single login over and over.
Password spraying lives in Unit 1: Introduction to Security, specifically topic 1.2 Suspicious Website Logins. It supports three learning objectives at once. AP Cybersecurity 1.2.A asks you to identify signs of a password attack, and spraying produces telltale signs like login attempts from unknown devices or at odd hours. AP Cybersecurity 1.2.B asks you to explain how adversaries exploit weak authentication, and spraying is the textbook example of cashing in on predictable password patterns. AP Cybersecurity 1.2.C is the defense side, where long, random, unique passwords plus MFA shut spraying down.
Brute force attack (Unit 1)
Both are online guessing attacks, but they aim in opposite directions. Brute force hits one account with many passwords; spraying hits many accounts with a few passwords. Spraying is basically brute force turned sideways to dodge lockouts.
Dictionary attack (Unit 1)
EK 1.2.B.2 describes building a dictionary of likely passwords from personal info. Password spraying often pulls from that same kind of list, just spreading the guesses thin across lots of targets instead of focusing on one.
Multifactor authentication (Unit 1)
MFA (EK 1.2.C.3) is the cleanest counter to spraying. Even if an attacker guesses the right password, they still need a second factor like a one-time code, so a correct guess alone gets them nowhere.
Authentication log (Unit 1)
Spraying leaves a fingerprint in the logs: many accounts each showing one or two failed logins, often from the same unknown source. Reading authentication logs is how you spot the pattern that any single account would never reveal.
Expect password spraying to show up in multiple-choice stems that describe a login scenario and ask you to name the attack or spot its signs. A classic stem describes many accounts each getting a couple of failed login attempts from an unfamiliar device, and you'd recognize spraying rather than a brute-force attack on one account. No released FRQ uses the term verbatim, but the concept maps directly to 1.2.A (identify signs), 1.2.B (explain the weak-auth exploit), and 1.2.C (recommend stronger authentication), so a free-response prompt could hand you a log and ask you to explain what's happening and how to defend against it. Your move is usually two-part: name the weakness being exploited, then prescribe long unique passwords and MFA.
A brute force attack targets ONE account and tries tons of passwords against it, which usually triggers lockouts fast. Password spraying targets MANY accounts and tries only a few common passwords each, specifically to stay under the lockout threshold and avoid setting off alarms. Same goal (get in), opposite shape (deep vs. wide).
Password spraying tries a few common passwords against many accounts, the reverse of a brute force attack that tries many passwords against one account.
It works because lots of people use predictable patterns, like a word plus a two-digit year and a special character, as described in EK 1.2.B.1.
The point of spreading guesses across accounts is to avoid lockouts and stay quiet, since no single account sees enough failed attempts to trip an alarm.
Signs include login attempts from unknown devices, at unusual times, and many accounts each showing a small number of failed logins.
The best defenses are long, random, unique passwords and multifactor authentication, which makes a guessed password useless on its own.
It's an online password attack where an adversary tries a small set of common passwords across many different accounts. It falls under topic 1.2 Suspicious Website Logins in Unit 1 and exploits the weak-authentication patterns described in EK 1.2.B.
No. A brute force attack throws many passwords at one account; password spraying throws a few common passwords at many accounts. Spraying is designed to avoid the lockouts that brute force usually triggers.
Because it only tries one or two passwords per account, it never crosses the failed-attempt limit that locks a single account. The attack stays low and wide instead of deep, which keeps it stealthy in the logs.
Use long, random, unique passwords (EK 1.2.C.1) so common guesses fail, and enable multifactor authentication (EK 1.2.C.3) so a correct password alone isn't enough to get in. Avoid names, dates, and predictable patterns.
Per EK 1.2.A.2, watch for login attempts from unknown devices, logins at unusual times, and a spread of failed attempts across many accounts rather than concentrated on one. Authentication logs are where this pattern becomes visible.
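The authentication-log fingerprint described under "Authentication log (Unit 1)" and in the answer above is easiest to see side by side with the per-account lockout counter that spraying stays under. The script below is an added example written for this study guide, not material from the course or the CED. The log format, the usernames, the IP addresses, the lockout threshold of five failures, and the one-hour detection window are all assumptions made for the example; the log lines are constructed and do not come from any real system.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Assumed line format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
# First block: one source, one failure each against seven accounts (spray shape).
# Second block: one source, six failures against one account (brute-force shape).
SAMPLE_LOG = """\
2024-03-04T02:10:01 FAIL user=alice src=203.0.113.7
2024-03-04T02:10:03 FAIL user=bob src=203.0.113.7
2024-03-04T02:10:05 FAIL user=carol src=203.0.113.7
2024-03-04T02:10:07 FAIL user=dave src=203.0.113.7
2024-03-04T02:10:09 FAIL user=erin src=203.0.113.7
2024-03-04T02:10:11 OK user=frank src=203.0.113.7
2024-03-04T02:10:13 FAIL user=grace src=203.0.113.7
2024-03-04T02:10:15 FAIL user=heidi src=203.0.113.7
2024-03-04T08:30:00 FAIL user=alice src=198.51.100.9
2024-03-04T08:30:01 FAIL user=alice src=198.51.100.9
2024-03-04T08:30:02 FAIL user=alice src=198.51.100.9
2024-03-04T08:30:03 FAIL user=alice src=198.51.100.9
2024-03-04T08:30:04 FAIL user=alice src=198.51.100.9
2024-03-04T08:30:05 FAIL user=alice src=198.51.100.9
2024-03-04T09:00:00 FAIL user=bob src=192.0.2.44
2024-03-04T09:00:30 OK user=bob src=192.0.2.44
"""

LOCKOUT_THRESHOLD = 5        # assumed policy: lock an account after 5 consecutive failures
SPRAY_MIN_ACCOUNTS = 5       # assumed rule: one source failing against >= 5 distinct accounts ...
SPRAY_MAX_PER_ACCOUNT = 2    # ... with no more than 2 failures per account ...
SPRAY_WINDOW = timedelta(hours=1)  # ... inside a one-hour window


@dataclass
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text):
    """Parse the assumed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append(Event(datetime.fromisoformat(ts), result == "OK",
                            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Per-account view: consecutive failures per user, reset on success.
    This is the counter a brute-force run trips and a spray deliberately stays under."""
    streak = defaultdict(int)
    locked = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.ok:
            streak[e.user] = 0
        else:
            streak[e.user] += 1
            if streak[e.user] >= threshold:
                locked.add(e.user)
    return locked


def detect_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS,
                 max_per_account=SPRAY_MAX_PER_ACCOUNT, window=SPRAY_WINDOW):
    """Per-source view: for each source, slide a window over its failures and
    flag it when many distinct accounts fail a few times each (low and wide).
    Returns {src: sorted list of targeted accounts}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.ok:
            by_src[e.src].append(e)
    findings = {}
    for src, fails in by_src.items():
        j = 0
        for i in range(len(fails)):
            while j < len(fails) and fails[j].ts - fails[i].ts <= window:
                j += 1
            per_user = Counter(e.user for e in fails[i:j])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[src] = sorted(per_user)
                break
    return findings


def successes_from_spray_sources(events, findings):
    """Successful logins from a flagged source: the guess that worked, which is
    the account to reset and the reason MFA matters. Returns {src: [users]}."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.ok and e.src in findings:
            hits[e.src].append(e.user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked by per-account policy:", locked_accounts(evs))   # only the brute-forced account
    spray = detect_spray(evs)
    print("spraying sources:", spray)                               # the low-and-wide source
    print("successful logins from those sources:", successes_from_spray_sources(evs, spray))
```

The contrast is the point of the exercise: the per-account counter only ever locks the brute-forced account (alice), because the spraying source never sends more than one failure to any single user, while the per-source view catches that same source precisely because it touches many accounts. The one successful login from the flagged source is the finding a defender acts on first.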