Last updated: April 29, 2026
Why this module exists. Brute force = trying many passwords against one account → triggers lockout. Spraying = trying one password against many accounts → stays under lockout thresholds. The result of spraying every Indian enterprise’s user list with “Password@2026” is, statistically, 2-5% success — sometimes including admins.
The math
Default AD account lockout: 5 wrong passwords in 30 minutes → 30-minute lockout. Spraying never trips this because each account gets one attempt.
Empirical hit rate against typical Indian enterprises (50K+ users, mixed knowledge-worker / factory-worker / contractor base):
| Password tried | Hit rate |
|---|---|
| Password@2026 | 2-5% |
| Welcome@123 | 1-3% |
| {CompanyName}@2026 | 3-8% |
| {Season}{Year}! (Summer2026!) | 2-4% |
| changeme / letmein | 0.5-1% |
2% of 50K = 1,000 accounts. Among them: at least one admin, at least one DBA, at least a few high-privilege application accounts.
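Because per-account lockout never sees a spray, detection has to pivot on the source instead of the account. The sketch below is an added example, not part of the original module: it flags any source that fails against many distinct accounts inside the 30-minute window while every account stays under the 5-attempt lockout threshold. The event tuples, the `MIN_ACCOUNTS` alert threshold, and the documentation-range IP addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # lockout observation window from the text
LOCKOUT_THRESHOLD = 5           # per-account failures that trigger lockout
MIN_ACCOUNTS = 10               # assumed alert threshold, tune per environment

def build_sample():
    """Constructed failed-logon events: (timestamp, source IP, account)."""
    t0 = datetime(2026, 4, 29, 9, 0, 0)
    events = []
    # Spray shape: one failure each against 12 accounts from one source.
    for i in range(12):
        events.append((t0 + timedelta(seconds=90 * i), "203.0.113.7", f"user{i:02d}"))
    # Brute-force shape: 6 failures on one account (lockout already covers it).
    for i in range(6):
        events.append((t0 + timedelta(seconds=20 * i), "198.51.100.9", "svc_backup"))
    # Background noise: one user mistyping twice.
    events.append((t0 + timedelta(minutes=3), "192.0.2.15", "alice"))
    events.append((t0 + timedelta(minutes=4), "192.0.2.15", "alice"))
    return events

def detect_spray(events, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                 lockout=LOCKOUT_THRESHOLD):
    """Return one alert per source whose failures look like a spray."""
    by_source = defaultdict(list)
    for ts, src, acct in sorted(events):
        by_source[src].append((ts, acct))
    alerts = []
    for src, fails in by_source.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_acct = Counter(acct for _, acct in fails[start:end + 1])
            # Many accounts, each below lockout: invisible to per-account rules.
            if len(per_acct) >= min_accounts and max(per_acct.values()) < lockout:
                alerts.append({"source": src,
                               "accounts": len(per_acct),
                               "max_per_account": max(per_acct.values()),
                               "window_start": fails[start][0]})
                break  # first crossing of the threshold is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(build_sample()):
        print(alert)
```

A spray spread across many source addresses will not cross a per-source threshold, so the same counting should also be run with the source key dropped, comparing total distinct failing accounts per window against a baseline.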