
What attack method tries a few common passwords against many different usernames to sneak past security without locking accounts?

The attack method described is password spraying. In password spraying, an attacker tries a single common password, or a small set of very common passwords, against a large number of different usernames. The primary goal is to bypass account lockout mechanisms.

An account lockout mechanism is a security feature that temporarily or permanently disables an account after a certain number of failed login attempts, which defeats traditional brute-force attacks. A traditional brute-force attack tries many different passwords against a single username, so that one account is locked quickly. Password spraying inverts this: the attempts for one password are distributed across many accounts. For example, an attacker might try 'Winter2023!' as the password for one username, then 'Winter2023!' for a second username, and continue this for a thousand different usernames. If that password fails for every account, they might then try a second common password, such as 'Password123$', against the same list of usernames.

This approach keeps the number of failed login attempts for any single account below its lockout threshold, the predetermined limit of incorrect password attempts. By using commonly known or easily guessable passwords, attackers increase the likelihood of finding a valid login for at least one account. Attackers typically obtain the list of target usernames through various means, such as public information, directory enumeration, or previous data breaches.
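As an added illustration that is not part of the original answer, the Python below shows how a defender can separate the two patterns in authentication logs: it groups failures by source address, then flags a source whose failures are spread across many accounts while every account stays below the lockout threshold (spraying) as opposed to one account that reaches the threshold (brute force). The log format, addresses, user names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of authentication events; the line format is assumed.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z auth_failure user=alice src=203.0.113.7
2024-01-15T10:00:02Z auth_failure user=bob src=203.0.113.7
2024-01-15T10:00:03Z auth_failure user=carol src=203.0.113.7
2024-01-15T10:00:04Z auth_failure user=dave src=203.0.113.7
2024-01-15T10:00:05Z auth_failure user=erin src=203.0.113.7
2024-01-15T10:01:00Z auth_failure user=alice src=198.51.100.9
2024-01-15T10:01:01Z auth_failure user=alice src=198.51.100.9
2024-01-15T10:01:02Z auth_failure user=alice src=198.51.100.9
2024-01-15T10:01:03Z auth_failure user=alice src=198.51.100.9
2024-01-15T10:01:04Z auth_failure user=alice src=198.51.100.9
2024-01-15T10:02:00Z auth_failure user=bob src=192.0.2.44
2024-01-15T10:02:30Z auth_success user=bob src=192.0.2.44
"""

LINE_RE = re.compile(r"^\S+ (?P<event>auth_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(log_text):
    """Return {src: {user: failure_count}} built from auth_failure events only."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") == "auth_failure":
            failures[m.group("src")][m.group("user")] += 1
    return failures


def classify_sources(failures, lockout_threshold=5, min_users=5):
    """'brute_force' if any one account from this source hit the lockout
    threshold; 'password_spray' if failures touch at least min_users accounts
    while each stays below the threshold; otherwise 'normal'."""
    verdicts = {}
    for src, per_user in failures.items():
        peak = max(per_user.values())
        if peak >= lockout_threshold:
            verdicts[src] = "brute_force"
        elif len(per_user) >= min_users:
            verdicts[src] = "password_spray"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

The key signal is the shape of the failures per source, not their total: the sprayer never trips the per-account threshold, so a per-account lockout alone will not catch it.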