---
title: Password spraying prevention
description: Use password spraying prevention to mitigate against attacks which exploit weak or compromised passwords.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_password_spray_prevent
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_password_spray_prevent.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  related-links: Related links
---

# Password spraying prevention

Use password spraying prevention to mitigate attacks that exploit weak or compromised passwords.

Password spraying prevention adds a layer of defense against the attack pattern where bad actors try to gain access to protected resources by using the same password, typically weak or compromised, against multiple accounts from multiple locations. When enabled, PingFederate tracks the number of failed login attempts per password. When the number of failures for a particular password reaches a threshold, that password is temporarily locked out. Password spraying prevention applies to the HTML Form Adapter, the Username Token Processor, and the OAuth 2.0 resource owner password credentials grant type.
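The per-password tracking described above, as an added Python sketch. It is not PingFederate's code: the class name, threshold, window and lockout values, and the choice to key the table on an HMAC of the password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


class PasswordSprayGuard:
    """Counts failed logins per password, not per account (illustrative sketch)."""

    def __init__(self, threshold=5, window=300.0, lockout=600.0, clock=time.monotonic):
        self._key = os.urandom(32)   # per-process HMAC key
        self.threshold = threshold   # assumed values, not PingFederate defaults
        self.window = window         # seconds in which failures are counted
        self.lockout = lockout       # seconds a password stays locked
        self._clock = clock
        self._failures = {}          # password digest -> failure timestamps
        self._locked_until = {}      # password digest -> lockout expiry

    def _digest(self, password):
        # Track a keyed hash so the table never holds plaintext passwords.
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def is_locked(self, password):
        digest = self._digest(password)
        until = self._locked_until.get(digest)
        if until is not None and self._clock() >= until:
            del self._locked_until[digest]   # lockout is temporary
            until = None
        return until is not None

    def record_failure(self, password):
        digest, now = self._digest(password), self._clock()
        recent = [t for t in self._failures.get(digest, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.threshold:
            self._locked_until[digest] = now + self.lockout
            recent = []
        self._failures[digest] = recent

    def authenticate(self, username, password, verify):
        """verify(username, password) -> bool is the real credential check."""
        if self.is_locked(password):
            return "locked"      # rejected whichever account it is tried against
        if verify(username, password):
            return "ok"
        self.record_failure(password)
        return "failed"
```

Because the counter is keyed on the password, one failure against each of many accounts adds up, which a per-account lockout counter would not register. Both tables here are in-process and never evicted; a clustered deployment needs them in shared state.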

While password spraying prevention can help mitigate the risk of unauthorized access, we recommend that you also enforce a good password policy and use a multifactor authentication solution, such as PingID, to protect your organization from password spraying attacks.

In a PingFederate clustered environment, depending on the chosen runtime state-management architecture, state information is shared across a replica set, multiple replica sets, or all nodes in the cluster.

Settings for password spraying prevention are stored in the `com.pingidentity.common.security.AccountLockingService.xml` configuration file, located in the `<pf_install>/pingfederate/server/default/data/config-store` directory.

## Related links

* [Account Locking Service](../server_clustering_guide/pf_acc_lock_service.html)

* [Adaptive clustering](../server_clustering_guide/pf_adaptiv_cluster.html)

* [Directed clustering](../server_clustering_guide/pf_directed_cluster.html)
