Credential Stuffing vs Password Spraying - What's the Difference Anyway?

Stuff the turkey, spray the firehose. Image: Original creation. Meme: https://knowyourmeme.com/memes/anthony-adams-rubbing-hands

Passwords are a common target for cyber attackers because they are often the primary method of authentication and protection for most online accounts and systems. Gaining access to a user's password can provide an attacker with unauthorized access to sensitive data and systems, potentially leading to data breaches, identity theft, financial loss, or other harmful consequences.

Two commonly used techniques for attacking passwords are 'Credential Stuffing' and 'Password Spraying'. Cool - so what?

My grievance is that for too long, I have heard these terms being used interchangeably.

Both techniques are forms of brute-force attack, but they differ in the strategy they employ. Here are their key differences:

Credential Stuffing:

  • This is a method in which attackers use leaked username and password pairs obtained from a data breach on one website to gain access to accounts on another site.
  • The assumption behind this attack is that users often reuse their usernames and passwords across multiple sites.
  • Credential stuffing attacks are often automated and can be carried out at a large scale.
  • These attacks can be difficult to detect because each attempt uses a valid (though unauthorized) username/password combination rather than a guess.

Password Spraying:

  • In a password spraying attack, the attacker tries a few commonly used passwords (like 'Password123', 'admin', etc.) on a large number of accounts before moving on to another password. This is done to avoid account lockouts that can occur if too many incorrect attempts are made on a single account.
  • The assumption behind this attack is that in any large set of users, there will be some who use weak and commonly used passwords.
  • Password spraying attacks typically take longer than credential stuffing attacks due to the need to avoid triggering account lockouts.
  • These attacks can also be harder to detect, as the number of attempts per account stays low, often not exceeding the account lockout threshold.

Both of these attack types can be mitigated by using multi-factor authentication, regularly monitoring accounts for suspicious activities, enforcing password complexity requirements, and educating users about the risks of password reuse and the importance of using strong, unique passwords for each of their accounts.
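As an added example (not code from the original post), here is a small Python detector that turns the "attempts per account" distinction above into a check over authentication events. It groups by source address rather than by account, because both patterns are designed to stay under the per-account lockout counter; the sample events, the lockout threshold of 5 and the 10-account cut-off are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of authentication events: (source_ip, username, result).
# result: "ok" = valid credentials, "bad" = wrong password, "nouser" = no such account.
EVENTS = []
for pw_round in range(3):                       # 198.51.100.7 sprays 3 passwords over 40 accounts
    for i in range(1, 41):
        hit = pw_round == 2 and i == 17         # one account really uses the third password
        EVENTS.append(("198.51.100.7", f"user{i}", "ok" if hit else "bad"))
for i in range(1, 31):                          # 203.0.113.9 replays leaked pairs, each tried once
    EVENTS.append(("203.0.113.9", f"breach{i}@example.net", "nouser"))  # identities from another site
for i in range(41, 61):
    EVENTS.append(("203.0.113.9", f"user{i}", "bad"))
EVENTS += [("203.0.113.9", "user3", "ok"), ("203.0.113.9", "user8", "ok")]  # reused passwords
EVENTS += [("192.0.2.5", "alice", "bad")] * 3 + [("192.0.2.5", "alice", "ok")]  # typos, then success


def profile_sources(events, lockout=5, min_accounts=10):
    """Label each source IP from its per-account attempt counts (assumed thresholds).

    Password spraying: many accounts, each tried more than once (one attempt per
    password round) but fewer times than the lockout threshold.
    Credential stuffing: many accounts, each tried about once, with unknown
    usernames and/or successes showing the pairs came from somewhere else.
    """
    stats = defaultdict(lambda: {"users": defaultdict(int), "ok": 0, "nouser": 0})
    for ip, user, result in events:
        stats[ip]["users"][user] += 1
        if result in ("ok", "nouser"):
            stats[ip][result] += 1
    verdicts = {}
    for ip, s in stats.items():
        counts = s["users"].values()
        n_users, total = len(counts), sum(counts)
        mean, peak = total / n_users, max(counts)
        if n_users < min_accounts:
            verdict = "brute force" if peak >= lockout else "benign"
        elif mean <= 1.5 and (s["nouser"] or s["ok"]):
            verdict = "credential stuffing"
        elif peak < lockout:
            verdict = "password spraying"       # stayed under lockout on every account
        else:
            verdict = "brute force"
        verdicts[ip] = {"verdict": verdict, "accounts": n_users, "attempts": total,
                        "max_per_account": peak, "successes": s["ok"], "unknown_users": s["nouser"]}
    return verdicts


if __name__ == "__main__":
    for ip, v in profile_sources(EVENTS).items():
        print(ip, v)
```

Note that both attacking sources end up with at least one successful login; the success itself looks like a normal sign-in, which is why the source-level aggregation is what makes the pattern visible.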