Credential Stuffing vs Password Spraying

29. October 2020 • edited 26. January 2021

We use Office 365 in a regular basis in my company. Don’t get me wrong – I’m hardly what you’d call a Microsoft advocate. In fact, my friends and colleagues know me rather as an Apple-fanboy and BSD-Geek. But I have to admit that Office 365 works pretty well. And, in these pandemic times when we work from home, Teams and other MS products come in very handy.

As part of my company’s security team we also encounter attacks against our user accounts. Perhaps you have read about such incidents in the press: Normally these reports concern credential stuffing and password spray attacks directed at Office 365 accounts. Today, I sat down and wondered what exactly the difference was between these two types of attacks. Until now I had used the terms pretty interchangeably: They are both a kind of brute force attack, right? Actually, it’s not that simple.

Credential Stuffing

This is an attack where an adversary uses a known pair of username and password to gain access. For example, there is a password leak from the site foobar.com: They stored the username and password in plain text. Lot of users use the same username and password across many sites. So, one could try to use the username and password from foobar.com on Facebook, Twitter or whatever to gain access.

Therefore credential stuffing uses a list of known username password combinations to brute-force against an authentication.

Password Spraying

In contrast to the above, this is an attack where the adversary only knows the username and tries a list of common or weak passwords with it. E.g. you know that the usernames at foobar.com are the same as the email addresses and you can harvest some of them from the website. Then you use a list of commonly used or weak passwords (e.g. test1234, password etc.) together with the usernames to gain access.

So, password spraying uses a list of known usernames in combination with commonly known and/or weak passwords to brute-force authentication.

Cover image by Methi SOMÇAĞ from Unsplash.

SecurityAttacksPasswords
Published under the THE BEER-WARE LICENSE.
If you like what I do you can subscribe my RSS feed or follow me on Twitter.

AuthN vs AuthZ