Credential Stuffing vs Password Spraying

29. October 2020 • edited 4. December 2020

At my employer we use Office 365. I’m not an Microsoft advocate. My friends and colleagues rather know me as Apple-Fanboy and BSD-Geek. But I have to admit that Office 365 works good enough. Even in these pandemic times when we work from home Teams and such serves very well.

As part of our security team we also encounter attacks against our user accounts. Maybe you read about that in the press: There are credential stuffing and password spray attacks going on this year against Office 365 accounts. Today I wondered what the concrete difference is between these two types of attacks. Until today I used the terms interchangeably: Its all a kind of brute force, right? No, it’s not that easy.

Credential Stuffing

This is an attack where an adversary uses a known pair of username and password to gain access. Eg. there is a password leak from the site They stored username and password in plain text. Lot of users use the same username password across many sites. So one could try to use the username and password from at Facebook, Twitter or whatever to gain access.

So credential stuffing uses a list of known username password combinations to brute-force against an authentication.

Password Spraying

In contrast this is an attack where the adversary only knows the username and tries a list of common or weak passwords with it. Eg. you know that the usernames at are same as the email addresses and you can harvest some of them from the website. Then you use a list of commonly used or weak password (eg. test1234, password etc.) together wit the usernames to gain access.

So password spraying uses a list of known usernames in combination with commonly known and/or weak passwords to brute-force authentication.

Cover image by Methi SOMÇAĞ from Unsplash.

Published under the THE BEER-WARE LICENSE.
If you like what I do you can subscribe my RSS feed or follow me on Twitter.

AuthN vs AuthZ