43

Wikipedia describes credential stuffing as

a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login. Credential Stuffing attacks are made possible because many users will reuse the same password across many sites.

Interestingly, there doesn't appear to be a Wikipedia article on password spraying. Double Octopus describes it as

Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords.

It seems that password spraying and credential stuffing are similar in their objectives and approach. It isn't clear what the discrete difference between the terms is. Are there any, and if yes, what would these be?

Motivated
  • What a hype about words. Decades ago we used those techniques before anyone called it password spraying or stuffing. We just called it cracking. – Daniel W. May 02 '19 at 15:06
  • @DanielW. Yes, and now there are ways to signify particular techniques, instead of just calling it all "cracking", because someone took the trouble to pick a name for the technique. Likewise I can distinguish between the big computer I carry around with me and the small computer I carry around with me using the more-concise and specific terms "laptop" and "phone". Back in the day we'd have called them both "obviously some sort of witchcraft: please tell me more". Progress is amazing. – Steve Jessop May 03 '19 at 08:52

4 Answers

72
  • Credential stuffing - use a bunch of usernames and passwords which are known to be associated with them to try and access multiple sites
  • Password spraying - use a list of usernames and some common passwords (which aren't known to have been used by someone with the usernames being sent) to try and gain access to a single site

The key difference is whether the password is known to be associated with the account or not, and whether the attack aims to get access to a single site, or to multiple sites.

Matthew
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/93095/discussion-on-answer-by-matthew-what-are-the-differences-between-credential-stuf). – Rory Alsop May 01 '19 at 11:48
  • Password spraying still works excellently because many security software systems rely on blocking accounts after 'n' attempts but don't actually prevent you from trying all known accounts with a single password, which can be more successful the larger the number of accounts involved. – Overmind May 03 '19 at 12:06
25
  • Credential Stuffing - is a type of attack that relies on users reusing the same password and username combination across different applications, where at least one application is compromised. For example: say StackExchange was compromised and my account and password were leaked. Then an attacker could search other social media sites for users with the name MeowCat and try the leaked password they gained from the compromised StackExchange site.
  • Password Spraying - is a type of brute force "dictionary" attack that is primarily used on applications where accounts are locked out after a set number of incorrect login attempts. Password spraying uses known/unknown (guessed) usernames and tries a small number of very common passwords so they do not get locked out. For example: if a program locks an account after 5 incorrect guesses, then if you incorrectly guess 5 times, there is no point in continuing to guess, as even if you get the correct password, you will not gain access. This is why a password spray will only attempt at maximum the 5 most common passwords (in this case) for any account and move on to another account (although they typically will only use 4 and not 5, as then the site might become suspicious if all of their users are locked out).
meowcat
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/93094/discussion-on-answer-by-meowcat-what-are-the-differences-between-credential-stuf). – Rory Alsop May 01 '19 at 11:48
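The two answers above (and Overmind's comment on Matthew's answer) describe how the patterns look from the defender's side: a spray stays under the per-account lockout threshold while touching many accounts from one source, and stuffing tries each breached username/password pair once, usually from many sources. The following is an added example, not code from any of the answers, that scores constructed authentication log lines against those two signatures and shows that a per-account lockout by itself (the control meowcat describes) locks nothing during a spray. The log format, the thresholds and the address ranges are all assumptions made for this example.

```python
# Added example (not part of any answer above): classify failed-login patterns
# in an authentication log as password spraying or credential stuffing, and show
# why a per-account lockout alone (the control meowcat describes) misses a spray.
# The log lines, thresholds and address ranges are constructed for this example.
from collections import defaultdict
from datetime import datetime

LOCKOUT_THRESHOLD = 5    # account locks after this many failures (meowcat's example)
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts one source must fail against to look like a spray
STUFF_MIN_ACCOUNTS = 5   # distinct one-attempt accounts and sources that look like stuffing


def make_log():
    """Build constructed log lines of the form '<ISO time> <RESULT> user=<name> src=<ip>'."""
    lines = []
    t = 0
    # Password spray: one source, four rounds over six accounts, never reaching lockout.
    for _ in range(4):
        for user in ["alice", "bob", "carol", "dave", "erin", "frank"]:
            lines.append(f"2019-05-01T10:{t // 60:02d}:{t % 60:02d} FAIL user={user} src=203.0.113.7")
            t += 7
    # Credential stuffing: one breached (user, password) pair tried once per account,
    # each from a different source; one pair happens to still be valid.
    stuffed = [("grace", "198.51.100.1", "FAIL"), ("heidi", "198.51.100.2", "FAIL"),
               ("ivan", "198.51.100.3", "SUCCESS"), ("judy", "198.51.100.4", "FAIL"),
               ("mallory", "198.51.100.5", "FAIL")]
    for user, src, result in stuffed:
        lines.append(f"2019-05-01T10:03:{t % 60:02d} {result} user={user} src={src}")
        t += 1
    # Legitimate user: one typo, then a successful login from the same address.
    lines.append("2019-05-01T10:05:00 FAIL user=oscar src=192.0.2.10")
    lines.append("2019-05-01T10:05:09 SUCCESS user=oscar src=192.0.2.10")
    return lines


def parse(lines):
    """Turn log lines into event dicts with a parsed timestamp, outcome, user and source."""
    events = []
    for line in lines:
        ts, result, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "SUCCESS",
                       "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]})
    return events


def locked_accounts(events):
    """Naive control: an account locks once it reaches LOCKOUT_THRESHOLD failures."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["user"]] += 1
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}


def detect_spraying(events):
    """Sources that fail against many distinct accounts while every account stays under lockout."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            per_src[e["src"]][e["user"]] += 1
    return {src: sorted(users) for src, users in per_src.items()
            if len(users) >= SPRAY_MIN_ACCOUNTS and max(users.values()) < LOCKOUT_THRESHOLD}


def detect_stuffing(events):
    """Many accounts each tried exactly once, from many distinct sources: each breached
    pair is tried a single time, so per-account attempt counts stay at 1."""
    attempts = defaultdict(list)
    for e in events:
        attempts[e["user"]].append(e)
    single = [evs[0] for evs in attempts.values() if len(evs) == 1]
    sources = {e["src"] for e in single}
    if len(single) < STUFF_MIN_ACCOUNTS or len(sources) < STUFF_MIN_ACCOUNTS:
        return None
    return {"accounts": sorted(e["user"] for e in single),
            "sources": sorted(sources),
            "successes": sorted(e["user"] for e in single if e["ok"])}


if __name__ == "__main__":
    events = parse(make_log())
    print("locked by per-account lockout:", locked_accounts(events) or "none")
    print("spraying sources:", detect_spraying(events))
    print("stuffing pattern:", detect_stuffing(events))
```

Running it shows the per-account lockout locking no one, the single spraying source flagged with all six accounts, and the stuffing pattern flagged with one successful login (the account whose reused password is still valid) that deserves immediate follow-up. A production detector would additionally bound both checks to a time window and key the spray check on an ASN or subnet as well as a single address.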
8

I think everyone has made it clear; I am just giving in-the-field practical examples.

Credential stuffing

This kind of attack starts from leaked account credentials acquired from an exposed source (e.g. exposed by a bad website, hacking, etc.). Have I Been Pwned has a huge DB of exposed accounts for a researcher to download.

To initiate the attack, the attacker just uses a script to skim through those exposed user credentials and tries to use them against any social network or important services platform to gain access. For example, an attacker gets a list of leaked passwords from Website XYZ, where user "JoeTiger" is using password "Meow@1234@7890". The attacker then just uses this information to construct a series of account names from the user name, e.g. joetiger@gmail.com, joetiger@yahoo.com, etc., with the same password.

Then the attacker will use these generated user names (and the mentioned password) and try to log in to all potential web service accounts, e.g. Amazon, Gmail, LinkedIn, Netflix, Quora, Quicken, etc., using the password "Meow@1234@7890", even though the user may not be using those services.

Password Spraying

This kind of attack uses the most frequently used passwords (e.g. the 10,000 most common passwords) against accounts. To launch the attack, the attacker simply acquires any active email address list (this can be bought from the darknet, obtained by hacking, or downloaded from exposed systems), then uses a script that brute-forces by cycling through the passwords against all the accounts in the list until it gains access.

Effectiveness: Prominent web services like Amazon, Google, etc. are imposing login limits, making a brute force attack less likely to be carried out over such services. To avoid immediate blocking by a login limit, these attacks are mostly carried out from infected machines, i.e. a botnet, to spread the attack.

Sim
mootmoot
-1

To put a different spin on why these two techniques are different:

  • password spraying exploits poor choice of password

  • password stuffing exploits password reuse

Ben Aveling
  • This is covered by other answers, and this answer lacks detail to make it useful. The lack of detail also makes it too ambiguous to be accurate. For instance, "stuffing" is a concept for passwords used by different account holders, not just reused by the same account holder. – schroeder Nov 07 '20 at 14:37