Skip to content

Password spraying vs. credential stuffing: why the difference matters


Reuse your passwords at your own peril.

Password spraying, credential stuffing, and other brute force cyberattacks are often used by cyber attackers as a lower-effort way to breach accounts, and they depend on low user credential hygiene to pull this off.

While password spraying and credential stuffing are both forms of brute-force password attacks—they are not the same. Password spraying involves using a common or easily guessed password against multiple accounts, whereas credential stuffing involves using credentials stolen or leaked from one account in an attempt to breach other accounts.

Diagram: Password spraying vs. credential stuffing

Password spraying and credential stuffing attacks can result in unauthorized access, fraudulent transactions, and system downtime. Cybercriminals are likely to try both techniques to penetrate your organization. While these types of cyberattacks are closely related, key differences in their mechanics mean you’ll want to implement different security controls to combat them.

In this blog, you’ll learn the difference between password spraying and credential stuffing attacks and see how examples of recent attacks have impacted organizations. To reduce your risk, you’ll get how-to advice on identity security controls and credential management best practices that you can start implementing right away.

Password spraying and credential stuffing attacks are a numbers game

Password spraying and credential stuffing are both forms of brute-force password attacks, a hacking method that cracks passwords, login credentials, and encryption keys to gain initial access.

Automation is making it easier for cybercriminals to carry out these types of attacks at scale. For example, threat actors can employ automated scripts and botnets to carry out phishing attempts, develop malware that evades detection, and analyze large datasets of stolen information. They also use automated tools to unlock multiple enterprise systems, exploiting the tendency of users to reuse passwords across workstations, applications, databases, and servers (aka “password recycling”).

Let’s review each type of attack technique in depth so you can see the difference.

Password spraying

In a password spraying attack, attackers don’t have access to credentials, so they make an educated guess. Through trial and error, they eventually hit on a username-password pair that unlocks an entry point. Password spraying attacks are successful because many people use weak and easily guessable passwords that rely on commonly used combinations (12345, passsword123, QWERTY, etc.).

Diagram: Password Spraying

Threat agents can also use open-source intelligence (OSINT) or social engineering to gather information that may help them guess a password—say a birthday or a child’s name. In that sense, password spraying attacks tend to be more targeted than credential stuffing. For example, a threat agent may want to enter a particular organization or system, so they train on understanding known users or system administrators with high levels of privileged access.

Examples of password spraying attacks

Russia-backed hacking group known as Midnight Blizzard employed password spraying to breach Microsoft’s corporate network, the company disclosed at the beginning of 2024. They exploited a weak password to access sensitive emails and documents of security and legal teams.

It’s important to note that this password-spraying attack compromised a legacy non-production test tenant account to gain a foothold. The cybercriminals then leveraged those permissions to access the email accounts.

How to combat password spraying attacks

There are several ways you can prevent password spraying attacks:

Strong passwords: The primary defense against password spraying attacks is ensuring every user within your organization creates strong passwords that are difficult to guess. For best practice guidance about password length and complexity, look to regulatory compliance requirements. For example, to be PCI compliant, passwords must contain both alpha and numeric characters and have a minimum length of seven characters, among other requirements.

Awareness training: Make sure users understand the importance of strong password management and know how to avoid social engineering attempts that can put their passwords at risk. They should never store passwords in unsafe places or share them with other people.

Automation: Rather than rely on users to create their own passwords, look for software that can take the onus off their shoulders. Enterprise password vaults and Privileged Access Management solutions automatically generate unique passwords that meet compliance requirements, using a random mix of characters.

Comprehensive oversight: Make sure you can track the “effective access” of every privileged user. Remember that their credentials may unlock legacy and test systems as well as production.

Credential stuffing

In a credential stuffing attack, cybercriminals leverage leaked or stolen credentials to gain access. According to the Verizon Data Breach Investigations Report, 31% of breaches in past 10 years involved stolen credentials. Credential stuffing accounts for 34% of all login attempts, Okta reports.

Diagram: Credential StuffingThere are numerous ways attackers get their hands on valid credentials. They may obtain lists of usernames and passwords from data breaches, phishing or malware campaigns, purchase them on the Dark Web through Initial Access Brokers, or find them on libraries and code repositories such as GitHub.

Examples of credential stuffing attacks

Credential stuffing attacks most commonly target retailers and ecommerce, according to Okta. Significant attack volumes also occurred in education, energy, financial services, and software/SaaS industries. Two recent examples of credential stuffing attacks illustrate how they work and the consequences.

North Face experienced a credential stuffing attack in 2022 that compromised about 200,000 accounts in the brand's online shop. Attackers used valid credentials to log into the back end of the ecommerce platform and access customer information.

Roku warned 576,000 accounts were compromised in credential stuffing attacks in March 2024. The company said attackers used credentials stolen from other online platforms, leveraging Open Bullet 2 or SilverBullet cracking tools to compromise Roku accounts, which are then sold for about 50 cents on illegal marketplaces.

How to combat credential stuffing attacks

To prevent and contain credential stuffing attacks, there are numerous identity security controls you can employ:

Change passwords frequently: That way, even if a cybercriminal has gotten ahold of stolen credentials, they will no longer work. In addition to scheduled changes, you may also want to rotate credentials ad-hoc, so that criminals can’t anticipate your moves.

Multi-factor authentication: MFA adds a layer of security to validate that people attempting to log into your systems are who they claim to be. It requires a user to provide evidence of their identity with something they have (like an authentication code on their phone) or something they are (like biometrics such as fingerprint). Even if an attacker has obtained valid credentials and is masquerading as an authenticated user, MFA can unmask them.

Don’t expose credentials on endpoints: Eliminate ways for criminals to obtain credentials. For example, instead of allowing remote users to log into VPNs or servers directly using a username and password pair, you can create a secure access route through a browser-based solution like Delinea’s Privileged Remote Access that injects credentials directly from your password vault.

Don’t keep credentials in code: Ensure you don’t retain default credentials in software or application libraries or hardcode them in any applications or scripts you build. Instead, store credentials in your central vault. Solutions like Delinea DevOps Secrets Vault enable immediate app-to-app communications and app-to-database access without hardcoding credentials.

Enterprise PAM helps prevent credential-based attacks

As you’ve seen, having an enterprise password vault or PAM solution can help you avoid both password spraying and credential stuffing attacks.

But what if one does happen? In that case, PAM solutions help you contain it. By using granular authorization controls that limit access according to the Principle of Least Privilege, you can define exactly what permissions credentials will unlock. You can set all access to the minimum level unless otherwise authorized through privilege elevation controls that require additional levels of verification and approval. That way, even if an attacker successfully logs in with credentials to gain initial access, they can’t do much damage to your organization.

In addition, PAM solutions give you comprehensive oversight through session monitoring. You can see when credentials are used and under what conditions, so that you can identify any irregularities. Let’s say you spot a sudden burst of credential usage—a hallmark of a credential-based attack—you can quickly rotate credentials automatically, enforce MFA, or even revoke access entirely.

With the right solutions, you can reduce the risk of password spraying and credential stuffing and avoid the consequences. As a next step, try Delinea Secret Server for free and check out its password management capabilities.

Secret Server Trial

IT security should be easy. We'll show you how

Try Secret Server and experience how fast and easy IT security products can be.