What are the differences between credential stuffing and password spraying?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
1
Wikipedia describes credential stuffing as
a type of cyberattack where stolen account credentials typically
consisting of lists of usernames and/or email addresses and the
corresponding passwords (often from a data breach) are used to gain
unauthorized access to user accounts through large-scale automated
login. Credential Stuffing attacks are made possible because many users will reuse the same password across many sites
Interestingly there doesn't appear to be Wikipedia article on password spraying. Double Octopus describes it as
Password spraying is an attack that that attempts to access a large
number of accounts (usernames) with a few commonly used passwords. Password spraying is an attack that that attempts to access a large number of accounts (usernames) with a few commonly used passwords.
It seems that password spraying and credential stuffing are similar in the objectives and approach. It isn't clear as to the discrete difference between the terms. Are there any and if yes, what would these be?
passwords credential-reuse
asked 1 hour ago
MotivatedMotivated
548412
add a comment |
1
Wikipedia describes credential stuffing as
a type of cyberattack where stolen account credentials typically
consisting of lists of usernames and/or email addresses and the
corresponding passwords (often from a data breach) are used to gain
unauthorized access to user accounts through large-scale automated
login. Credential Stuffing attacks are made possible because many users will reuse the same password across many sites
Interestingly there doesn't appear to be Wikipedia article on password spraying. Double Octopus describes it as
Password spraying is an attack that that attempts to access a large
number of accounts (usernames) with a few commonly used passwords. Password spraying is an attack that that attempts to access a large number of accounts (usernames) with a few commonly used passwords.
It seems that password spraying and credential stuffing are similar in the objectives and approach. It isn't clear as to the discrete difference between the terms. Are there any and if yes, what would these be?
passwords credential-reuse
asked 1 hour ago
MotivatedMotivated
548412
add a comment |
1
1
1
Wikipedia describes credential stuffing as
a type of cyberattack where stolen account credentials typically
consisting of lists of usernames and/or email addresses and the
corresponding passwords (often from a data breach) are used to gain
unauthorized access to user accounts through large-scale automated
login. Credential Stuffing attacks are made possible because many users will reuse the same password across many sites
Interestingly there doesn't appear to be Wikipedia article on password spraying. Double Octopus describes it as
Password spraying is an attack that that attempts to access a large
number of accounts (usernames) with a few commonly used passwords. Password spraying is an attack that that attempts to access a large number of accounts (usernames) with a few commonly used passwords.
It seems that password spraying and credential stuffing are similar in the objectives and approach. It isn't clear as to the discrete difference between the terms. Are there any and if yes, what would these be?
passwords credential-reuse
asked 1 hour ago
MotivatedMotivated
548412
Wikipedia describes credential stuffing as
a type of cyberattack where stolen account credentials typically
consisting of lists of usernames and/or email addresses and the
corresponding passwords (often from a data breach) are used to gain
unauthorized access to user accounts through large-scale automated
login. Credential Stuffing attacks are made possible because many users will reuse the same password across many sites
Interestingly there doesn't appear to be Wikipedia article on password spraying. Double Octopus describes it as
Password spraying is an attack that that attempts to access a large
number of accounts (usernames) with a few commonly used passwords. Password spraying is an attack that that attempts to access a large number of accounts (usernames) with a few commonly used passwords.
It seems that password spraying and credential stuffing are similar in the objectives and approach. It isn't clear as to the discrete difference between the terms. Are there any and if yes, what would these be?
passwords credential-reuse
passwords credential-reuse
asked 1 hour ago
MotivatedMotivated
548412
asked 1 hour ago
MotivatedMotivated
548412
asked 1 hour ago
MotivatedMotivated
548412
asked 1 hour ago
MotivatedMotivated
548412
asked 1 hour ago
MotivatedMotivated
548412
548412
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
2
Credential Stuffing - is a type of attack where users reuse the same password and username accross sites. For example: say StackExchange was compromised and my account and password where leaked. Then an attacker would search other social media sites for users with the name MeowCat and try the leaked password.
Password Spraying - is a type of brute force attacked that is used so that accounts do not get locked out. If a program locks an account after say 5 incorrect guesses, then a password spray will only attempt the 4 most common passwords for any account and move on to another account (They typically will not use 5 as then the site might become suspicious if all of their users are locked out).
answered 54 mins ago
meowcatmeowcat
735111
Do you mean to say password spraying is limited to a single information system and credential stuffing isn't? Additionally, does credential stuffing not take a similar approach to password attempts?
– Motivated
51 mins ago
No, credential stuffing does not take a similar approach it only uses known associated username/password combinations. Password spraying uses known/unknown(guessed) usernames and tests them against a set number of very common passwords.
– meowcat
47 mins ago
If password spraying uses known and unknown credentials, do you mean to say that with the former it is a form of credential stuffing? If there are known, why would the attack be limited to a set number of credentials or is it limited to unknown credentials? Additionally, are password spraying attacks limited to a single system?
– Motivated
43 mins ago
No, password spraying is not a form of credential stuffing. It typically uses known account names, but it could guess common usernames like bob or if there is a set style for names such as on stack you get userxxx where x is a number, they could guess by incrementing this naming convention. Password spraying is not technically limited, however it is common on systems that lock users out after a set amount of failed login attempts. So this is the limitation. Password spraying attacks are not limited to a system, you could write a script to attack multiple at once, but why?
– meowcat
29 mins ago
add a comment |
2
- Credential stuffing - use a bunch of usernames and passwords which are known to be associated with them to try and access multiple sites
- Password spraying - use a list of usernames and some common passwords (which aren't known to have been used by someone with the usernames being sent) to try and gain access to a single site
The key difference is whether the password is known to be associated with the account or not, and whether the attack aims to get access to a single site, or to multiple sites.
answered 51 mins ago
MatthewMatthew
25.4k78193
Do you mean to say that password spraying doesn't include known credentials for a spillage? Additionally, is password spraying limited to a single system?
– Motivated
49 mins ago
1
It tends not to - it uses common passwords (which may have been generated by looking at breaches elsewhere) but they aren't known to be associated with the usernames being used. They're just known to be used by a lot of users in general. You can password spray across multiple systems, but you don't benefit - better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before.
– Matthew
43 mins ago
Can you elaborate on "better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before"?
– Motivated
41 mins ago
If you spray a site with the passwords "Password1", "Password2" and "Password3", and find that the username "Motivated" used the password "Password3", you can then take that information, go to a different site, and immediately try that combination, rather than trying all the common passwords against the username. This is quicker, but has a decent chance of working, since you know a user with the username "Motivated" has previously used the password "Password3" on a different site.
– Matthew
16 mins ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209266%2fwhat-are-the-differences-between-credential-stuffing-and-password-spraying%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
2
Credential Stuffing - is a type of attack where users reuse the same password and username accross sites. For example: say StackExchange was compromised and my account and password where leaked. Then an attacker would search other social media sites for users with the name MeowCat and try the leaked password.
Password Spraying - is a type of brute force attacked that is used so that accounts do not get locked out. If a program locks an account after say 5 incorrect guesses, then a password spray will only attempt the 4 most common passwords for any account and move on to another account (They typically will not use 5 as then the site might become suspicious if all of their users are locked out).
answered 54 mins ago
meowcatmeowcat
735111
Do you mean to say password spraying is limited to a single information system and credential stuffing isn't? Additionally, does credential stuffing not take a similar approach to password attempts?
– Motivated
51 mins ago
No, credential stuffing does not take a similar approach it only uses known associated username/password combinations. Password spraying uses known/unknown(guessed) usernames and tests them against a set number of very common passwords.
– meowcat
47 mins ago
If password spraying uses known and unknown credentials, do you mean to say that with the former it is a form of credential stuffing? If there are known, why would the attack be limited to a set number of credentials or is it limited to unknown credentials? Additionally, are password spraying attacks limited to a single system?
– Motivated
43 mins ago
No, password spraying is not a form of credential stuffing. It typically uses known account names, but it could guess common usernames like bob or if there is a set style for names such as on stack you get userxxx where x is a number, they could guess by incrementing this naming convention. Password spraying is not technically limited, however it is common on systems that lock users out after a set amount of failed login attempts. So this is the limitation. Password spraying attacks are not limited to a system, you could write a script to attack multiple at once, but why?
– meowcat
29 mins ago
add a comment |
2
Credential Stuffing - is a type of attack where users reuse the same password and username accross sites. For example: say StackExchange was compromised and my account and password where leaked. Then an attacker would search other social media sites for users with the name MeowCat and try the leaked password.
Password Spraying - is a type of brute force attacked that is used so that accounts do not get locked out. If a program locks an account after say 5 incorrect guesses, then a password spray will only attempt the 4 most common passwords for any account and move on to another account (They typically will not use 5 as then the site might become suspicious if all of their users are locked out).
answered 54 mins ago
meowcatmeowcat
735111
Do you mean to say password spraying is limited to a single information system and credential stuffing isn't? Additionally, does credential stuffing not take a similar approach to password attempts?
– Motivated
51 mins ago
No, credential stuffing does not take a similar approach it only uses known associated username/password combinations. Password spraying uses known/unknown(guessed) usernames and tests them against a set number of very common passwords.
– meowcat
47 mins ago
If password spraying uses known and unknown credentials, do you mean to say that with the former it is a form of credential stuffing? If there are known, why would the attack be limited to a set number of credentials or is it limited to unknown credentials? Additionally, are password spraying attacks limited to a single system?
– Motivated
43 mins ago
No, password spraying is not a form of credential stuffing. It typically uses known account names, but it could guess common usernames like bob or if there is a set style for names such as on stack you get userxxx where x is a number, they could guess by incrementing this naming convention. Password spraying is not technically limited, however it is common on systems that lock users out after a set amount of failed login attempts. So this is the limitation. Password spraying attacks are not limited to a system, you could write a script to attack multiple at once, but why?
– meowcat
29 mins ago
add a comment |
2
2
2
Credential Stuffing - is a type of attack where users reuse the same password and username accross sites. For example: say StackExchange was compromised and my account and password where leaked. Then an attacker would search other social media sites for users with the name MeowCat and try the leaked password.
Password Spraying - is a type of brute force attacked that is used so that accounts do not get locked out. If a program locks an account after say 5 incorrect guesses, then a password spray will only attempt the 4 most common passwords for any account and move on to another account (They typically will not use 5 as then the site might become suspicious if all of their users are locked out).
answered 54 mins ago
meowcatmeowcat
735111
Credential Stuffing - is a type of attack where users reuse the same password and username accross sites. For example: say StackExchange was compromised and my account and password where leaked. Then an attacker would search other social media sites for users with the name MeowCat and try the leaked password.
Password Spraying - is a type of brute force attacked that is used so that accounts do not get locked out. If a program locks an account after say 5 incorrect guesses, then a password spray will only attempt the 4 most common passwords for any account and move on to another account (They typically will not use 5 as then the site might become suspicious if all of their users are locked out).
answered 54 mins ago
meowcatmeowcat
735111
answered 54 mins ago
meowcatmeowcat
735111
answered 54 mins ago
meowcatmeowcat
735111
answered 54 mins ago
meowcatmeowcat
735111
735111
Do you mean to say password spraying is limited to a single information system and credential stuffing isn't? Additionally, does credential stuffing not take a similar approach to password attempts?
– Motivated
51 mins ago
No, credential stuffing does not take a similar approach it only uses known associated username/password combinations. Password spraying uses known/unknown(guessed) usernames and tests them against a set number of very common passwords.
– meowcat
47 mins ago
If password spraying uses known and unknown credentials, do you mean to say that with the former it is a form of credential stuffing? If there are known, why would the attack be limited to a set number of credentials or is it limited to unknown credentials? Additionally, are password spraying attacks limited to a single system?
– Motivated
43 mins ago
No, password spraying is not a form of credential stuffing. It typically uses known account names, but it could guess common usernames like bob or if there is a set style for names such as on stack you get userxxx where x is a number, they could guess by incrementing this naming convention. Password spraying is not technically limited, however it is common on systems that lock users out after a set amount of failed login attempts. So this is the limitation. Password spraying attacks are not limited to a system, you could write a script to attack multiple at once, but why?
– meowcat
29 mins ago
add a comment |
Do you mean to say password spraying is limited to a single information system and credential stuffing isn't? Additionally, does credential stuffing not take a similar approach to password attempts?
– Motivated
51 mins ago
No, credential stuffing does not take a similar approach it only uses known associated username/password combinations. Password spraying uses known/unknown(guessed) usernames and tests them against a set number of very common passwords.
– meowcat
47 mins ago
If password spraying uses known and unknown credentials, do you mean to say that with the former it is a form of credential stuffing? If there are known, why would the attack be limited to a set number of credentials or is it limited to unknown credentials? Additionally, are password spraying attacks limited to a single system?
– Motivated
43 mins ago
No, password spraying is not a form of credential stuffing. It typically uses known account names, but it could guess common usernames like bob or if there is a set style for names such as on stack you get userxxx where x is a number, they could guess by incrementing this naming convention. Password spraying is not technically limited, however it is common on systems that lock users out after a set amount of failed login attempts. So this is the limitation. Password spraying attacks are not limited to a system, you could write a script to attack multiple at once, but why?
– meowcat
29 mins ago
Do you mean to say password spraying is limited to a single information system and credential stuffing isn't? Additionally, does credential stuffing not take a similar approach to password attempts?
– Motivated
51 mins ago
Do you mean to say password spraying is limited to a single information system and credential stuffing isn't? Additionally, does credential stuffing not take a similar approach to password attempts?
– Motivated
51 mins ago
No, credential stuffing does not take a similar approach it only uses known associated username/password combinations. Password spraying uses known/unknown(guessed) usernames and tests them against a set number of very common passwords.
– meowcat
47 mins ago
No, credential stuffing does not take a similar approach it only uses known associated username/password combinations. Password spraying uses known/unknown(guessed) usernames and tests them against a set number of very common passwords.
– meowcat
47 mins ago
If password spraying uses known and unknown credentials, do you mean to say that with the former it is a form of credential stuffing? If there are known, why would the attack be limited to a set number of credentials or is it limited to unknown credentials? Additionally, are password spraying attacks limited to a single system?
– Motivated
43 mins ago
If password spraying uses known and unknown credentials, do you mean to say that with the former it is a form of credential stuffing? If there are known, why would the attack be limited to a set number of credentials or is it limited to unknown credentials? Additionally, are password spraying attacks limited to a single system?
– Motivated
43 mins ago
No, password spraying is not a form of credential stuffing. It typically uses known account names, but it could guess common usernames like bob or if there is a set style for names such as on stack you get userxxx where x is a number, they could guess by incrementing this naming convention. Password spraying is not technically limited, however it is common on systems that lock users out after a set amount of failed login attempts. So this is the limitation. Password spraying attacks are not limited to a system, you could write a script to attack multiple at once, but why?
– meowcat
29 mins ago
No, password spraying is not a form of credential stuffing. It typically uses known account names, but it could guess common usernames like bob or if there is a set style for names such as on stack you get userxxx where x is a number, they could guess by incrementing this naming convention. Password spraying is not technically limited, however it is common on systems that lock users out after a set amount of failed login attempts. So this is the limitation. Password spraying attacks are not limited to a system, you could write a script to attack multiple at once, but why?
– meowcat
29 mins ago
add a comment |
2
- Credential stuffing - use a bunch of usernames and passwords which are known to be associated with them to try and access multiple sites
- Password spraying - use a list of usernames and some common passwords (which aren't known to have been used by someone with the usernames being sent) to try and gain access to a single site
The key difference is whether the password is known to be associated with the account or not, and whether the attack aims to get access to a single site, or to multiple sites.
answered 51 mins ago
MatthewMatthew
25.4k78193
Do you mean to say that password spraying doesn't include known credentials for a spillage? Additionally, is password spraying limited to a single system?
– Motivated
49 mins ago
1
It tends not to - it uses common passwords (which may have been generated by looking at breaches elsewhere) but they aren't known to be associated with the usernames being used. They're just known to be used by a lot of users in general. You can password spray across multiple systems, but you don't benefit - better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before.
– Matthew
43 mins ago
Can you elaborate on "better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before"?
– Motivated
41 mins ago
If you spray a site with the passwords "Password1", "Password2" and "Password3", and find that the username "Motivated" used the password "Password3", you can then take that information, go to a different site, and immediately try that combination, rather than trying all the common passwords against the username. This is quicker, but has a decent chance of working, since you know a user with the username "Motivated" has previously used the password "Password3" on a different site.
– Matthew
16 mins ago
add a comment |
2
- Credential stuffing - use a bunch of usernames and passwords which are known to be associated with them to try and access multiple sites
- Password spraying - use a list of usernames and some common passwords (which aren't known to have been used by someone with the usernames being sent) to try and gain access to a single site
The key difference is whether the password is known to be associated with the account or not, and whether the attack aims to get access to a single site, or to multiple sites.
answered 51 mins ago
MatthewMatthew
25.4k78193
Do you mean to say that password spraying doesn't include known credentials for a spillage? Additionally, is password spraying limited to a single system?
– Motivated
49 mins ago
1
It tends not to - it uses common passwords (which may have been generated by looking at breaches elsewhere) but they aren't known to be associated with the usernames being used. They're just known to be used by a lot of users in general. You can password spray across multiple systems, but you don't benefit - better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before.
– Matthew
43 mins ago
Can you elaborate on "better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before"?
– Motivated
41 mins ago
If you spray a site with the passwords "Password1", "Password2" and "Password3", and find that the username "Motivated" used the password "Password3", you can then take that information, go to a different site, and immediately try that combination, rather than trying all the common passwords against the username. This is quicker, but has a decent chance of working, since you know a user with the username "Motivated" has previously used the password "Password3" on a different site.
– Matthew
16 mins ago
add a comment |
2
2
2
- Credential stuffing - use a bunch of usernames and passwords which are known to be associated with them to try and access multiple sites
- Password spraying - use a list of usernames and some common passwords (which aren't known to have been used by someone with the usernames being sent) to try and gain access to a single site
The key difference is whether the password is known to be associated with the account or not, and whether the attack aims to get access to a single site, or to multiple sites.
answered 51 mins ago
MatthewMatthew
25.4k78193
- Credential stuffing - use a bunch of usernames and passwords which are known to be associated with them to try and access multiple sites
- Password spraying - use a list of usernames and some common passwords (which aren't known to have been used by someone with the usernames being sent) to try and gain access to a single site
The key difference is whether the password is known to be associated with the account or not, and whether the attack aims to get access to a single site, or to multiple sites.
answered 51 mins ago
MatthewMatthew
25.4k78193
answered 51 mins ago
MatthewMatthew
25.4k78193
answered 51 mins ago
MatthewMatthew
25.4k78193
answered 51 mins ago
MatthewMatthew
25.4k78193
25.4k78193
Do you mean to say that password spraying doesn't include known credentials for a spillage? Additionally, is password spraying limited to a single system?
– Motivated
49 mins ago
1
It tends not to - it uses common passwords (which may have been generated by looking at breaches elsewhere) but they aren't known to be associated with the usernames being used. They're just known to be used by a lot of users in general. You can password spray across multiple systems, but you don't benefit - better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before.
– Matthew
43 mins ago
Can you elaborate on "better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before"?
– Motivated
41 mins ago
If you spray a site with the passwords "Password1", "Password2" and "Password3", and find that the username "Motivated" used the password "Password3", you can then take that information, go to a different site, and immediately try that combination, rather than trying all the common passwords against the username. This is quicker, but has a decent chance of working, since you know a user with the username "Motivated" has previously used the password "Password3" on a different site.
– Matthew
16 mins ago
add a comment |
Do you mean to say that password spraying doesn't include known credentials for a spillage? Additionally, is password spraying limited to a single system?
– Motivated
49 mins ago
1
It tends not to - it uses common passwords (which may have been generated by looking at breaches elsewhere) but they aren't known to be associated with the usernames being used. They're just known to be used by a lot of users in general. You can password spray across multiple systems, but you don't benefit - better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before.
– Matthew
43 mins ago
Can you elaborate on "better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before"?
– Motivated
41 mins ago
If you spray a site with the passwords "Password1", "Password2" and "Password3", and find that the username "Motivated" used the password "Password3", you can then take that information, go to a different site, and immediately try that combination, rather than trying all the common passwords against the username. This is quicker, but has a decent chance of working, since you know a user with the username "Motivated" has previously used the password "Password3" on a different site.
– Matthew
16 mins ago
Do you mean to say that password spraying doesn't include known credentials for a spillage? Additionally, is password spraying limited to a single system?
– Motivated
49 mins ago
Do you mean to say that password spraying doesn't include known credentials for a spillage? Additionally, is password spraying limited to a single system?
– Motivated
49 mins ago
1
1
It tends not to - it uses common passwords (which may have been generated by looking at breaches elsewhere) but they aren't known to be associated with the usernames being used. They're just known to be used by a lot of users in general. You can password spray across multiple systems, but you don't benefit - better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before.
– Matthew
43 mins ago
It tends not to - it uses common passwords (which may have been generated by looking at breaches elsewhere) but they aren't known to be associated with the usernames being used. They're just known to be used by a lot of users in general. You can password spray across multiple systems, but you don't benefit - better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before.
– Matthew
43 mins ago
Can you elaborate on "better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before"?
– Motivated
41 mins ago
Can you elaborate on "better off to spray on one system, then use successful combinations on other systems, since you now know the users have used the associated passwords before"?
– Motivated
41 mins ago
If you spray a site with the passwords "Password1", "Password2" and "Password3", and find that the username "Motivated" used the password "Password3", you can then take that information, go to a different site, and immediately try that combination, rather than trying all the common passwords against the username. This is quicker, but has a decent chance of working, since you know a user with the username "Motivated" has previously used the password "Password3" on a different site.
– Matthew
16 mins ago
If you spray a site with the passwords "Password1", "Password2" and "Password3", and find that the username "Motivated" used the password "Password3", you can then take that information, go to a different site, and immediately try that combination, rather than trying all the common passwords against the username. This is quicker, but has a decent chance of working, since you know a user with the username "Motivated" has previously used the password "Password3" on a different site.
– Matthew
16 mins ago
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209266%2fwhat-are-the-differences-between-credential-stuffing-and-password-spraying%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
