Understanding Credential Stuffing vs Password Spraying

LastPass, August 16, 2024
Users now have an average of 100 digital accounts, which means 100 logins and 100 passwords to track, manage, and secure. 

Not surprisingly, attackers recognize the potential opportunities of this growing online landscape: If they can steal (or guess) user passwords, they can gain access to everything from banking to e-commerce to business networking accounts.  

But it doesn't stop there: Armed with one set of credentials, attackers are well-positioned to expand their impact, because users juggling many accounts often take the same shortcut: They use similar (or identical) usernames and passwords everywhere to simplify the process. The problem? This also makes it easier for attackers to gain and exploit access across all of those accounts.

Two common approaches to digital account compromise are credential stuffing and password spraying. Here's a look at how they work, where they overlap, and what businesses can do to reduce their potential risks. 

What Is Credential Stuffing? 

Credential stuffing uses stolen login and password data to access user accounts. This data may be obtained by convincing users to share protected data, by direct exfiltration using malware tools, or by purchase on Dark Web marketplaces that sell user credentials to malicious actors.  

Definition and explanation of credential stuffing 

Credential stuffing starts with attackers obtaining user logins and passwords. Phishing emails are one common way to achieve this goal. Malicious actors send employees legitimate-looking emails that ask them to update or change their usernames and passwords. When users click through on the provided link, they're taken to a spoof site that records their login data and uses it to compromise accounts. 

Once attackers are inside user accounts, they can access anything that users can access, from privileged information to corporate contact lists or even financial data.  

How hackers use stolen credentials in credential stuffing attacks 

Hackers use stolen credentials to access user accounts. For example, if cybercriminals discover that Bob@Company.com uses the password 12345678 to access protected business networks, they can take over his account, lock him out, and begin stealing or encrypting company data. 

Bob, however, also uses the same email address and password for multiple accounts including personal banking, e-commerce, and even his taxes. Credential stuffers leverage automated software solutions to try credentials across multiple accounts; each successful attempt is another account they can compromise and commandeer.  

Real-world examples of credential stuffing attacks 

Bob is hypothetical, but credential stuffing attacks are increasingly common in the real world as users' digital footprints continue to grow. Consider the case of DNA genetic testing company 23andMe. In 2023, a malicious actor used credentials stolen from other sites to access 14,000 23andMe accounts. Once the attacker gained entry, they stole personal history and genetic data from millions of users and then sold this data online. 

What's interesting about this attack - and many other credential stuffing attacks - is that the failure point wasn't the origin. The stolen credentials didn't come from 23andMe; instead, users reusing the same login details across multiple sites made it possible for attackers to compromise millions of accounts.

Worth noting? Because accounts in credential stuffing attacks are accessed using the correct usernames and passwords, security programs and other tools may not flag these behaviors as an attack, in turn making it more difficult for security teams to pin down the source of data compromise.  

Tools used in a credential stuffing attack 

There are several common tools used in a credential stuffing attack. 

First are bots capable of delivering hundreds or thousands of phishing emails simultaneously. If attackers can convince even one user to share their login details, they can start stuffing credentials across multiple accounts. The more accounts they access, the larger their potential pool of data, and the greater their impact.  

What Is Password Spraying? 

Password spraying is all about speed: Trying multiple username and password combinations across multiple accounts until attackers find one that works. Unlike credential stuffing, this attack comes from a place of general rather than specific knowledge. While attackers don't know exactly what passwords users have chosen, they do know which passwords are the most common.  

Definition and explanation of password spraying 

Password spraying tests common passwords across multiple accounts in an effort to find a combination that works.  

According to 2024 data, common is the operative word for many passwords. For example, in the United States, the most commonly hacked password was "password". In Germany, Italy, and Spain, the most common password failure point was "123456". Other common examples include slight variations such as "passw0rd" or "12#45678" - while these include a number and symbol, respectively, they're no more secure. 

Techniques used in password spraying attacks 

Rapid-fire, multitarget approaches are the primary techniques used by password spraying attackers. By spreading attempts across many accounts and services, attackers lower the chance of triggering account lockouts or being flagged as malicious.

Consider a banking website that gives users 5 attempts to input the correct username and password combination before locking them out. If attackers concentrate their efforts on this site and fire password after password at these accounts, security software will quickly recognize that something is wrong. 

If, however, they spread attacks out across multiple sites and only make one or two attempts per account, defensive solutions will likely view these efforts as legitimate users simply forgetting their password and coming back later to try again.  
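The lockout thresholds described above can be turned into detection logic that looks at the shape of failures rather than only counting them per account. The block below is an added example (not LastPass code or tooling) that runs over constructed sample log lines in an assumed "timestamp source_ip username result" format. It raises three kinds of alert per source address within a sliding time window: per-account brute force (what a lockout already catches), low-and-slow password spraying (many accounts, one or two failures each, which a per-account lockout never sees), and, covering the earlier point that credential stuffing succeeds with valid passwords, a burst of successful logins to many distinct accounts from one source. The log format, thresholds and window size are assumptions to be tuned for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): "timestamp source_ip username result".
# 203.0.113.7  -> one failure each against six accounts (spray pattern)
# 198.51.100.9 -> six failures against one account (classic brute force, hits lockout)
# 192.0.2.44   -> successful logins to five accounts in a minute (stuffing with valid creds)
# 10.0.0.5     -> a user who mistyped once and then got in (benign)
SAMPLE_LOG = """\
2024-08-16T09:00:01 203.0.113.7 alice@place.com FAIL
2024-08-16T09:00:04 203.0.113.7 bob@place.com FAIL
2024-08-16T09:00:07 203.0.113.7 charlie@place.com FAIL
2024-08-16T09:00:10 203.0.113.7 dave@place.com FAIL
2024-08-16T09:00:13 203.0.113.7 erin@place.com FAIL
2024-08-16T09:00:16 203.0.113.7 frank@place.com FAIL
2024-08-16T09:00:19 203.0.113.7 grace@place.com OK
2024-08-16T09:05:00 198.51.100.9 bob@place.com FAIL
2024-08-16T09:05:03 198.51.100.9 bob@place.com FAIL
2024-08-16T09:05:06 198.51.100.9 bob@place.com FAIL
2024-08-16T09:05:09 198.51.100.9 bob@place.com FAIL
2024-08-16T09:05:12 198.51.100.9 bob@place.com FAIL
2024-08-16T09:05:15 198.51.100.9 bob@place.com FAIL
2024-08-16T09:10:00 192.0.2.44 alice@place.com OK
2024-08-16T09:10:03 192.0.2.44 bob@place.com OK
2024-08-16T09:10:06 192.0.2.44 charlie@place.com OK
2024-08-16T09:10:09 192.0.2.44 dave@place.com OK
2024-08-16T09:10:12 192.0.2.44 erin@place.com OK
2024-08-16T09:30:00 10.0.0.5 alice@place.com FAIL
2024-08-16T09:30:20 10.0.0.5 alice@place.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_events(log_text):
    """Parse log lines into (time, source_ip, username, success) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash the detector
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return sorted(events)


def analyze(log_text, window=timedelta(minutes=10), per_account_limit=5,
            spray_accounts=5, spray_max_per_account=2, stuffing_accounts=3):
    """Return a sorted list of (source_ip, alert_type) for sources that trip a rule.

    brute_force      : some account has >= per_account_limit failures in the window
    password_spray   : >= spray_accounts distinct accounts failed, none more than
                       spray_max_per_account times (stays under any per-account lockout)
    stuffing_success : >= stuffing_accounts distinct accounts logged in OK from one
                       source (valid credentials, so there are no failures to alert on)
    """
    by_source = defaultdict(list)
    for ev in parse_events(log_text):
        by_source[ev[1]].append(ev)

    alerts = set()
    for ip, events in by_source.items():
        recent = deque()  # events from this source inside the sliding window
        for ev in events:
            recent.append(ev)
            while recent and ev[0] - recent[0][0] > window:
                recent.popleft()
            fails = defaultdict(int)
            successes = set()
            for _, _, user, ok in recent:
                if ok:
                    successes.add(user)
                else:
                    fails[user] += 1
            if fails and max(fails.values()) >= per_account_limit:
                alerts.add((ip, "brute_force"))
            if len(fails) >= spray_accounts and max(fails.values()) <= spray_max_per_account:
                alerts.add((ip, "password_spray"))
            if len(successes) >= stuffing_accounts:
                alerts.add((ip, "stuffing_success"))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, kind in analyze(SAMPLE_LOG):
        print(f"{ip}: {kind}")
```

The spray rule is the one a per-account lockout cannot express, because it keys on the number of distinct accounts a single source fails against, not on failures per account. The stuffing_success rule will also fire for a shared corporate NAT address where many legitimate users log in, so in practice it is paired with an allow list of known egress addresses or with per-user checks such as a new device or geography.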

Common targets and motivations for password spraying attacks 

Attackers are motivated to use password spraying attacks because they work. If they can compromise even a single account, they can often leverage these details to access multiple accounts across different websites. With credential data in hand, attackers can carry out actions such as making purchases on user credit cards, transferring money from user bank accounts, or leveraging compromised accounts to compromise other users within business networks.  

Some of the most common targets for password spraying attacks include virtual private network (VPN) providers, web-based email applications, and e-commerce sites.  

Tools used in password spraying 

Automated tools are key to password spraying efforts. First, attackers obtain a list of usernames from public sources such as corporate directories or Dark Web sites that sell this data online. Then, they select a set of common passwords and use an automated tool to pair these two sets and test them out on multiple sites. 

For example, criminals might obtain a list of usernames that includes Alice@place.com, Bob@place.com, Charlie@place.com, and Dave@place.com. Using an automated tool, attackers try each of these usernames with the password "password" to see if they can gain access. If not, they repeat the process with a different password until they get a match.

Differences Between Credential Stuffing and Password Spraying 

While credential stuffing and password spraying both leverage usernames and passwords to attempt compromise, their goals and methods are not identical.  

Overview of the attack methods and their goals 

Credential stuffing uses known data to access accounts and then attempts to access other accounts on other sites using this same data. In password spraying attacks, meanwhile, lists of usernames are leveraged to try out multiple common passwords and see what sticks.  

Key differences in execution and success rates 

The primary difference in execution between spraying and stuffing attacks is scope. Spraying attacks run large username lists against a short list of likely passwords across multiple sites in an effort to find a match, then leverage this match to find more points of compromise.

Stuffing attacks, meanwhile, start with a clear target. Attackers know that they can access one account, and then use this data to target the same user across multiple accounts. 

Because of this difference in approach, success rates are also different. When it comes to password spraying attacks, success rates tend to hover around 1%. Credential stuffing attacks, meanwhile, have a higher initial success rate but a lower long-term rate since they're using the same credentials across multiple sites rather than trying multiple iterations.  

Impacts on targeted systems and users 

If accounts are compromised via stuffing or spraying attacks, criminals can leverage this access to lock out legitimate users, steal business data, or install malicious tools. Depending on the type of attack carried out, companies may face challenges with system performance as attackers expand across networks or discover that key data and assets have been stolen or encrypted.  

How Credential Stuffing and Password Spraying Overlap 

Both credential stuffing and password spraying use a rapid-fire approach to infiltrate systems and gain access. The primary difference is what malicious actors know.  

In the case of stuffing attacks, criminals know both usernames and passwords and attempt to "stuff" these passwords into as many login portals as possible. In the case of password spraying, meanwhile, cyberattackers leverage user behavior to predict common passwords; combined with publicly available email directories, attackers are often able to find a username/password combination that works.  

Result of weak password security 

While the methods differ, credential stuffing and password spraying have the same root cause: Weak password security.  

In the case of credential stuffing, attacker success relies on the repeated use of passwords across multiple accounts. When it comes to password spraying, the user's tendency to pick simple, easily guessed passwords provides the catalyst for access.  

Preventing Credential Stuffing and Password Spraying 

Because these attack methods share a common root, protection starts the same way: Improving password security. The fewer passwords attackers are able to guess or steal, the lower their chances of successfully compromising business networks.  

Best practices for strong and unique passwords 

Several best practices are effective in helping users create strong passwords. 

First, companies need to clearly define password requirements. These requirements should include a minimum length - 8 characters or more is ideal - along with requirements for symbols or numbers in addition to letters.

Next, it's critical to educate staff about password best practices. These practices include choosing passwords that are easy to remember but hard to guess, not repeating previous passwords, and not using the same password across multiple accounts.  

Finally, businesses should implement tools to help reduce the risk of successful attacks. These tools include password managers that help lower the chance of repeated or easy-to-guess passwords, and detection tools that can spot multiple login attempts.  
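The three steps above (defined requirements, no reuse, tooling that enforces them) can be checked at password-change time. The block below is an added example, not LastPass code, of such a check: it enforces the 8-character minimum and the digit/symbol rule from the article, rejects entries on a deny list seeded with the commonly compromised passwords the article names ("password", "123456", "passw0rd", "12#45678"), and refuses reuse by comparing against salted PBKDF2 hashes of the user's previous passwords. The leet-speak normalization (so that "Passw0rd!" is judged as "password") goes beyond the article and is an assumption of this example; the tiny deny list would be replaced by a full breach-derived list in production.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8  # the article's minimum; raising it is cheap and effective

# Constructed deny list seeded with the passwords the article calls out. Real deployments
# load a large breach-derived list here instead.
COMMON_PASSWORDS = {"password", "123456", "passw0rd", "12#45678", "12345678", "qwerty"}

# Substitutions that attacker wordlists already include, so they add no real strength.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(pw):
    """Lower-case and undo common character substitutions."""
    return pw.lower().translate(LEET_MAP)


NORMALIZED_COMMON = {normalize(p) for p in COMMON_PASSWORDS}


def hash_password(pw, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 for the reuse-history store; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)


def check_password(candidate, history=()):
    """Return the list of policy violations for `candidate`; an empty list means accepted.

    history: iterable of (salt, digest) pairs produced by hash_password() for the
    user's previous passwords, so plaintext never needs to be stored for the check.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbol")

    # Deny-list check: exact match, or the normalized core (trailing digits/symbols
    # stripped) matches a normalized deny-list entry, e.g. "Passw0rd!" -> "password".
    core = re.sub(r"[^a-z]+$", "", normalize(candidate))
    if candidate.lower() in COMMON_PASSWORDS or core in NORMALIZED_COMMON:
        problems.append("on the common-password deny list")

    # Reuse check against the salted hashes of earlier passwords.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("reused from password history")
            break
    return problems


if __name__ == "__main__":
    for pw in ["password", "Passw0rd!", "12#45678", "correct-horse-battery-staple-42"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

A digit-and-symbol rule on its own is satisfied by "Passw0rd!" and "12#45678", which is exactly why the deny-list check matters more than the composition rules; the reuse check is what stops a user from rotating back to a password that may already be in a breach dump.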

Implementing multi-factor authentication to mitigate attacks 

One critical tool in the fight against credential stuffing and password spraying is multi-factor authentication or MFA. This security technique requires users to provide an additional piece of information, or factor, before granting account access. For example, along with usernames and passwords, staff might be required to provide a one-time code or biometric data such as a fingerprint. MFA efforts significantly reduce the risk of stuffing and spraying attacks since usernames and passwords aren't enough to grant access on their own.  

Role of password managers like LastPass in preventing credential-based attacks 

Password managers such as LastPass can also help reduce the risk of credential-type attacks. For example, while LastPass automatically fills in credentials on trusted websites, it will not do so on unrecognized websites.  

In addition, LastPass offers a powerful password generation tool that makes it easy for users to create secure, random passwords. 

Bottom line? Credential stuffing and password spraying attacks are common threat vectors that require only occasional success to compromise business security. Protect accounts and critical assets with password best practices and powerful password tools. 

Stop the stuff and keep the spray away with LastPass. Start your free trial today.