While there are exceptions to the rule, most online businesses use passwords to secure user accounts. When a new user decides to open virtually any online account, they’re prompted to select a password. In theory, this password should protect the account from intruders.
Unfortunately, just as physical locks can be picked with the right tools, so can digital locks protected by passwords. Since the dawn of the internet, hackers and other bad actors have used password attacks to target this inherent vulnerability and initiate account takeovers.
Bad actors often use two types of password attacks in particular: credential stuffing and password spraying. While these attacks share a number of similarities and are closely related, there are important differences between the two.
Below, we define both credential stuffing and password spraying, take a look at their similarities and differences, and explore how to protect your users (and business) against these attacks.
What is credential stuffing?
Credential stuffing is a type of password attack in which a bad actor gains access to a user’s credentials for one online account, and then tries to use those credentials to access other online accounts.
By some estimates, the average person has between 70 and 80 online accounts, each of which must be protected by a password.
In an ideal world, each of these passwords would be unique. Unfortunately, most people reuse the same password (or variations of the same password) for multiple accounts, which opens up the possibility for credential stuffing attacks.
In a credential stuffing attack, the credentials (username, email address, password) an individual uses to access their online account become compromised in some way — commonly, due to an online leak. Knowing that credentials are often reused for multiple accounts, a hacker then attempts to use the credentials to access other accounts that may be held by the individual. If those credentials don’t work, the hacker may also attempt common variations of the known password — for example, by swapping certain letters for numbers, or adding in punctuation.
Credential stuffing can be performed manually. But because it’s usually a numbers game, many hackers use botnets to carry out their attacks.
As an example, imagine that a hacker has gained access to an individual’s LinkedIn credentials. The hacker knows the individual’s username, email address, birthday and password: bethany1234. Using this information, the hacker might then attempt to log in to the individual’s other accounts, such as their Facebook account or online bank account. If bethany1234 doesn’t work, they may attempt common variations such as:
- bethany1234!
- bethany_1234
- Bethany1234
- bethany!@#$
They continue trying new variations until they either gain access to the account or are locked out of it by security protocols. Then, they’ll move on to another website until they’ve exhausted all possibilities.
What is password spraying?
A password spraying attack is a type of password attack in which a bad actor doesn’t know an individual’s password, but instead cycles through a list of the most commonly-used passwords to attempt to log in to a user’s account.
As mentioned above, the average person has dozens of online accounts, each of which requires a password. Of course, remembering all of these passwords can be difficult, so some individuals opt to use common or easy-to-remember passwords when opening a new account. While there are many examples, some of the most commonly-used passwords include:
- 123456
- 111111
- Qwerty
- Qwerty123
- Password
- abc123
Usually, a hacker attempts to log into many different accounts using a single password (i.e., “spraying” the password at many accounts with the hope that it will stick to one of them). Once they have worked through their list of target accounts with the first password, they then move on to the next password, repeating the process. This method sometimes helps the hacker avoid being locked out of an account due to having too many failed log-in attempts.
A password spraying attack might look something like this:
- Username: Tim, Password: qwerty
- Username: Jenna, Password: qwerty
- Username: Zoey, Password: qwerty
- Username: Tim, Password: password
- Username: Jenna, Password: password
- Username: Zoey, Password: password
- Username: Tim, Password: abc123
- Username: Jenna, Password: abc123
- Username: Zoey, Password: abc123
As with credential stuffing, password spraying can be accomplished manually or automatically using bots.
What’s the difference between credential stuffing and password spraying?
The primary difference between credential stuffing and password spraying is:
- In credential stuffing attacks, the hacker has access to a set of valid credentials which they use to attempt to log into secondary accounts.
- In password spraying attacks, the hacker does not have access to known credentials. Instead, they try to log into a user account with commonly used passwords. As such, password spraying tends to be a less-targeted attack compared to credential stuffing.
Otherwise, credential stuffing and password spraying are very similar. They are both forms of brute force password attacks, they can both be performed manually or via bots, and they can both be used to cause tremendous harm to your users and business.
Other types of password attacks
It’s worth noting that password spraying and credential stuffing aren’t the only types of password attacks out there. There are many other types of attack you should also be aware of, including:
- Man-in-the-middle attacks
- Brute force attacks
- Phishing attacks
- Keylogger attacks
- Traffic interception
- Rainbow table attacks
- Credential harvesting
How to prevent credential stuffing and password spraying
While password spraying and credential stuffing are different types of password attacks, they are closely related to one another. As such, they can both potentially be mitigated and prevented in similar ways. Below are some methods you can use to prevent credential stuffing and password spraying attacks at your business.
Don’t allow users to open an account with commonly-used passwords.
It’s very easy to find lists of the most commonly-used passwords. With this in mind, you can set password creation policies that specifically do not allow your users to use these common passwords. If a user attempts to use such a password, you can prompt them to select a different (more difficult or less common) password. Implementing such a policy can help you preempt password spraying attacks before they even become an issue.
Likewise, the simple act of educating users about the importance of using unique passwords when they create an account can be an effective means of reducing their vulnerability to credential stuffing attacks.
Screen for leaked credentials.
A number of services allow businesses to compare their database of user credentials against databases of known compromised credentials. By periodically screening against such databases, you can preemptively identify and lock vulnerable accounts, then prompt the user to update their password.
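The two checks described above (rejecting commonly-used passwords and their trivial variants, and screening a candidate against a corpus of known-compromised passwords) can both run in the signup or password-change handler. The following is an added example written for this post, not Persona’s code or any particular service’s API: the denylist is the handful of common passwords listed earlier, the variant normalization (case, trailing digits and punctuation, letter-for-number swaps) is an assumption about what “variations” to catch, and the leaked-password check implements the k-anonymity range-query pattern with a constructed, offline stand-in for the remote lookup.

```python
import hashlib
import re
from typing import Callable, Iterable

# Constructed denylist: the common passwords named in the post. A real
# deployment would load a list of many thousands of entries.
COMMON_PASSWORDS = {"123456", "111111", "qwerty", "qwerty123", "password", "abc123"}

# Assumed substitutions that turn a common password into one of its typical
# "variations" (letter-for-number swaps and similar).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalize(candidate: str) -> str:
    """Canonical form used to catch trivial variants of a denylisted password:
    lowercase, drop trailing digits/punctuation ('1234', '!'), undo leet swaps."""
    base = TRAILING_JUNK.sub("", candidate.lower())
    base = base.translate(LEET)
    return base or candidate.lower()  # all-digit passwords keep their own form


def is_common(candidate: str, denylist: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """True if the candidate is a denylisted password or a trivial variant of one."""
    bases = {normalize(p) for p in denylist}
    return candidate.lower() in set(denylist) or normalize(candidate) in bases


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def leaked_count(password: str, range_lookup: Callable[[str], Iterable[str]]) -> int:
    """k-anonymity range query: only the first five hex characters of the SHA-1
    hash are sent; the lookup returns every suffix in that bucket as
    'SUFFIX:COUNT' lines and the match is finished locally, so neither the
    password nor its full hash leaves this process. Returns 0 if not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


# Constructed stand-in for a remote range endpoint so the example runs offline.
# The breach counts are made up; the digests are real SHA-1 values computed here.
_CONSTRUCTED_CORPUS = {
    sha1_hex("letmein"): 1_000_000,
    sha1_hex("password"): 3_000_000,
    sha1_hex("bethany1234"): 7,
}


def constructed_range_lookup(prefix: str) -> list:
    return [f"{h[5:]}:{n}" for h, n in _CONSTRUCTED_CORPUS.items() if h.startswith(prefix)]


def evaluate_new_password(candidate: str, range_lookup=constructed_range_lookup) -> tuple:
    """Decision a signup or password-change handler can act on: (accepted, reason).
    The cheap local denylist runs first; the range lookup only for survivors."""
    if is_common(candidate):
        return False, "too common: pick a less predictable password"
    hits = leaked_count(candidate, range_lookup)
    if hits:
        return False, f"found in {hits} known breaches: pick a different password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Qwerty123", "P@ssw0rd!", "bethany1234", "correct horse battery staple"]:
        print(pw, "->", evaluate_new_password(pw))
```

The range query is the reason the leaked-credential screen can be outsourced safely: the service sees a five-character hash prefix shared by thousands of unrelated passwords, never the password itself.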
Limit the number of log-in attempts allowed.
Many businesses combat credential stuffing by limiting the number of times someone can unsuccessfully attempt to log into an account. Once this limit is reached, the account is locked and the user must follow a specific set of steps to unlock it. This can be very effective at deterring attacks.
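One way to implement the limit just described, as an added example that is not Persona’s code: failures are counted per account over a sliding window, the account locks for a duration that doubles on each repeat lock, and unlocking requires a one-time token that a real deployment would deliver out of band (for example, by email). The thresholds, the window and the lock durations are assumptions to tune for your own traffic; the clock is injectable so the behaviour can be tested without waiting. Note that a per-account limit like this is exactly what password spraying is designed to stay under, so it belongs alongside the per-source signals discussed later in the post rather than on its own.

```python
import secrets
import time
from collections import defaultdict, deque

MAX_FAILURES = 5           # assumed: failures allowed inside the window before locking
WINDOW_SECONDS = 15 * 60   # assumed: sliding window over which failures are counted
BASE_LOCK_SECONDS = 5 * 60 # assumed: first lock duration; doubles on each further lock


class LoginThrottle:
    """Per-account failed-attempt limit with a sliding window, escalating lockout
    and a one-time unlock token (the 'specific set of steps' to unlock)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> epoch seconds the lock expires
        self.lock_count = defaultdict(int)   # account -> number of locks so far (escalation)
        self.unlock_tokens = {}              # account -> token delivered to the owner

    def _prune(self, account, now):
        window = self.failures[account]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def is_locked(self, account) -> bool:
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account) -> bool:
        """Record a failed attempt. Returns True if this attempt locked the account."""
        now = self.clock()
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) < MAX_FAILURES:
            return False
        self.lock_count[account] += 1
        duration = BASE_LOCK_SECONDS * 2 ** (self.lock_count[account] - 1)
        self.locked_until[account] = now + duration
        self.failures[account].clear()
        # Hypothetical out-of-band delivery of the token happens here.
        self.unlock_tokens[account] = secrets.token_urlsafe(32)
        return True

    def record_success(self, account):
        self.failures.pop(account, None)

    def unlock(self, account, token) -> bool:
        """Owner-driven unlock: constant-time token comparison, token is single use."""
        expected = self.unlock_tokens.get(account)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        self.locked_until.pop(account, None)
        self.unlock_tokens.pop(account, None)
        return True


def attempt_login(throttle: LoginThrottle, account: str, password_is_valid: bool) -> str:
    """Check the lock before the password so a locked account cannot be probed,
    and count a failure only when the password itself was wrong."""
    if throttle.is_locked(account):
        return "locked"
    if password_is_valid:
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account) else "failed"


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(MAX_FAILURES):
        print(attempt_login(t, "tim", False))
    print(attempt_login(t, "tim", True))  # correct password, but the account is locked
```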
Use a firewall to protect your business.
Web application firewalls (WAFs) are designed to detect the abnormal traffic patterns that botnets tend to produce. Because both password spraying and credential stuffing commonly rely on bots to carry out attacks, a WAF can be an effective means of stopping such attacks.
Implement liveness detection to limit bots.
In addition to implementing a firewall, there are other steps that you can take to filter out log-in attempts carried out by bots, such as implementing CAPTCHAs and honeypot fields as a part of your log-in process.
Consider collecting and evaluating passive and behavioral signals.
When a user provides a password as a part of the log-in process, that is known as an active signal because it is actively supplied by the user. While active signals are important, they’re not the only type of signal that you can collect and analyze. You might also consider collecting:
- Passive signals: These are signals provided by a user’s device in the background. Examples include an individual’s device fingerprint, IP address, location data, metadata, and more.
- Behavioral signals: These signals are based on how a user interacts with a log-in page or form. Examples include the speed at which a form is filled in, the use of developer tools, copy and paste, mouse clicks, keyboard strokes, and more.
Passive signals and behavioral signals can be leveraged to detect bots and other types of suspicious activity. For example, if you detect that login attempts are being completed using copy and paste functionality, it may be indicative of a bot attack. Likewise, a single IP address being used to attempt to log in to multiple different accounts is a common sign of password attacks.
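The signals described in this section (honeypot fields, form fill speed, copy and paste, and one IP address attempting many accounts) can be turned into detection logic. Below is an added example, not Persona’s code, run over a constructed sample of login-attempt log records in an assumed key=value format with documentation-range IPs. The per-event scoring weights, the thresholds and the field names are assumptions; paste is deliberately weighted low, because password managers also paste, so on its own it is only weakly indicative.

```python
from collections import defaultdict

# Constructed sample records in an assumed key=value format. 'fill_ms' is the
# client-reported time from form load to submit, 'honeypot' the value of a hidden
# field humans never see, 'paste' whether a paste event hit the password field.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z ip=203.0.113.7 user=tim result=fail fill_ms=110 honeypot= paste=1
2024-03-01T10:00:01Z ip=203.0.113.7 user=jenna result=fail fill_ms=105 honeypot= paste=1
2024-03-01T10:00:02Z ip=203.0.113.7 user=zoey result=fail fill_ms=112 honeypot= paste=1
2024-03-01T10:00:03Z ip=203.0.113.7 user=alex result=fail fill_ms=108 honeypot= paste=1
2024-03-01T10:00:04Z ip=203.0.113.7 user=maria result=success fill_ms=109 honeypot= paste=1
2024-03-01T10:00:05Z ip=203.0.113.7 user=chen result=fail fill_ms=111 honeypot= paste=1
2024-03-01T10:03:40Z ip=198.51.100.4 user=jenna result=fail fill_ms=5200 honeypot= paste=0
2024-03-01T10:03:55Z ip=198.51.100.4 user=jenna result=success fill_ms=4100 honeypot= paste=0
2024-03-01T10:05:12Z ip=192.0.2.9 user=zoey result=fail fill_ms=80 honeypot=http://x paste=0
"""

# Assumed tuning: what counts as an automated submission, and how many distinct
# accounts from one source (with what failure ratio) marks a password attack.
FAST_FILL_MS = 500
BOT_SCORE_THRESHOLD = 3
MIN_DISTINCT_ACCOUNTS = 5
MIN_FAILURE_RATIO = 0.8


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = {"ts": ts}
    for tok in fields:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def bot_score(rec: dict) -> int:
    """Behavioral signals for one attempt; higher means more bot-like."""
    score = 0
    if rec.get("honeypot"):                      # hidden field filled in: no human did that
        score += 3
    if int(rec.get("fill_ms", "0")) < FAST_FILL_MS:  # submitted faster than a person types
        score += 2
    if rec.get("paste") == "1":                  # weak signal: password managers paste too
        score += 1
    return score


def analyze(log_text: str) -> dict:
    """Flag bot-like events and sources that hit many accounts with mostly failures."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    bot_events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stats = per_ip[rec["ip"]]
        stats["attempts"] += 1
        stats["failures"] += rec["result"] != "success"
        stats["users"].add(rec["user"])
        score = bot_score(rec)
        if score >= BOT_SCORE_THRESHOLD:
            bot_events.append((rec["ts"], rec["ip"], rec["user"], score))
    suspicious = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= MIN_DISTINCT_ACCOUNTS and ratio >= MIN_FAILURE_RATIO:
            suspicious[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                              "failure_ratio": round(ratio, 2)}
    return {"suspicious_sources": suspicious, "bot_events": bot_events}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, s in report["suspicious_sources"].items():
        print("source", ip, "tried", s["distinct_users"], "accounts:", s)
    for ev in report["bot_events"]:
        print("bot-like attempt", ev)
```

The per-source aggregation is the defender’s view of the spraying pattern illustrated earlier: many different usernames from one place, nearly all failing, often with machine-uniform timing. A single successful login from such a source (maria above) is the one to treat as a probable account takeover rather than a false positive.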
Implement two-factor (2FA) or multi-factor authentication (MFA).
Two-factor authentication, also called multi-factor authentication, simply refers to authentication measures that require a user to provide a secondary form of authentication in addition to a password. Types of two-factor authentication include:
- Knowledge-based authentication (KBA): The user is asked to supply additional information in addition to their password, such as by answering a security question.
- Possession-based 2FA: The user must have access to a trusted device, such as a phone that receives a one-time code by text or from an app such as Google Authenticator.
- Biometric-based 2FA: The user provides a selfie to authenticate themselves.
Implementing two-factor authentication can be an extremely powerful means of preventing credential stuffing and password spraying attacks. According to a study conducted by Google, it can prevent 100% of automated password attacks carried out by bots.
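The possession-based option above, a one-time code from an authenticator app, is the TOTP scheme of RFC 6238 built on the HOTP scheme of RFC 4226. The following is an added example, not Persona’s code or any authenticator app’s own implementation, showing both the code generation the app performs and the server-side verification, including two details practitioners tend to want: a small window of adjacent time steps to absorb clock drift, and per-account replay protection so a code that was observed in transit cannot be reused within that window. The test vectors come from the RFCs; the account name, issuer and clock values are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, reduced modulo 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step.
    This is what the authenticator app computes and displays."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server side: accept the current step plus or minus `window` steps for clock
    drift, and remember the highest counter accepted per account so the same code
    (or an older one) is refused if presented again."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step, self.window = step, window
        self.last_counter = {}  # account -> highest counter already accepted

    def verify(self, account: str, secret: bytes, code: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        current = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter.get(account, -1):
                continue  # this step was already consumed: treat as replay
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[account] = counter
                return True
        return False


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user secret generated at enrolment (160 bits, as RFC 4226 recommends)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from a QR code at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    s = new_secret()
    print(provisioning_uri(s, "bethany@example.com", "ExampleIssuer"))  # assumed names
    v = TotpVerifier()
    code = totp(s)
    print("first use:", v.verify("bethany@example.com", s, code))   # True
    print("replayed:", v.verify("bethany@example.com", s, code))    # False
```

The replay check matters because a one-time code is only “one-time” if the server enforces it: within the drift window a captured code would otherwise verify again.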
Protecting your business and your users
Most experts agree that it can be dangerous to rely upon a single security measure to protect and secure your business. The general advice is to incorporate multiple, complementary measures and techniques into your security toolkit.
One way you can do this is by pairing two-factor authentication with a robust identity verification platform that offers you the insight you need to understand who your users are. Such insights can help you to identify suspicious behavior, such as fraudulent log-in attempts.
Here at Persona, our Verifications solution was designed to be highly customizable so you can build the verification process that makes sense to your business. Collect and evaluate passive and behavioral signals that may indicate fraud, such as a user's device fingerprint, location data, and more to gain a truly holistic view of your customers.
Meanwhile, our Graph solution empowers you to easily find, visualize, and act on groups of accounts connected by common properties, such as IP addresses or device fingerprints. This can help you identify and proactively fight potential fraud rings within your database.
Interested in learning more? Start for free or get a demo today.