Credential stuffing and password spraying both abuse passwords, but they run in opposite directions. One replays known username and password pairs across many sites, betting on reuse. The other tries a handful of common passwords against thousands of accounts, betting that someone picked a weak one. Different inputs, different signatures, same underlying flaw. Both are attacks on password-based authentication, and both lose most of their power against identity-based, least-privilege access. This post explains how each works, where they differ, and the one defensive shift that blunts both.
| Attribute | Credential stuffing | Password spraying |
|---|---|---|
| Attacker input | Stolen username and password pairs from past breaches | A short list of common passwords plus harvested usernames |
| Method | Replay known-valid pairs across other services | Test one common password against many accounts |
| Primary target | Web apps, SaaS portals, APIs, SSO logins | Directory services, VPN gateways, RDP, email portals |
| Evasion | Rotating residential proxies to dodge IP rate limits | Slow timing and one attempt per account to dodge lockout |
| Account lockout risk | Low to moderate | Very low by design |
| Typical signature | Bursts of failed logins from many IPs | Sparse failures spread thinly across many accounts |
| Primary defence | Identity-based access, MFA, bot management | Identity-based access, MFA, lockout and legacy-auth controls |
What is the difference between credential stuffing and password spraying?
Credential stuffing replays full username and password pairs stolen from earlier breaches, exploiting password reuse across sites. Password spraying tries a few common passwords against many usernames, exploiting weak passwords while staying under lockout limits. Stuffing starts with known-valid credentials. Spraying guesses.
What credential stuffing is
Credential stuffing is an automated attack that replays username and password pairs leaked in previous breaches against other login interfaces. It is catalogued by OWASP as automated threat OAT-008. The attacker does not guess. They start with credentials that already worked somewhere, then bet the same person reused them elsewhere.
That bet pays off because password reuse is common. The Verizon Data Breach Investigations Report has repeatedly found that stolen credentials are the single most common way into a breach, involved in 22 percent of cases analysed, and present in 88 percent of basic web application attacks. Reuse estimates vary by dataset, but a large share of personal passwords are recycled across services, which is the entire premise the attack depends on. A leak at a low-value consumer site becomes a working key to a corporate account.
The mechanics are industrial. Attackers buy aggregated credential dumps, often called combo lists, and load them into automation tooling that tests pairs in parallel against login endpoints, SSO portals, and APIs. To get past defences that track failed attempts per IP address, campaigns route traffic through large residential proxy networks. Each pair is tried from a different household IP, so per-IP rate limits never trip. These proxy networks are built from consumer devices compromised at scale through malicious mobile SDKs and tampered hardware, which is why network-layer blocklists alone catch so little of the traffic.
What password spraying is
Password spraying inverts the logic. Instead of many passwords against one account, the attacker tries one common password against many accounts, then waits before trying the next. The goal is to find the one user in a directory who chose something predictable like a season and year, while keeping failed attempts low enough that no account locks out.
The targets are usually directory services and single points of entry that sit in front of thousands of identities. Active Directory, Entra ID, Okta, VPN concentrators, RDP gateways, and webmail portals all expose one login surface protecting many accounts. A campaign starts with username harvesting, scraping public directories and professional networks or enumerating addresses, then sprays a common password across the lot in a single low-volume sweep.
Timing is the craft. By testing only one password per account and inserting long delays, often half an hour or more, between rounds, the attacker keeps each account’s failure counter well under the lockout threshold. Microsoft’s identity telemetry has indicated that a large majority of usernames targeted in spraying campaigns also appear in historical credential leaks, so even this guessing attack feeds on past exposure. A close relative, the reverse brute force, fixes the password instead, often a default onboarding credential, and tests it across a list of harvested usernames. The variable changes, the principle does not.
The payoff is scale. Spraying needs no prior knowledge of any active password, only the statistical certainty that within 50 to 400 users, at least one account carries a weak password that still passes basic complexity rules. If that account is dormant, a service account, or privileged, the attacker gains a quiet foothold for reconnaissance and lateral movement.
The shared weak point
Strip away the mechanics and both attacks bet on the same thing: a password doing too much work. Credential stuffing wins when a password is reused. Password spraying wins when a password is weak. In both cases, the credential alone is treated as proof of identity, and that assumption is the flaw. Anything built so that a correct password equals access is exposed to both.
This is why the defensive answer is not a better password rule bolted onto the same model. It is a different model. Under identity-based, least-privilege access, a valid credential is the start of an access decision, not the end of one. The login is checked against device posture, the user is scoped to the one application they need rather than a network segment, and the session is re-evaluated as context changes. A cracked or reused password reaches very little, because the network it would have opened is no longer there to open.
Jimber’s ZTNA engine works on exactly this principle. It decouples access from authentication, so a correct password from password spraying or credential stuffing still has to clear device posture checks before any connection is granted. Unmanaged or non-compliant devices are locked out regardless of credential validity. The five rules behind this approach are set out in our guide to the Zero Trust principles every mid-market IT team should enforce. Least privilege does the rest: even a successful login lands on a single permitted application, not a flat network to roam.
How each one evades defences
The two attacks dodge detection in opposite ways, which is why a control tuned for one can miss the other. Credential stuffing is loud but distributed. It generates high volumes of failed logins, but spreads them across thousands of rotating residential IPs so no single source looks abnormal. The tell is the pattern: high failure rates paired with odd user-agent strings and impossible login geography, not the volume from any one address.
Password spraying is the opposite. It is quiet by design. Each account sees one or two failed attempts at most, which never trips a per-account lockout and barely registers on a dashboard built to flag repeated failures. The signal only appears horizontally, as the same password attempted against hundreds of accounts in the same window. Spotting it means correlating across accounts, not watching any single one. Detection that only counts failures per user will miss a well-paced spray entirely.
Neither evasion tactic survives a model that stops trusting the network. If access depends on a known device and an identity scoped to one application, a login from unfamiliar infrastructure fails the device check before the failed-attempt maths even matters.
Defences, and the honest MFA caveat
The single most effective control against both attacks is multi-factor authentication. A correct password, whether reused or guessed, is not enough when a second factor is required. Phishing-resistant MFA based on FIDO2 keys or passkeys is stronger still, because it binds the credential to the real domain. Pair it with the basics: block legacy authentication protocols like IMAP and POP3 that cannot enforce MFA and remain a favourite spraying target, enforce length over forced rotation in line with current NIST guidance, and screen credentials against known-breach databases.
But MFA is not the end of the story. Attackers have moved on to the authentication process itself. MFA fatigue floods a user with approval prompts until one is tapped by mistake. Adversary-in-the-middle phishing sits between the user and the real login, relays the session, and steals the cookie issued after MFA succeeds. Infostealer malware lifts that same session cookie straight from the browser. In each case the password and the MFA prompt are satisfied, and the attacker still gets in. Our breakdown of how AiTM phishing bypasses MFA covers the proxy technique in detail.
This is the case for layering rather than relying on any single gate. Device posture stops a stolen credential or cookie being replayed from unmanaged infrastructure. Browser isolation keeps session tokens out of reach of phishing proxies and infostealers in the first place. Least privilege caps what any single compromised account can touch. Credential stuffing and password spraying are the opening moves, and the same shift that contains them, identity-based access on verified devices, also limits the more advanced attacks that pick up where a cracked password leaves off. It is the same architecture that keeps a single working login from becoming the on-ramp to a full ransomware attack.
Frequently asked questions
Is password spraying a type of brute force attack?
It is a variant of brute forcing, but a deliberately restrained one. Classic brute force throws many passwords at one account and triggers lockouts fast. Password spraying flips that, testing one common password across many accounts to stay under lockout thresholds. The goal is stealth, not speed.
Does MFA stop credential stuffing and password spraying?
Yes, MFA stops the large majority of both, because a correct password alone is no longer enough. It is the highest-impact single control. The caveat is that attackers now target the authentication flow itself through MFA fatigue, adversary-in-the-middle phishing, and stolen session cookies, so MFA works best as one layer alongside device posture and least-privilege access.
What is the difference between credential stuffing and a data breach?
A data breach is the original theft that exposes credentials. Credential stuffing is what attackers do with those credentials afterwards, replaying them against other services. The breach supplies the ammunition; the stuffing attack fires it at new targets, betting on reuse.
How do I know if my organisation is being sprayed?
Look horizontally rather than per account. A spray shows up as the same password or a small set of passwords attempted against many usernames in one window, often from a handful of sources, with very few failures per individual account. Login analytics that correlate across accounts catch it; per-user lockout counters do not.
Can these attacks succeed against accounts that already use strong passwords?
A strong, unique password defeats password spraying for that account and removes it from credential stuffing if it was never reused. The risk is that one weak or reused account is enough for the attacker, and you rarely know which one it is. Identity-based access limits the damage when, not if, one slips through.
Both attacks are bets on weak or reused passwords, and the way to lose the bet for them is to stop letting a password decide access on its own. Ready to see how least-privilege, identity-based access holds up against a cracked credential? Book a Jimber demo and walk through it with the team.