Skip to content

Distinguish credential stuffing from password spraying, including how each appears in logs.

Short answer

Credential stuffing replays known username:password pairs from third-party breaches, betting on password reuse — high success rate per attempt, often distributed across many IPs and devices to look human. Password spraying tries one or two common passwords (like Winter2026!) across many accounts to stay under lockout thresholds. Stuffing exploits reuse; spraying exploits weak shared passwords. MFA defeats both.

Both attacks aim at account takeover through authentication, but they exploit different weaknesses and leave different fingerprints. Interviewers ask this to see whether you reason about attacker economics and detection signals, not just "lots of failed logins."

Credential stuffing

The attacker starts with valid username:password pairs harvested from someone else's breach (the combolists circulating from past dumps). They replay them against your service, betting that users reuse passwords. Because the pairs are real elsewhere, the success rate per attempt is far higher than guessing. Sophisticated campaigns run through botnets, residential proxies, and rotated user agents, so each login looks like a normal, individually valid attempt — which is exactly what makes it hard to catch.

Password spraying

Here the attacker has usernames but not the passwords, so they guess. To avoid tripping account lockout, they try just one or two very common passwords (Winter2026!, Password1) against a large list of accounts, then wait before the next round. Each account sees only a failure or two, so naive "N failures = alert" rules miss it. The signal is breadth: many distinct accounts failing the same password from the same source over time.

Detection and defense

For spraying, count distinct accounts targeted per source in a window. For stuffing, look for impossible velocity, sudden spikes in login volume, atypical device/geo for an account, and elevated success rates from new infrastructure; breached-password and bot-detection services help. The single most effective control for both is MFA, backed by blocking known-breached passwords and rate limiting.

Why this matters

A strong answer pins the root cause of each — reuse vs weak shared passwords — names the differing log shapes, and lands on MFA plus credential-hygiene controls. That shows you defend at the cause, not just the symptom.

Likely follow-ups

  • Why does distributing credential stuffing across many IPs make it hard to detect?
  • What single control most reduces the impact of both attacks?
  • How would you spot credential stuffing if each login looks individually valid?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.