Protect against password spraying


Auth & identity

July 18, 2022

Author: Stytch Team

Despite its many benefits, digital transformation introduces numerous security challenges. Sensitive data stored in the cloud is especially susceptible to attacks. Cybercriminals use several approaches to gain unauthorized access to such data. Password spraying is one of the most effective, threatening approaches. While sometimes confused with credential stuffing, password spraying represents a different attack vector targeted at passwords’ weaknesses.

In this blog post, we’ll explain password spraying, how it’s different from credential stuffing, and how you can protect against this kind of attack.

Password spraying explained

A brute force attack is a cyberattack where a hacker tries to access a secure account through trial and error, repeatedly entering random credentials like passwords until one works. Password spraying is a type of brute force attack. However, instead of trying a large number of passwords against a targeted account, this attack uses the same password against many accounts simultaneously.

Most authentication systems are programmed to prevent brute force attacks by locking out the account after entering the wrong password three times. Password spraying tries to bypass this defense technique by only using common passwords and spraying them across a wide range of different user accounts. 

For educational purposes, Nordpass publishes an annual list of the 200 most commonly used passwords. Unfortunately, attackers can also use this list in their password spraying attempts.

Password spraying vs. credential stuffing

While password spraying is often used interchangeably with credential stuffing, there’s a key difference. In a credential stuffing attack, attackers use known compromised usernames and passwords (often exposed in large data leaks), to gain access to user accounts by testing these known credentials on different services to see if passwords have been re-used. This enables attackers to access multiple accounts belonging to the same user. 

Password spraying, on the other hand, does not assume to know a particular users’ compromised credentials. Instead, it targets the fact that humans are predictable, commonly using passwords like “Password123” or “P@assword1” or “Qwerty123.” To take advantage of this predictability, password spraying involves a brute force attack where the attacker tests a predictable password against a large number of presumed or known usernames for a site. Many websites have strict individual account rate limits (e.g. you can only submit the incorrect password 5 times before locking the account) but may not protect against the loophole exploited by password spraying attempts (human predictability), which can make it effective. 

While we can prevent traditional brute force attacks by configuring authentication systems to limit the number of password attempts, the best method for preventing password spraying is to move to more modern password solutions or passwordless solutions. This is where Stytch excels.

Protect against password spraying with Stytch

Password spraying relies on guessing the target user’s password. An authentication mechanism that doesn’t use traditional passwords can prevent these attacks altogether but so can an elegant password-based authentication design. In Stytch’s Passwords product, we use the zxcvbn strength estimator, which helps users to create higher entropy passwords that are better protected against password spraying attacks.

Get started with Stytch

As data breaches become more common, the threat of password spraying persists. Fortunately, Stytch’s Passwords product and passwordless solutions remove these threats to keep your users and application secure. Learn more about our flexible, modular authentication solutions and get started with Stytch today.


Get started with Stytch