ShieldLabs
Back to blog

Brute force vs credential stuffing vs password spraying: how they differ, and how to detect each

Brute force vs credential stuffing vs password spraying: three password attacks that all look like failed logins, separated by what the attacker already knows

Last updated on July 12, 2026 · 10 min read

To your login endpoint, brute force, credential stuffing, and password spraying all look the same: a wave of failed sign-ins. What separates them is what the attacker already knows before the first attempt, and that single difference decides which defense actually works. Credential stuffing is the one to worry about most, because the passwords are real: in 2024, Akamai counted credential-stuffing attempts in the tens of billions in a single month, and even a fraction-of-a-percent success rate on that volume is a lot of taken-over accounts. The reason those pairs are worth replaying is that they keep working: the 2025 Verizon Data Breach Investigations Report found stolen credentials behind 88 percent of breaches that involved basic web application attacks. This guide draws the line between the three, and explains how detection differs for each.

Key takeaways

  • The three attacks differ by what the attacker knows: brute force guesses passwords blindly, credential stuffing replays real username-and-password pairs leaked elsewhere, and password spraying tries a few common passwords across many accounts.
  • Credential stuffing is the dangerous one, because the credentials are valid. It is best understood as a targeted subset of brute force that trades blind guessing for known, breached logins.
  • They also dodge defenses differently. Brute force and spraying are paced to avoid lockouts and rate limits; credential stuffing distributes valid-looking logins across many IPs to look like ordinary traffic.
  • Detection differs accordingly: rate limits and lockouts blunt brute force and spraying, but credential stuffing slips past them, so the device and network behind the attempts become the more reliable read.
  • This is the engine behind most account takeover. The defense is layered: your auth stack handles lockouts and MFA, and a device-and-network signal tells which logins are one actor in disguise.

The three attacks at a glance

All three are automated attacks on a login, but they start from different knowledge and behave differently once they hit your endpoint. The quick comparison:

Brute forceCredential stuffingPassword spraying
What the attacker hasnothing but a target accountreal username-and-password pairs from a breacha list of accounts and a few common passwords
What they trymany password guesses against one accounteach leaked pair once, against the matching accountone common password across many accounts, then the next
How they dodge defensesbrute volume, until lockout stops themvalid-looking logins spread across many IPslow-and-slow, a few tries per account to avoid lockout
Typical success ratevery lowlow but worthwhile at scale, because the pairs are reallow, but spread wide enough to land some
The giveawaya burst of failures against one accountmany accounts touched once each from rotating IPsthe same password tried across unrelated accounts

The throughline: brute force is loud and aimed at one account, credential stuffing is quiet and spread across many, and password spraying sits between them, wide but shallow to stay under the lockout threshold.

What is brute force?

A brute-force attack tries to guess a password by sheer repetition, working through candidate passwords against an account until one succeeds or the account locks. A pure version tries every combination; a dictionary attack narrows it to likely words and common passwords. The defining trait is that the attacker starts with no knowledge of the real password, so the attack is loud: many attempts against a single account in a short window. That noise is also its weakness, because a rate limit or an account lockout after a handful of failures stops it cheaply.

What is credential stuffing?

Credential stuffing skips the guessing. The attacker takes username-and-password pairs leaked in one service's breach and replays them against other services, betting on the fact that people reuse passwords. It is best understood as a targeted subset of brute force: instead of guessing blindly, it submits credentials that are already real, just borrowed from somewhere else. The OWASP definition frames it the same way, as the automated injection of breached pairs to gain access.

Two things make it the most dangerous of the three. First, the passwords work, so the success rate, while low per attempt, pays off at scale. Second, each pair is tried only once or twice against any given account, and the attempts are spread across thousands of IP addresses, so the activity looks like a trickle of ordinary failed logins rather than an attack on one account. That is exactly why a per-account lockout, the cheap defense against brute force, barely touches it.

What is password spraying?

Password spraying inverts brute force. Instead of many passwords against one account, it tries one common password, like a season-and-year or a default, against many accounts, then waits and tries the next password. By keeping the attempts per account low, it stays under the lockout threshold that would stop a brute-force run. It is the patient attack: wide, shallow, and slow, designed to find the handful of accounts using a weak password without ever tripping a single account's defenses. The related search "credential stuffing vs spraying" exists because the two are easy to confuse, but the difference is clean: spraying guesses common passwords, while stuffing replays known leaked ones.

How they differ, and why it matters for defense

The practical difference is in what stops each one. Brute force and password spraying both rely on guessing, so controls that limit guesses, rate limits, account lockouts, and strong password requirements, take most of their power away. Credential stuffing does not guess, so those controls miss it: the credentials are valid and the volume per account is low, which is why it sails past a lockout that would have killed a brute-force run.

That is the reason the three need different reads. For brute force and spraying, the pattern is in the attempts themselves: too many against one account, or one password across many accounts. For credential stuffing, the attempts look individually normal, so the signal moves to who is behind them, the device and the connection driving a run that is spread across accounts and IPs to look ordinary.

How to detect each

Detection follows the attack. The reads that work:

  • Brute force. Watch for a burst of failed logins against a single account in a short window, and apply a rate limit or a temporary lockout. The volume against one target is the tell.
  • Password spraying. Look across accounts, not within one: the same password failing against many unrelated accounts, or a low, steady rate of failures spread wide, is the pattern a per-account view misses.
  • Credential stuffing. Because the logins look valid and are distributed, the reliable read is the device and connection behind them. A stuffing run rotates IPs, but the machine driving the attempts is more stable, so a device seen touching many accounts, often behind a VPN or proxy, ties the distributed attempts back to one actor.

The common thread for the automated, distributed attacks is that the IP is disposable and the device is not. When attempts come from a botnet or a proxy pool, the source address changes constantly, so reading the device underneath is what links a thousand "separate" logins into one campaign. The goal of this read on the device and network of each attempt is to recognize the same actor across logins, so your own controls can act on it.

We ran that read against distributed login traffic, and the split held: the source address changed on nearly every attempt while the device driving them stayed recognizable, which is what let a run scattered across thousands of addresses trace back to a handful of machines. The address churns because it is cheap and disposable; the device is not. That asymmetry only widened in 2022, when Chrome began reducing the user-agent string and moving device detail into structured client hints, leaving the easily forged surface of a request thinner than the layers underneath it.

Is credential stuffing illegal?

Yes. Using someone else's credentials to access an account without authorization is illegal in most jurisdictions, including under computer-misuse laws like the Computer Fraud and Abuse Act in the United States, and trafficking in stolen credentials is its own offense. The legality is not really the open question for a defender, though. Stolen pairs are bought and replayed regardless of the law, so the practical job is detection and response, not deterrence through legal risk.

Preventing credential stuffing with ShieldLabs

ShieldLabs supplies the device-and-network read that the distributed attacks rely on hiding. You add one JavaScript snippet to your login, and each attempt returns a risk score from 0 to 100 with the named signals behind it: whether the device has been seen attempting other accounts, whether the connection carries anonymity signals like a VPN, proxy, or Tor exit, and whether the session fits the spread-across-accounts shape that its pre-built patterns surface in the dashboard. A stuffing or spraying run that looks like a trickle of normal failures resolves into one actor working a list.

What ShieldLabs adds is the read those controls lack: it scores the session, device, and network on a 0 to 100 risk score and names the anonymity signals that fired, so the distributed, valid-looking logins that trace back to one device become visible. The lockouts and rate limits that blunt brute force, and the MFA that backs up a risky login, stay in your authentication stack where they belong, and your own code owns the action. You read the risk score and named anonymity signals through the API and webhooks and decide, by your own rules, whether to step up, hold, or allow. This is the same signal layer behind account takeover detection and account takeover prevention, since credential stuffing is the engine behind most takeovers.

Sources

  1. OWASP: Credential Stuffing
  2. Akamai: The State of Apps and API Security, 2024
  3. Verizon: 2025 Data Breach Investigations Report (2025)
  4. Wikipedia: Credential stuffing
  5. Wikipedia: Brute-force attack

Frequently asked questions

What is the difference between brute force and credential stuffing?
Brute force guesses passwords, working through many candidates against one account until something succeeds or the account locks. Credential stuffing does not guess: it replays real username-and-password pairs leaked in a breach, betting that people reuse passwords across sites. Brute force is loud and aimed at one account, so a lockout stops it; credential stuffing is quiet, spread across many accounts from rotating IPs, so a lockout barely touches it.
What is password spraying?
Password spraying tries one common password, like a season and year or a default, against many accounts, then moves to the next password. By keeping the attempts per account low, it stays under the lockout threshold that would stop a brute-force attack. It is the wide-and-shallow opposite of brute force, which is narrow and deep against a single account.
Is credential stuffing illegal?
Yes. Accessing an account with credentials you are not authorized to use is illegal in most places, including under computer-misuse laws such as the Computer Fraud and Abuse Act in the United States, and dealing in stolen credentials is a separate offense. For a defender, though, the legality is beside the point: stolen pairs get replayed regardless, so the practical work is detecting and responding to the attempts.
How do you detect credential stuffing?
Because the logins use valid credentials and are spread across many accounts and IPs, per-account rules like lockouts miss them. The reliable read is the device and connection behind the attempts: a stuffing run rotates IPs, but the device driving it is more stable, so a device seen touching many accounts, often behind a VPN or proxy, ties the distributed attempts back to one actor. It is weighed into a risk score rather than acted on as a single fact.
Does ShieldLabs stop credential stuffing?
No, not on its own. ShieldLabs is the detection layer: it scores the device and network behind each login and names the evidence, then hands the result to you. The rate limits, lockouts, and MFA that act on the attempt stay in your authentication stack, and your own rules decide what a risky login earns. It complements those controls by telling you which distributed logins are one actor, and the free tier covers your first 5,000 identifications.

Related articles