Brute Force vs Credential Stuffingvs Password Spraying
If you read three security blogs you will see these three terms used as if they mean the same thing. They do not. Each attack guesses passwords in a different pattern, and that pattern decides which defence actually stops it. Pick the wrong defence and you can feel protected while the attack walks straight past you. This guide compares all three in plain language, shows the exact difference with a table, and points you to the control that matters for each one.
What Is the Difference Between Brute Force, Credential Stuffing, and Password Spraying?
The short version: brute force guesses, credential stuffing reuses, and password spraying spreads. Everything else follows from that one idea.
| Attack | What It Tries | How It Spreads | Main Defence |
|---|---|---|---|
| Brute Force | Many password guesses against one account | High volume, one target at a time | Account lockout and per-account rate limiting |
| Credential Stuffing | Real leaked username and password pairs | One attempt per stolen pair, across many accounts | Breached-password blocking, MFA, bot detection |
| Password Spraying | A few common passwords against many accounts | One password across many usernames, low and slow | Global and per-IP rate limiting, MFA |
Notice that account lockout only appears in the first row. That is the single most important point in this whole guide. Lockout counts failures per account, so it stops the attack that hammers one account. Stuffing and spraying both make very few attempts per account on purpose, so lockout never triggers. This is why so many teams that added lockout still suffer account takeover.
How Does a Brute Force Attack Work?
A brute force attack picks one account and tries password after password until it finds the right one or runs out of guesses. Modern brute force is rarely truly random. Attackers use wordlists of common passwords and rules that add numbers and symbols, so the guessing is smart rather than exhaustive. Because all the failures land on a single account, this is the easiest attack to detect and block: a per-account lockout after a handful of failures stops it cold. Read the full defence guide in brute force attack prevention.
# Brute force: one account, many guesses
alice : password1
alice : password123
alice : Summer2026! -> account locks after N tries
How Does Credential Stuffing Work?
Credential stuffing does not guess at all. The attacker starts with billions of real username and password pairs leaked from past breaches of other websites, then replays them against your login page. It works because people reuse passwords: an email and password that leaked from an old forum is very likely to unlock the same person's account on your site. Each pair is usually tried once, so there is no burst of failures on any single account for lockout to catch. The defences are blocking passwords that appear in breach corpora, adding MFA, and detecting the automation. See credential stuffing prevention for the full playbook.
How Does Password Spraying Work?
Password spraying flips brute force around. Instead of many passwords against one account, the attacker takes one common password, such as Winter2026!, and tries it against thousands of usernames, then waits and tries the next password. In any large user base a small fraction of people will have chosen that exact password, so a single spray yields a handful of working logins. Each account only ever sees one or two failures, so lockout stays silent. The defences are global rate limiting across all accounts, breached-password blocking, and MFA. Full detail in password spraying prevention.
Which Defence Stops Which Attack?
This table maps each control to the attacks it actually blocks. A checkmark means the control is effective on its own against that attack. A partial mark means it helps but is not enough alone.
| Defence | Brute Force | Credential Stuffing | Password Spraying |
|---|---|---|---|
| Per-account lockout | Yes | No | No |
| Global and per-IP rate limiting | Yes | Partial | Yes |
| Breached-password blocking | Partial | Yes | Yes |
| Multi-factor authentication | Yes | Yes | Yes |
The pattern is clear: multi-factor authentication is the only control that stops all three, because a stolen or guessed password alone never completes the login. That is why MFA is the highest-value control you can add to any login page. Rate limiting and breached-password blocking then reduce the noise and stop the automation before it reaches the second factor.
How Do You Defend Against All Three at Once?
- 1Enforce multi-factor authentication for all users. It is the one control that stops brute force, stuffing, and spraying together.
- 2Add global and per-IP rate limiting on top of per-account lockout, so attacks that spread across accounts still hit a ceiling.
- 3Block breached and common passwords at signup and password change using the HaveIBeenPwned Pwned Passwords API.
- 4Log every authentication failure with the username, source IP, and timestamp so you can spot spraying across many accounts.
- 5Alert when many distinct usernames fail from one IP or subnet, which is the signature of spraying and stuffing.
- 6Store passwords with a slow, salted hash such as bcrypt or Argon2 so a breach of your own database cannot be reversed.
- 7Offer passwordless login where you can, which removes guessable passwords from the attack surface entirely.
What Does OWASP Say About These Attacks?
OWASP groups all three under automated threats to authentication and covers them in the Authentication and Credential Stuffing Prevention Cheat Sheets and the ASVS 5.0 authentication controls. The recurring advice is the same across all three: block breached and common passwords, rate limit authentication endpoints, log every failure, and offer multi-factor authentication. OWASP explicitly warns that per-account lockout is not enough on its own, because credential stuffing and password spraying are designed to distribute attempts and stay beneath it.