
Credential Stuffing vs. Brute Force: What's The Difference?


By: Joe Pettit

October 29, 2021

Password compromise remains a primary method by which malicious actors gain access to applications, systems, and networks. Cybercriminals deploy a range of techniques to crack passwords, some technical and others requiring no technical skill at all. This article defines and compares two of the most widely used password attack techniques: credential stuffing and brute-force attacks.

Password Compromise: A Perennial Security Problem

A surprising number of high-profile cyberattacks start with compromising username-password credentials. Once threat actors gain access to one service, application, or system on your network using compromised credentials, they can typically achieve their goal, which often means stealing sensitive data or locking down key systems with ransomware.

Statistics show that compromised passwords are the cause of 61 percent of data breaches. These breaches stem from attackers actively deploying various methods to guess or crack user passwords. The most valuable password to compromise belongs to a user with privileged application, system, or network access, because such accounts provide access to a greater number of resources and to administrative capabilities.

Cryptographic algorithms protect passwords by encrypting them. Attempts to compromise cryptographic algorithms and ciphers stretch back to at least 800 AD when an Arab mathematician named Al-Kindi published a book on deciphering cryptographic messages.

The method for stealing a password doesn't have to be as complex as breaking the encryption method used for storing passwords, though. Many users create easily guessable passwords. The four most common passwords in 2021 were:

  1. 123456
  2. 123456789
  3. qwerty
  4. password

Poor password hygiene provides threat actors with many methods for guessing, cracking, or stealing those passwords.

What is Credential Stuffing?

Credential stuffing is a password hacking technique in which threat actors attempt to breach a system using lists of compromised credentials. According to Salt Security's definition of credential stuffing, this attack technique "exploits the tendency of users to reuse their credentials across multiple services and applications."

It's straightforward for pretty much anyone to find lists of compromised passwords online. Dark web forums contain many such lists from previous data breaches and system exploits. Threat actors can target a particular system or application with many login attempts using these lists of compromised user credentials.

To make the process more efficient, attackers automate credential stuffing using bots. These bots spread login attempts across many IP addresses so that no single address draws suspicion or gets blocked for repeatedly logging in. Credential-stuffing attacks are particularly easy to disguise on systems or applications with large traffic volumes, because login anomalies are harder to spot in that much legitimate activity.

Credential stuffing is a growing problem due to the sheer volume of stolen credentials available online. One published list of stolen credentials, Collection #1, included more than 2.7 billion email-password pairs. Threat actors can easily reuse these published credentials in a credential-stuffing attack against a target system. Credential stuffing attacks have a low success rate per attempt; that doesn't deter attackers, because a single successful login is all it takes to compromise a system.

What is a Brute-Force Password Attack?

A brute-force password attack is a trial-and-error method of guessing user login credentials using random strings, commonly used passwords, and dictionaries of common password phrases. The attacker tests every possible combination of characters until one matches the real password. Because the number of possible combinations grows exponentially with password length, so does the time needed to find the correct one.

Hackers get help in these endeavors from the many available free and paid tools that automate the process of conducting a brute-force attack.

Differences Between Credential-Stuffing and Brute-Force Attacks

  • Credential-stuffing attacks use lists of previously compromised passwords as a clue or context for guessing the correct password, while brute-force hacks attempt to guess the password using trial and error without any prior context.

  • Password length determines how long a brute-force attack takes, but it has no effect on the time needed to conduct a credential-stuffing attack, which only depends on how many leaked credential pairs are tried.

  • Credential-stuffing attacks exploit the tendency to reuse passwords and usernames across different accounts, while brute-force attacks exploit easily guessable passwords that use common phrases or have just a few characters.
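To make the length argument in these bullets concrete, here is a small cost model. It is an added example written for this article, not code from the original post. It assumes an offline guess rate (an attacker who already holds password hashes and tests candidates on their own hardware), an online rate capped by the lockout policy recommended later in the article, and a credential list the size of Collection #1 as quoted above; the rates and character-set sizes are illustrative assumptions.

```python
"""Cost model for brute force versus credential stuffing (added example).

All rates and sizes below are illustrative assumptions, not measurements.
"""

# Assumed sizes of the character sets a candidate password is drawn from.
CHARSETS = {
    "digits": 10,            # 0-9
    "lowercase": 26,         # a-z
    "alphanumeric": 62,      # a-z, A-Z, 0-9
    "printable_ascii": 95,   # everything on a US keyboard
}

COLLECTION_1_PAIRS = 2_700_000_000   # size the article quotes for Collection #1


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct candidate strings of exactly `length` characters."""
    return charset_size ** length


def brute_force_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust every candidate of the given length."""
    return keyspace(charset_size, length) / guesses_per_second


def stuffing_seconds(list_size: int, guesses_per_second: float) -> float:
    """Credential stuffing submits each leaked pair once, so its cost depends only on
    the list size and the submission rate, never on how long the passwords are."""
    return list_size / guesses_per_second


def growth_factor(charset_size: int, length: int, guesses_per_second: float) -> float:
    """How much longer exhausting length+1 takes than exhausting length.
    This is always charset_size: one extra character multiplies the work."""
    return (brute_force_seconds(charset_size, length + 1, guesses_per_second)
            / brute_force_seconds(charset_size, length, guesses_per_second))


def online_rate_under_lockout(attempts_allowed: int, window_seconds: float) -> float:
    """Guess rate an attacker can sustain against ONE account when the account locks
    after `attempts_allowed` failures per `window_seconds` (the lockout policy the
    article recommends). Assumed policy values are passed in by the caller."""
    return attempts_allowed / window_seconds


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, e.g. '2.3 years'."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def brute_force_table(charset_size: int, lengths, guesses_per_second: float) -> dict:
    """Map each password length to its worst-case exhaustion time in seconds."""
    return {n: brute_force_seconds(charset_size, n, guesses_per_second) for n in lengths}


if __name__ == "__main__":
    OFFLINE_RATE = 1e9                                    # assumed hashes/second
    ONLINE_RATE = online_rate_under_lockout(5, 15 * 60)   # assumed 5 tries per 15 minutes
    for n, secs in brute_force_table(CHARSETS["printable_ascii"], range(6, 13), OFFLINE_RATE).items():
        print(f"{n:2d} chars, offline: {human_duration(secs)}")
    print("6 chars, online under lockout:",
          human_duration(brute_force_seconds(CHARSETS["printable_ascii"], 6, ONLINE_RATE)))
    print("Collection #1 at 1000 logins/s:", human_duration(stuffing_seconds(COLLECTION_1_PAIRS, 1e3)))
```

Running the script prints one row per length; each extra character multiplies the brute-force time by the alphabet size, while the credential-stuffing row stays the same whatever the password length, which is exactly the contrast the bullets above draw.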

Tips to Prevent Password Attacks

Remind users to always use longer, more complex passwords that mix symbols, letters, and upper- and lower-case characters. Such passwords take far longer to crack with brute-force methods than the simple passwords people commonly use.

Require multi-factor authentication (MFA) to verify users before granting access to systems and applications. Credential-stuffing or brute-force hacks are far less likely to succeed if MFA is in place.

Put an identity and access management policy in place that locks users out of their accounts after a certain number of failed login attempts.

Inform employees and users regularly about what good password hygiene looks like and highlight the dangers of reusing passwords across multiple systems.

Avoid using email addresses as usernames/user IDs because hackers can easily guess them.

Behavioral analytics can highlight login anomalies and block suspicious IP addresses from logging in to services on your network.
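The lockout and behavioral-analytics tips above can be expressed as detection logic run over authentication logs. The script below is an added example written for this article, not code from the original post or any vendor product. It assumes a syslog-style line format, constructed sample log lines, and illustrative thresholds, all marked as assumptions in the code, and it separates the two patterns the article contrasts: one account hammered with many guesses (brute force) versus many accounts tried once or twice each (credential stuffing), including the case where the stuffing bots are spread across many IP addresses.

```python
"""Login-anomaly triage over authentication logs (added example, not from the article).

Patterns separated:
  * brute force: many failed guesses against ONE account, usually from few IPs;
  * credential stuffing: one or two guesses against MANY accounts, often spread
    across many IPs so that no single address looks busy.
Log format, thresholds and sample data are all constructed assumptions.
"""
from collections import defaultdict
import re

# Assumed log line syntax: "<iso-timestamp> auth: OK|FAIL user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Illustrative thresholds; tune them against real traffic before relying on them.
LOCKOUT_FAILURES = 5        # failures on one account before the account is locked
STUFFING_MIN_USERS = 8      # distinct accounts one IP must touch to look like stuffing
STUFFING_MAX_PER_USER = 2   # stuffing tries each leaked pair only once or twice
STUFFING_FAIL_RATIO = 0.9   # and nearly all of those attempts fail
SITE_MIN_FAILURES = 20      # site-wide failure volume before the distributed rule fires
SITE_LOW_COUNT_SHARE = 0.5  # share of failures owned by accounts with <= 2 failures


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events):
    fails_per_user = defaultdict(int)
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["attempts"] += 1
        stats["users"].add(e["user"])
        if e["result"] == "FAIL":
            stats["fails"] += 1
            fails_per_user[e["user"]] += 1

    # Rule 1 (lockout policy): an account hit by repeated failures is under brute force.
    lock_accounts = sorted(u for u, n in fails_per_user.items() if n >= LOCKOUT_FAILURES)

    # Rule 2 (per-IP): one address walking through many accounts, about once each, mostly failing.
    block_ips = []
    for ip, s in sorted(per_ip.items()):
        if (len(s["users"]) >= STUFFING_MIN_USERS
                and s["attempts"] / len(s["users"]) <= STUFFING_MAX_PER_USER
                and s["fails"] / s["attempts"] >= STUFFING_FAIL_RATIO):
            block_ips.append(ip)

    # Rule 3 (site-wide): bots spread over many IPs defeat rule 2, but the failures
    # still pile up on accounts that each see only one or two attempts.
    total_fails = sum(fails_per_user.values())
    low_count_fails = sum(n for n in fails_per_user.values() if n <= STUFFING_MAX_PER_USER)
    distributed = (total_fails >= SITE_MIN_FAILURES
                   and low_count_fails / total_fails >= SITE_LOW_COUNT_SHARE)

    return {"lock_accounts": lock_accounts, "block_ips": block_ips,
            "distributed_stuffing_suspected": distributed}


def constructed_log():
    """Constructed sample: one normal login, one brute-force run against 'alice', one
    stuffing run from a single IP, and one stuffing run spread across a dozen IPs."""
    lines = ["2021-10-29T10:00:00Z auth: OK user=bob ip=192.0.2.5"]
    lines += [f"2021-10-29T10:01:{i:02d}Z auth: FAIL user=alice ip=203.0.113.10" for i in range(6)]
    lines += [f"2021-10-29T10:02:{i:02d}Z auth: FAIL user=leak{i} ip=198.51.100.7" for i in range(9)]
    lines += ["2021-10-29T10:02:09Z auth: OK user=leak9 ip=198.51.100.7"]   # the one reused password
    lines += [f"2021-10-29T10:03:{i:02d}Z auth: FAIL user=dist{i} ip=198.51.100.{100 + i}"
              for i in range(12)]
    lines += ["garbage line the parser must tolerate"]
    return "\n".join(lines)


def triage(log_text=None):
    """Parse and analyze a log; defaults to the constructed sample."""
    return analyze(parse(log_text if log_text is not None else constructed_log()))


if __name__ == "__main__":
    print(triage())
```

On the constructed sample the script locks `alice`, blocks `198.51.100.7`, and raises the site-wide flag for the dozen single-attempt IPs that the per-IP rule alone would miss. The three rules map onto the article's tips: rule 1 is the lockout policy, rules 2 and 3 are the behavioral analytics that block suspicious addresses. A hard lockout can also be triggered against legitimate users, so in production the lockout is best paired with MFA and progressive delays rather than used alone.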

Closing Thoughts

If organizations don't address the common flaws in their access controls and users remain unaware of what good password hygiene looks like, threat actors will continue to exploit compromised credentials and inflict potentially devastating consequences on businesses.

About the Author: Ronan Mahony is a freelance cybersecurity writer who likes breaking down complex ideas and solutions into engaging and easily digested articles. He graduated from University College Dublin in 2013 and currently works with Bora. In his spare time, Ronan enjoys hiking, solo travel, and cooking Thai food.
