What is password spraying or credential stuffing?

Password spraying tries common passwords against many accounts. Rather than brute-forcing one account, attackers try "Password123" against thousands of accounts. Keeping the number of attempts per account low evades lockout protections.

Credential stuffing uses username/password pairs sourced from breaches. When databases leak, attackers try those credentials across other services. Password reuse means a breach at one service compromises accounts everywhere.

Defense: unique passwords per service (password managers help), **MFA** to block logins with compromised credentials, account lockout policies, and monitoring for distributed login attempts.
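
The monitoring point can be made concrete with a small detector. This is an added example, not code from the original page: it flags a source whose failed logins touch many distinct accounts inside a time window while every account stays below the lockout threshold. The function name, thresholds, event format and sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, success).
# IPs are from documentation ranges; usernames are invented.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "198.51.100.7", "alice", False),
    ("2024-01-01T09:00:20", "198.51.100.7", "bob", False),
    ("2024-01-01T09:00:40", "198.51.100.7", "carol", False),
    ("2024-01-01T09:01:00", "198.51.100.7", "dave", False),
    ("2024-01-01T09:01:20", "198.51.100.7", "erin", False),
    ("2024-01-01T09:01:40", "198.51.100.7", "frank", False),
    # Six failures against ONE account: lockout policy covers this, not spraying.
    *[(f"2024-01-01T09:02:{s:02d}", "203.0.113.9", "alice", False)
      for s in range(0, 60, 10)],
    # A user mistyping once and then logging in.
    ("2024-01-01T09:05:00", "192.0.2.10", "grace", False),
    ("2024-01-01T09:05:10", "192.0.2.10", "grace", True),
]

def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, lockout_threshold=5):
    """Return {source_ip: sorted accounts} for sources whose failures within
    `window` reach >= min_accounts distinct users while each user stays below
    lockout_threshold attempts (the pattern lockout alone does not catch)."""
    recent = defaultdict(deque)   # source -> (time, user) failures in window
    flagged = defaultdict(set)    # source -> accounts seen while flagged
    for ts, src, user, ok in sorted(events):  # ISO timestamps sort by time
        if ok:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, user))
        while now - q[0][0] > window:         # drop failures outside window
            q.popleft()
        per_user = Counter(u for _, u in q)
        if (len(per_user) >= min_accounts
                and max(per_user.values()) < lockout_threshold):
            flagged[src].update(per_user)
    return {src: sorted(users) for src, users in flagged.items()}

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```

Grouping by source IP misses attempts spread over many addresses; the same window logic can be keyed on another attribute the attempts share.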