Password Attacks: Brute Force vs Credential Stuffing vs Spraying | AP Cybersecurity
Password Attacks Explained: Brute Force, Credential Stuffing & Password Spraying
A password attack tries to gain access by guessing or stealing credentials rather than tricking a person directly. Topic 1.2 asks you to identify the signs of a password attack and explain how adversaries exploit weak authentication.
How password attacks work
Brute force tries many passwords against one account until one works. Credential stuffing reuses username and password pairs leaked from other breaches, betting that people reuse passwords. Password spraying tries a few common passwords across many accounts to avoid lockouts.
All three exploit weak authentication: short or common passwords, reused passwords, and accounts with no rate limiting or multi-factor authentication (EK 1.2.B).
An account log shows dozens of failed logins in one minute from a single source, then one success. What is happening?
Answer: A brute-force or stuffing attack. Rapid repeated failures followed by a success is the classic signature of automated password guessing.
Topic 1.2 questions show a login log or account-activity notice and ask you to identify the sign of a password attack. Look for failures, unfamiliar locations, or logins at impossible times.
Signs of a password attack
The framework wants you to recognize indicators (EK 1.2.A): a burst of failed logins, a successful login from an unfamiliar location or device, sign-ins at times the user is normally offline, and account changes the user did not make.
These signs map directly to the College Board Unit 1 scenario about reviewing account activity to detect unauthorized logins.
A student normally logs in on weekends and evenings, but the activity log shows a weekday-morning login from another country. What is the most likely explanation?
Answer: An unauthorized login from a password attack. The unfamiliar time and location, against the user's normal pattern, are the key indicators.
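The two scenarios above, plus the brute-force/spraying distinction from the first section, can be turned into simple detection rules over an authentication log. The following is an added example written for this page, not code from the original; the log format (timestamp, user, source IP, country, result), the thresholds, the user baselines in PROFILES and the sample log lines are all constructed assumptions.

```python
"""Spot the password-attack signatures described on this page in a login log.

Added example, not from the original page. The log format, thresholds and
user baselines are assumptions; every sample event is constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Each line: ISO timestamp, user, source IP, country code, result.
_T0 = datetime(2024, 3, 4, 9, 0, 0)  # a Monday morning
SAMPLE_LOG = "\n".join(
    # brute force: one account, one source, a dozen failures then a success inside a minute
    [f"{(_T0 + timedelta(seconds=i)).isoformat()} alice 203.0.113.10 XA FAIL" for i in range(12)]
    + [f"{(_T0 + timedelta(seconds=12)).isoformat()} alice 203.0.113.10 XA SUCCESS"]
    # spraying: one source, a single failure against each of five different accounts
    + [f"{(_T0 + timedelta(hours=1, seconds=5 * i)).isoformat()} {u} 198.51.100.7 XB FAIL"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]
    # alice's normal weekday-morning login from her usual country (benign)
    + ["2024-03-05T08:45:00 alice 192.0.2.5 US SUCCESS",
       # the student scenario: usually weekends and evenings from US, now a Tuesday morning abroad
       "2024-03-05T09:15:00 student 192.0.2.44 XC SUCCESS"]
)


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped instead of crashing the detector."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src, country, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                       "country": country, "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def brute_force_hits(events, window=timedelta(minutes=1), min_failures=10):
    """Burst of failures on ONE account from ONE source, then a success within the window."""
    recent = defaultdict(list)  # (user, source) -> timestamps of failures still inside the window
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window]
        if e["ok"]:
            if len(recent[key]) >= min_failures:
                hits.append(key)
            recent[key] = []
        else:
            recent[key].append(e["ts"])
    return hits


def spraying_sources(events, min_accounts=5, max_per_account=3):
    """One source failing against MANY accounts with few tries each: the under-the-lockout pattern."""
    per_src = defaultdict(lambda: defaultdict(int))  # source -> user -> failure count
    for e in events:
        if not e["ok"]:
            per_src[e["src"]][e["user"]] += 1
    return [src for src, users in per_src.items()
            if len(users) >= min_accounts and max(users.values()) <= max_per_account]


def anomalous_successes(events, profiles):
    """Successful logins outside the user's usual countries, weekdays or hours (no failures needed)."""
    flagged = []
    for e in events:
        p = profiles.get(e["user"])
        if not e["ok"] or p is None:
            continue
        reasons = []
        if e["country"] not in p["countries"]:
            reasons.append("unfamiliar country")
        if e["ts"].weekday() not in p["weekdays"]:
            reasons.append("unusual weekday")
        if e["ts"].hour not in p["hours"]:
            reasons.append("unusual hour")
        if reasons:
            flagged.append((e["user"], e["ts"].isoformat(), reasons))
    return flagged


# Constructed baselines: alice works weekdays 08-17 from US; student logs in weekends and evenings from US.
PROFILES = {
    "alice": {"countries": {"US"}, "weekdays": set(range(0, 5)), "hours": set(range(8, 18))},
    "student": {"countries": {"US"}, "weekdays": {5, 6}, "hours": set(range(17, 24))},
}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("brute force (user, source):", brute_force_hits(ev))
    print("spraying sources:", spraying_sources(ev))
    print("anomalous successes:", anomalous_successes(ev, PROFILES))
```

Note that the brute-force success against alice is caught twice: by the failure-burst rule and by the unfamiliar-country rule. The student login, with no failed attempts at all, is caught only by the baseline check, which is the point of the second scenario.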
Credential stuffing at scale
Billions of leaked username and password pairs circulate online, and attackers replay them across sites with automated tools. Accounts on streaming, retail, and food-delivery services are routinely taken over this way because people reuse passwords.
Defense: a unique password per site plus MFA.
Key Terms
| Term | Definition |
| --- | --- |
| Brute force | Trying many passwords against one account until one works. |
| Credential stuffing | Reusing leaked username and password pairs across sites. |
| Password spraying | Trying a few common passwords across many accounts. |
| Weak authentication | Short, common, or reused passwords with no MFA, which attacks exploit. |
Common Mistakes
Confusing brute force with spraying
Brute force hammers one account with many passwords; spraying tries a few passwords across many accounts.
Thinking a strong password alone is enough
Reused strong passwords still fall to credential stuffing. Uniqueness and MFA matter too.
Ignoring location and timing signals
An unfamiliar location or an impossible-time login is a strong sign even without failed attempts.
Assuming lockouts always stop attackers
Password spraying is designed to stay under lockout thresholds.