GCIH · Question #797
What password attack uses a stolen password breach list?
The correct answer is A. Credential Stuffing. Credential stuffing is the specific attack technique that uses stolen username and password pairs from prior data breach dumps to attempt unauthorized access across multiple services.
Question
What password attack uses a stolen password breach list?
Options
- ACredential Stuffing
- BPass-the-Hash
- CDictionary Attack
- DMan-in-the-Middle
How the community answered
(55 responses)- A85% (47)
- B4% (2)
- C9% (5)
- D2% (1)
Why each option
Credential stuffing is the specific attack technique that uses stolen username and password pairs from prior data breach dumps to attempt unauthorized access across multiple services.
Credential stuffing relies on obtaining real, previously validated credential pairs from publicly leaked or purchased breach lists and then replaying them against other services to exploit password reuse. This distinguishes it from guessing-based attacks because the credentials are known to have been correct at least once, dramatically increasing success rates against accounts that reuse passwords.
Pass-the-Hash captures NTLM hash values from memory or the SAM database and replays the hash directly for authentication, rather than using plaintext passwords from a breach list.
A dictionary attack generates guesses from a wordlist of common passwords and phrases rather than using actual stolen credential pairs from a confirmed breach.
A Man-in-the-Middle attack intercepts live communications between two parties and does not involve replaying or testing stolen password lists against accounts.
Concept tested: Credential stuffing attack using stolen breach data
Source: https://owasp.org/www-community/attacks/Credential_stuffing
Topics
Community Discussion
No community discussion yet for this question.