What is Credential Stuffing?

Posted by LawyersPages™, a Computerlog® LLC Company

Credential stuffing is a cyberattack technique in which attackers take username/password pairs stolen from one service and replay them against the login endpoints of other services. The attack relies on bots to automate and scale the attempts, and it works only because people reuse the same password across services. Published estimates put the success rate at roughly 0.1%: about one in a thousand replayed pairs logs into another service, which against a breach list of hundreds of millions of entries still yields a large number of account takeovers.

More precisely, credential stuffing is the automated injection of stolen username/password pairs ("credentials") into website login forms in order to gain unauthorised access to user accounts.

Many users reuse the same password together with the same username or email address, so once those credentials are exposed (through a database breach, a phishing campaign, and so on), submitting them to dozens or hundreds of other sites lets an attacker take over the matching accounts there as well.

Credential stuffing is usually classed as a subset of brute force attacks, but the two differ in method: brute forcing guesses passwords for accounts, whereas credential stuffing replays known username/password pairs against other websites.

Credential stuffing is a growing threat vector for two reasons:

  • The wide availability of large breach compilations. "Collection #1-5", for example, put roughly 2.2 billion username and password combinations into circulation in plaintext.
  • Advanced bots attempt many logins simultaneously and route them through many different source IP addresses. They routinely bypass simple defences such as banning an IP address after too many failed logins.

Credential Stuffing vs Brute Force Attacks

Credential stuffing is often described as a form of brute-force attack, but there are important differences.

  • Brute force attacks guess credentials without context: random strings, common password patterns, or dictionaries of commonly used phrases.
  • Brute force succeeds only where users have chosen weak, guessable passwords.
  • Brute force attacks do not draw on data from past breaches, so their success rate per attempt is far lower.

With basic protections in place (password complexity rules plus per-account lockout or rate limiting), brute-force attacks rarely succeed against modern web applications. Credential stuffing still can: the site may enforce strong passwords, but if a user reuses that strong password at another service and that service is breached, the leaked pair works here on the first attempt, well below any lockout threshold.

How Credential Stuffing Attacks Work

In a typical large-scale credential stuffing operation, the attacker:

  • Sets up a bot that can log in to many accounts in parallel while spreading the attempts across different source IP addresses.
  • Runs an automated process that checks whether the stolen credentials work on many websites at once. Because each pair is tried once per site, no single account sees the repeated failures that a brute-force attack produces.
  • Monitors for successful logins and harvests credit card data, personally identifiable information, or anything else of value from the compromised accounts.
  • Retains the working credentials for later use, such as phishing the victims or carrying out other transactions enabled by the compromised service.

Example of a credential stuffing attack
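The following is an added example, not code from the original article: a mock login service with a per-account lockout, attacked first by a dictionary brute force and then by credential stuffing from a constructed "breach dump". The users, passwords, wordlist and dump are all made up for the demonstration. It shows the point of the two sections above in one run: the lockout neutralises the brute force (every account locks after five bad guesses, zero hits), while the stuffing run makes only one attempt per account and logs in wherever a user reused their password.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILURES = 5  # per-account lockout threshold, the "basic security feature"


def _hash(password, salt):
    # PBKDF2 with a deliberately low iteration count so the demo runs instantly;
    # production code should use a far higher count or Argon2/bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


class MockService:
    """In-memory login endpoint of one fictional website (constructed for the demo)."""

    def __init__(self, users):
        self._creds = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self._creds[user] = (salt, _hash(pw, salt))
        self.failures = defaultdict(int)  # consecutive failures per account
        self.attempts = 0                 # every login call, accepted or not

    def login(self, user, password):
        self.attempts += 1
        if user not in self._creds or self.failures[user] >= MAX_FAILURES:
            return False  # unknown account, or locked out after MAX_FAILURES
        salt, digest = self._creds[user]
        if hmac.compare_digest(_hash(password, salt), digest):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        return False


def brute_force(service, usernames, wordlist):
    """Context-free guessing: every word is tried against every account."""
    return {u for u in usernames for w in wordlist if service.login(u, w)}


def credential_stuff(service, breach_dump):
    """One attempt per leaked pair; nothing is guessed, so lockouts never trigger."""
    return {u for u, pw in breach_dump if service.login(u, pw)}


# Constructed data: the site enforces strong passwords, but two users reused theirs.
SITE_USERS = {
    "alice@example.com": "Tz9!qLm#2vXr",
    "bob@example.com": "correct-horse-battery-staple-77",
    "carol@example.com": "Gh4$wPz&8kNs",
}
BREACH_DUMP = [  # constructed dump "leaked" from some other site
    ("alice@example.com", "Tz9!qLm#2vXr"),          # reused: will work here
    ("bob@example.com", "old-password-from-2016"),  # bob rotated: fails
    ("carol@example.com", "Gh4$wPz&8kNs"),          # reused: will work here
    ("dave@example.com", "Password123"),            # no such account here
]
WORDLIST = ["123456", "password", "qwerty", "letmein", "Password123", "welcome1", "admin"]


def run_comparison():
    """Run both attacks against fresh copies of the service and report the outcome."""
    bf = MockService(SITE_USERS)
    bf_hits = brute_force(bf, SITE_USERS, WORDLIST)
    cs = MockService(SITE_USERS)
    cs_hits = credential_stuff(cs, BREACH_DUMP)
    return {
        "brute_force_hits": sorted(bf_hits),
        "brute_force_attempts": bf.attempts,
        "locked_out": sorted(u for u, n in bf.failures.items() if n >= MAX_FAILURES),
        "stuffing_hits": sorted(cs_hits),
        "stuffing_attempts": cs.attempts,
    }


if __name__ == "__main__":
    print(run_comparison())
```

The brute force burns 21 attempts, locks all three accounts and gets nothing; the stuffing run makes four attempts, trips no lockout, and takes over the two accounts whose owners reused a password.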

Credential Stuffing Prevention

These measures will help protect your website against credential stuffing attacks.

Multi-Factor Authentication (MFA)

Requiring a second factor, something the user has, such as a hardware token or a phone, stops credential stuffing outright: a bot replaying a leaked password cannot produce the one-time code. Mandatory MFA is not always practical for every user, so it is commonly applied selectively, for example only when the login arrives from a device fingerprint the account has never used before.
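As an added example (not from the article), the check below implements the time-based one-time password used by authenticator apps (HOTP per RFC 4226, TOTP per RFC 6238) and shows a stuffing bot failing the login with the correct leaked password because it has no code. The user record is constructed; its TOTP secret is the RFC 4226 test key, chosen so the codes can be checked against the published vectors, and the password is kept in plaintext purely for brevity.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP(K, C): dynamic truncation of HMAC-SHA1(K, C), reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """TOTP is HOTP with the counter set to the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, window=1):
    """Accept the current period plus/minus `window` periods of clock drift.
    compare_digest keeps the comparison constant-time, as for any secret check."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), code):
            return True
    return False


# Constructed user record. A real system stores a password hash and a random per-user secret.
USER_DB = {
    "alice@example.com": {
        "password": "Tz9!qLm#2vXr",
        "totp_secret": b"12345678901234567890",  # RFC 4226 test key
    }
}


def login(username, password, otp, now):
    """Password check first, then the second factor; both must pass."""
    record = USER_DB.get(username)
    if record is None or not hmac.compare_digest(record["password"].encode(), password.encode()):
        return False
    return verify_totp(record["totp_secret"], otp, now)


def demo(now=59):
    """A bot holding the leaked password but no authenticator, versus the real user."""
    leaked = "Tz9!qLm#2vXr"
    good_code = totp(USER_DB["alice@example.com"]["totp_secret"], now)
    return {
        "stuffing_bot_without_otp": login("alice@example.com", leaked, "000000", now),
        "user_with_authenticator": login("alice@example.com", leaked, good_code, now),
    }


if __name__ == "__main__":
    print(demo())
```

The drift window is the usual trade-off: one period either side tolerates slightly skewed phone clocks, but every extra period widens the set of codes an attacker could guess, so it should stay small and be paired with a rate limit on code submissions.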

Use a CAPTCHA

A CAPTCHA requires the user to perform an action that proves they are human, which lowers the success rate of credential stuffing bots. It is not a complete defence: attackers get past CAPTCHAs with headless browsers and with paid CAPTCHA-solving services. Like MFA, it is best applied selectively, for example only after a failed attempt or for a login from an unfamiliar device.

Device Fingerprinting

JavaScript in the login page can collect device attributes and build a "fingerprint" for each session. A fingerprint is made up of parameters such as operating system, language and browser, and may also include the user agent, screen size and time zone. When the same combination of parameters shows up across many login attempts for different accounts, a brute force or credential stuffing attack is the likely explanation.

A strict fingerprint built from many parameters rarely matches two unrelated users, so it justifies harsher measures such as banning the IP address. A looser fingerprint built from two or three common parameters catches more of the attack traffic but also matches more legitimate users, so it should only trigger milder measures such as a temporary block. Operating system + geolocation + language is a common loose combination.

IP Blacklisting

Even when traffic is spread across proxies, an attacker's pool of IP addresses is finite, so blocking or sandboxing IPs that attempt to log in to many different accounts is an effective defence. To reduce false positives, track which IP addresses each account has successfully logged in from in the past and compare the suspect IP against that history before blocking it.

Rate-Limit Non-Residential Traffic Sources

Traffic from Amazon Web Services and other commercial data centres is easy to recognise from the providers' published IP ranges, and a login attempt originating there is far more likely to come from a bot than from a person at a browser. Apply much stricter rate limits to such sources and block IPs that exhibit suspicious behaviour. Do not block data-centre ranges outright, though: corporate proxies and consumer VPNs also exit from them.
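The detection logic described in the IP Blacklisting and Rate-Limit sections, as an added example that is not part of the original article. It scores each source IP in a constructed authentication log by the number of distinct accounts it tried and its failure ratio, applies a lower threshold to addresses inside a data-centre range, and downgrades a block to "review" when the IP has a successful login history on one of the targeted accounts. The log lines, the per-account IP history and the data-centre CIDR are all made up; a real deployment would load the cloud providers' published ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a cloud provider's published address ranges.
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed history: IPs from which each account has logged in successfully before.
KNOWN_GOOD_IPS = {"erin@example.com": {"198.51.100.200"}}

# Constructed auth log: one spraying bot, one data-centre bot, a fat-fingered user,
# an office NAT with a bad password spree, and one normal login.
LOG = """\
2024-05-01T10:00:01 ip=198.51.100.7 user=alice@example.com result=fail
2024-05-01T10:00:01 ip=198.51.100.7 user=bob@example.com result=fail
2024-05-01T10:00:02 ip=198.51.100.7 user=carol@example.com result=fail
2024-05-01T10:00:02 ip=198.51.100.7 user=dave@example.com result=fail
2024-05-01T10:00:03 ip=198.51.100.7 user=erin@example.com result=success
2024-05-01T10:00:03 ip=198.51.100.7 user=frank@example.com result=fail
2024-05-01T10:01:00 ip=203.0.113.9 user=grace@example.com result=fail
2024-05-01T10:01:00 ip=203.0.113.9 user=heidi@example.com result=fail
2024-05-01T10:02:00 ip=192.0.2.44 user=ivan@example.com result=fail
2024-05-01T10:02:05 ip=192.0.2.44 user=ivan@example.com result=fail
2024-05-01T10:02:09 ip=192.0.2.44 user=judy@example.com result=fail
2024-05-01T10:03:00 ip=198.51.100.200 user=erin@example.com result=fail
2024-05-01T10:03:01 ip=198.51.100.200 user=alice@example.com result=fail
2024-05-01T10:03:01 ip=198.51.100.200 user=bob@example.com result=fail
2024-05-01T10:03:02 ip=198.51.100.200 user=carol@example.com result=fail
2024-05-01T10:03:02 ip=198.51.100.200 user=dave@example.com result=fail
2024-05-01T10:04:00 ip=192.0.2.10 user=alice@example.com result=success
"""


def parse(log):
    """Turn 'ts key=value ...' lines into dicts."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": ts, **fields})
    return events


def is_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def score_ips(events, history, min_accounts=5, dc_min_accounts=2, min_fail_ratio=0.8):
    """Verdict per IP: 'block', 'review' (spraying but has legitimate history) or 'allow'."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["result"] != "success":
            s["fail"] += 1
    verdicts = {}
    for ip, s in per_ip.items():
        # Data-centre sources get a much tighter account threshold than residential ones.
        threshold = dc_min_accounts if is_datacenter(ip) else min_accounts
        spraying = len(s["users"]) >= threshold and s["fail"] / s["total"] >= min_fail_ratio
        # False-positive check: has this IP previously logged into one of the targeted accounts?
        trusted = any(ip in history.get(u, ()) for u in s["users"])
        if spraying and not trusted:
            verdicts[ip] = "block"
        elif spraying:
            verdicts[ip] = "review"
        else:
            verdicts[ip] = "allow"
    return verdicts


def analyze(log=LOG, history=KNOWN_GOOD_IPS):
    return score_ips(parse(log), history)


if __name__ == "__main__":
    for ip, verdict in analyze().items():
        print(f"{ip:16} {verdict}")
```

Note that the spraying bot at 198.51.100.7 is blocked even though one of its attempts succeeded: that success is the credential stuffing hit, and the account it landed on is the one to force a password reset on.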

Block Headless Browsers

Headless browsers such as PhantomJS can be identified by the JavaScript properties they expose (PhantomJS injects window._phantom and window.callPhantom; browsers driven by automation frameworks such as headless Chrome set navigator.webdriver) and often by their User-Agent string. Since legitimate users do not log in from a headless browser, deny such clients access to the login form.
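The tiered fingerprint policy from the Device Fingerprinting section and the headless-browser check above, combined in one added example that is not part of the original article. The `signals` dictionary stands for what the login page's JavaScript would post back (the `webdriver` and `phantom` flags are assumed to come from navigator.webdriver and window._phantom checks on the client); the thresholds, user agents and the two simulated bots are constructed.

```python
import hashlib
import json
from collections import defaultdict

HEADLESS_UA_MARKERS = ("PhantomJS", "HeadlessChrome")
STRICT_KEYS = ("os", "browser", "user_agent", "language", "timezone", "screen", "geo")
LOOSE_KEYS = ("os", "geo", "language")  # the common loose combination from the text


def fingerprint(signals, keys):
    """Stable short hash over the chosen subset of signals (missing keys hash as null)."""
    subset = {k: signals.get(k) for k in keys}
    return hashlib.sha256(json.dumps(subset, sort_keys=True).encode()).hexdigest()[:16]


class LoginGuard:
    """Decides what to do with a login request before the credentials are checked."""

    def __init__(self, strict_limit=10, loose_limit=50):
        self.failures = defaultdict(int)  # (tier, fingerprint) -> failed logins
        self.strict_limit = strict_limit
        self.loose_limit = loose_limit

    def decide(self, signals, ip):
        ua = signals.get("user_agent", "")
        if signals.get("webdriver") or signals.get("phantom") or any(m in ua for m in HEADLESS_UA_MARKERS):
            return "block", "headless browser"
        strict = fingerprint(signals, STRICT_KEYS)
        loose = fingerprint(signals, LOOSE_KEYS)
        # Many parameters matching is strong evidence: harsh measure (ban the source IP).
        if self.failures[("strict", strict)] >= self.strict_limit:
            return "ban_ip", ip
        # Few parameters matching catches more but also hits real users: mild measure only.
        if self.failures[("loose", loose)] >= self.loose_limit:
            return "temp_block", loose
        return "allow", ""

    def record_failure(self, signals):
        self.failures[("strict", fingerprint(signals, STRICT_KEYS))] += 1
        self.failures[("loose", fingerprint(signals, LOOSE_KEYS))] += 1


def demo():
    guard = LoginGuard(strict_limit=10, loose_limit=50)
    # Bot A rotates IPs but sends identical browser signals with every request.
    bot_a = dict(os="Linux", browser="Chrome", user_agent="Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0",
                 language="en-US", timezone="UTC", screen="1920x1080", geo="NL")
    for _ in range(10):
        guard.record_failure(bot_a)
    a = guard.decide(bot_a, "10.0.0.99")
    # Bot B randomises browser, UA, time zone and screen per request, but its
    # OS, geolocation and language stay the same, so the loose fingerprint accumulates.
    for i in range(50):
        guard.record_failure(dict(os="Windows", browser=f"Browser{i}", user_agent=f"Mozilla/5.0 (Windows) UA{i}",
                                  language="en-US", timezone=f"UTC+{i % 12}", screen=f"{1000 + i}x800", geo="US"))
    b = guard.decide(dict(os="Windows", browser="Firefox", user_agent="Mozilla/5.0 (Windows) Firefox/88",
                          language="en-US", timezone="UTC-5", screen="1366x768", geo="US"), "10.0.1.5")
    phantom = guard.decide(dict(os="Linux", browser="PhantomJS", user_agent="Mozilla/5.0 (Unknown; Linux x86_64) PhantomJS/2.1.1",
                                language="en-US", timezone="UTC", screen="1024x768", geo="NL", phantom=True), "10.0.2.7")
    legit = guard.decide(dict(os="macOS", browser="Safari", user_agent="Mozilla/5.0 (Macintosh) Safari/605",
                              language="de-DE", timezone="Europe/Berlin", screen="1440x900", geo="DE"), "10.0.3.3")
    return {"rotating_ip_bot": a[0], "ua_rotating_bot": b[0], "phantomjs": phantom[0], "legit_user": legit[0]}


if __name__ == "__main__":
    print(demo())
```

Bot A's IP rotation buys it nothing because the strict fingerprint is the same on every request; bot B defeats the strict tier by varying its signals but still trips the loose tier, which is why the loose tier must carry only a temporary block rather than a ban.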

Disallow Email Addresses as User IDs

Credential stuffing depends on the same username being valid across services, which is far more likely when the username is an email address. Requiring a site-specific username that is not the user's email address sharply reduces the chance that a leaked username/password pair matches an account on your site.

Learn how Imperva Bot Management can assist you with credential stuffing.

Imperva Bot Management Solution

Imperva's bot management solution implements the best practices described above to protect against malicious bots, adding an automated security layer against credential stuffing, ticket scalping and other attacks carried out by bots.

Beyond bot protection, Imperva offers multi-layered protection to keep websites and applications available, accessible and safe. This includes:

DDoS protection - Maintain uptime in all circumstances. Prevent DDoS attacks of any size from blocking access to your website and network infrastructure.

CDN - Improve website performance and lower bandwidth costs with a CDN designed for developers. Cache static resources at the edge to accelerate APIs and dynamic websites.

WAF - A cloud-based WAF permits legitimate traffic and blocks malicious traffic, protecting applications at the edge; a gateway WAF protects applications and APIs inside your network.

API Security - Protects APIs by ensuring that only the intended traffic reaches your API endpoints, and detects and blocks attempts to exploit vulnerabilities.

Account Takeover Protection - Uses intent-based detection to identify and block attempts to take over user accounts for malicious purposes.

RASP - Protects applications from the inside against known and zero-day attacks, without signatures or a learning phase.

How to avoid credential stuffing

How users can avoid credential stuffing

From the user's side, credential stuffing is easy to defeat. A password manager makes it practical to use a unique password for every service, and an account with a unique password cannot be opened with credentials leaked from somewhere else. Users should also enable two-factor authentication wherever it is offered.

How can companies prevent credential stuffing?

Companies that operate authentication services face a harder problem, because credential stuffing is driven by data breaches at other businesses. A company whose users are hit by credential stuffing has not necessarily suffered a breach of its own; the credentials were stolen elsewhere.

A company can recommend unique passwords but cannot enforce them. Some applications check each submitted password against a list of known compromised passwords, which helps but is not foolproof: a user may be reusing a password that was stolen from another service but has not yet appeared in any public list.
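As an added example (not from the article), this is how such a compromised-password check is usually done without sending the password, or even its full hash, to the list provider: the k-anonymity range scheme used by the Have I Been Pwned "Pwned Passwords" API. Only the first five hex characters of the SHA-1 hash are sent, the service returns every known suffix under that prefix with a breach count, and the match is made locally. The network call is replaced here by a constructed in-memory range response so the code runs offline; the breach counts in it are made up.

```python
import hashlib
import urllib.request


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(password):
    """The 5-char prefix goes over the wire; the 35-char suffix never leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Range responses are 'SUFFIX:COUNT' lines; return {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        if line.strip():
            suffix, count = line.strip().split(":")
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = split_for_range(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password, fetch_range, max_count=0):
    n = breach_count(password, fetch_range)
    if n > max_count:
        return False, f"password has appeared in {n} breaches"
    return True, "not found in breach corpus"


def http_fetch_range(prefix):
    """Real lookup (not used by the offline demo). Add-Padding hides the true suffix count."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range response. The second entry is the real
# SHA-1 suffix of "password"; the counts and the other suffixes are invented.
FAKE_RANGE_DATA = {
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\n",
}


def fake_fetch_range(prefix):
    return FAKE_RANGE_DATA.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ("password", "Tz9!qLm#2vXr"):
        print(candidate, password_acceptable(candidate, fake_fetch_range))
```

This catches passwords that are already in a public dump. It does not catch the case the paragraph warns about, a password reused from a site whose breach has not surfaced yet, which is why the check complements rather than replaces MFA and bot management.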

Additional login security features mitigate credential stuffing. Two-factor authentication and a CAPTCHA at login stop most malicious bots. Both add friction, but most users accept the trade-off once the risk is explained.

A bot management service offers the strongest protection, because it can stop malicious bots from attempting logins at all without affecting legitimate users. Cloudflare Bot Management draws on data from roughly 25 million requests per second across the Cloudflare network to identify and block credential stuffing bots, and smaller organisations can use Super Bot Fight Mode for visibility into and control over their bot traffic.
