As more aspects of daily life go digital, the importance of defending against threats to our personal information continues to grow. And though you might be familiar with common ones like brute force attacks—also known as credential cracking—credential stuffing differs in a few key ways.

This article will cover the basics of credential stuffing, its threat to businesses and individuals, and practical ways to deploy modern solutions against this particular attack vector.

Forceful fraud: Brute force attacks, credential stuffing and password spraying

It's important to distinguish between the methods behind traditional brute force attacks and their closely-related cousins, credential stuffing and password spraying, to know what to look for and how to defend against them.

Brute force vs. credential stuffing

While both brute force and credential stuffing attacks share a common goal of acquiring sensitive user information, the manner in which that information is obtained is fundamentally different.

• Credential stuffing uses previously stolen credentials, often obtained from large-scale data breaches, to gain unauthorized access to user accounts. Attackers automate the process of testing these credentials across multiple sites, banking on the unfortunate likelihood that users have reused passwords. This method can be highly targeted, focusing on specific user accounts or services, and is difficult to recognize because it involves valid login attempts that can easily trick security systems.
• Brute force attacks attempt to guess passwords indiscriminately by systematically trying different combinations of characters, numbers, and symbols until the correct password is found. Attackers use automated tools to generate and test thousands or even millions of potential passwords, often employing prescribed patterns or commonly used base password phrases. This method is less sophisticated than credential stuffing but can be equally effective against weak or poorly chosen passwords.

Password spraying

Password spraying is similarly indiscriminate: attackers will 'spray' stolen passwords from a database until they gain unauthorized access. Instead of targeting individual accounts with many password attempts, they attempt a small number of common passwords against a large number of accounts, thereby evading traditional lockout mechanisms and increasing the chances of compromising multiple accounts. This method often exploits weak password policies and user tendencies to use simple or common passwords across different platforms.

How does credential stuffing work?

As mentioned, credential stuffing is a type of cyberattack that takes advantage of compromised credentials such as usernames, email addresses, and passwords to access secure or sensitive information.

Here's how fraudsters make a credential stuffing attack work:

1. Attackers leverage stolen or breached credentials to set up automated attempts to log into multiple accounts, potentially gaining access to personal and financial information.
2. They then use automation tools to simultaneously log into multiple accounts and check for access to secondary services or accounts. This highlights the potential consequences and the difficulty of detecting such activity.

As noted, a credential stuffing attack differs from a brute force attack in that it doesn’t rely on random attempts to decode a password or username combination, instead relying on lists of username/password combinations acquired from data breaches. Lists can contain millions of these combinations, which hackers then attempt to “stuff” across different sites on a trial and error basis.

Each successful combination can then be used to access lucrative information such as bank accounts, payment applications, credit card numbers, etc., leading to a cascade of fraudulent activity.

How big of a threat is credential stuffing?

Credential stuffing might seem laborious, cumbersome, or not very effective due to its indiscriminate approach. But the perpetrators behind these types of attacks employ sophisticated programs and applications to optimize their efforts.

Unfortunately, AI and machine learning technologies have elevated the humble bots of the Eliza era to a superpower status never before witnessed in the realm of fraud. Now, using bots—which are software programs that specialize in performing repetitive, predefined tasks—malicious actors can try a multitude of password and username combinations against different services in rapid succession.

The resulting large data breaches often yield millions of credentials. Attackers often use these stolen credentials on multiple sites, leveraging botnets to automate the process and increase their chances of success. So, while the success rate for the above tactics is fairly low, the sheer amount of compromised data means that thousands of users can be affected. For example, the Android Users Data Breach in May 2021 compromised the personal data of over 100 million users spanning 23 app databases.

At the end of the day, digital account fraud is a numbers game that increasingly favors the hacker, with the majority of people reusing the same password and username combination across multiple services—up to 65 percent, in fact. Combine this with the reality that data breaches are becoming more common, and the threat of users’ personal data being compromised increases exponentially.

Bots: Stuffing's secret weapon

So what to do about it? To defend against potential credential stuffing attacks, users and developers alike first need to understand more about the bots that are essential to the process.

If you’ve ever been “timed out” or briefly locked out of a website or service after a series of incorrect logins, you’ll have some idea of the basic security in place to safeguard user data. These measures are designed to prevent excessive failed login attempts by identifying suspicious login attempts. This helps differentiate between types of attacks like brute force and credential stuffing.

However, bots can easily get around these countermeasures. They are capable of making multiple login attempts simultaneously and can mask these attempts so that they appear to come from different devices. In short, the system doesn’t flag the behavior as suspicious, and the bots are free to continue trying for viable username and password combinations.

The humble IP address is a common tool used by bots that deploy fake IP addresses to mask their login attempts, making it harder for security systems to detect malicious activity. Blocking or sandboxing these IP addresses can be an effective defense.

How to prevent credential stuffing attacks with Stytch

Because bots can target multiple accounts swiftly, it's crucial to implement robust security measures that span a business' application ecosystem. To work towards this, many services are now implementing more complex cybersecurity measures, such as those outlined below.

Breach-resistant passwords

As hackers develop more sophisticated social engineering techniques, breach-resistant passwords offer a crucial defense. Breach-resistant passwords are strong and secure, making them difficult for bots and attackers to guess. Stytch's solution incorporates the zxcvbn strength assessment tool, which ensures that passwords created adhere to NIST password guidelines, focusing on both length and complexity to enhance security.

Additionally, Stytch integrates with HaveIBeenPwned to monitor for compromised credentials, automatically prompting users to reset their passwords if a breach is detected. This ensures that user passwords remain resilient and up-to-date, significantly reducing the risk of account takeovers.

CAPTCHAs

CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. These tests, like identifying buses or crosswalks in images, are simple for humans but challenging for bots, which struggle with image interpretation and human-like responses. Developing bots to solve CAPTCHAs is time-consuming and expensive, and since CAPTCHAs can't be reused, bots must solve them repeatedly, slowing down credential stuffing attacks. Stytch Strong CAPTCHA offers a modern take on traditional CAPTCHA that thwarts bots and CAPTCHA farms by using proprietary device intelligence to proxy and encrypt the CAPTCHA. Visit our product page or contact an auth expert to learn more.

Two-factor and multi-factor authentication

Often abbreviated as 2FA, two-factor authentication is becoming an increasingly popular cybersecurity measure. A subset of multi-factor authentication (MFA), 2FA gets its name because it uses two factors to verify a user’s identity. This can be any combination of single factors such as password and username, answering a security question, or entering a one-time code delivered via text message to the user’s personal device to verify a user’s identity. More complex methods like biometric authentication (fingerprint scanning) can also be incorporated and stacked, providing two or more layers of extra security in the event that a user’s credentials are compromised. This makes multi factor authentication (MFA) a more effective countermeasure against credential stuffing attacks and a go-to for industries that deal with sensitive data, like finance and government.

Device fingerprinting

Stytch Device Fingerprinting analyzes and identifies unique device attributes such as browser configurations, IP addresses, and hardware characteristics to detect and block suspicious activities from non-human actors like bots. This precise identification method ensures that only legitimate users gain access while thwarting bots attempting to exploit stolen credentials. To strengthen your security and protect against credential stuffing, explore Stytch's advanced device fingerprinting solution.

Going passwordless

It's essential to distinguish between legitimate users and attackers to ensure that security measures do not hinder the user experience for genuine users. While there are a plethora of password generators out there that provide users with usernames and passwords specifically designed to be hard to crack, many users still rely on simple passwords reused across multiple apps and services for their user accounts. This is an inherent flaw of password authentication, one that is difficult to correct because of how ingrained and widespread it is, and it's one of the leading causes of stolen login credentials. To get around this issue, many developers are choosing to go passwordless using methods like biometric authentication and multi-factor authentication (MFA)

Stytch Passwordless Authentication uses a suite of modern authentication methods designed for seamless, secure user logins, such as email magic links, SMS passcodes, WebAuthn, OAuth, and biometric authentication. This approach effectively prevents credential stuffing attacks delivered by bots, as there are no passwords to steal or reuse in a login attempt.

To explore how Stytch can enhance your security strategy to prevent a credential stuffing attack and related bot attacks, get in touch with an auth expert orget started today.