Auth & identity
January 5, 2022
Author: Julianna Lamb
As more aspects of daily life go digital, we are increasingly grappling with threats to our cybersecurity and personal information. And though you might be familiar with common threats like brute force attacks—also known as credential cracking—credential stuffing differs in a few key ways.
While both brute force and credential stuffing attacks share a common goal of acquiring sensitive user information, the manner in which that information is obtained is fundamentally different. Protecting against these cyber threats requires understanding how they function. In this article, we examine the growing threat of credential stuffing, what it means for you and your app, and what users and organizations alike can do to defend against it.
Credential stuffing is a type of cyberattack that takes advantage of compromised credentials such as usernames, email addresses, and passwords to access secure or sensitive information.
A credential stuffing attack differs from a brute force attack in that it doesn’t rely on random attempts to guess a password or username combination. Instead, credential stuffing relies on lists of username/password combinations acquired from data breaches. Lists can contain millions of these combinations, which hackers then attempt to “stuff” across different sites on a trial-and-error basis.
Each successful combination can then be used to access lucrative information such as bank accounts and credit card numbers.
Credential stuffing might seem laborious or not very effective. But the perpetrators behind these types of attacks employ sophisticated programs and applications to optimize their efforts. Using bots—software programs that specialize in performing repetitive, predefined tasks—malicious actors can try a multitude of password and username combinations against different services in rapid succession.
Large data breaches often yield millions of credentials. So, while the success rate for the above tactics is fairly low, the sheer amount of compromised data means that thousands of users can be affected. For example, the Android Users Data Breach in May 2021 compromised the personal data of over 100 million users spanning 23 app databases.
It’s a numbers game that increasingly favors the hacker. That’s because the majority of people reuse the same password and username combination across multiple services—up to 65 percent, in fact. Combine this with the reality that data breaches are becoming more common, and the threat of users’ personal data being compromised increases exponentially.
To defend against potential credential stuffing attacks, users and developers alike first need to understand more about the bots that are essential to the process.
If you’ve ever been “timed out” or briefly locked out of a website or service after a series of incorrect logins, you’ll have some idea of the basic security in place to safeguard user data. However, bots can easily get around these countermeasures. They are capable of making multiple login attempts simultaneously and can mask these attempts so that they appear to come from different devices. In short, the system doesn’t flag the behavior as suspicious, and the bots are free to continue trying for viable username and password combinations.
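As an added illustration (not part of the original post), the following Python sketch runs the per-IP lockout described above alongside a fleet-wide check over a constructed login log, showing why the lockout misses the stuffing pattern while a view across all accounts catches it. The log format, thresholds and function names are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample login log (not from any real system). Two attack shapes:
# brute force (one user, many tries, one IP) and credential stuffing (many users,
# one try each, each from a different IP, so per-IP lockouts never trip).
SAMPLE_LOG = """\
10:00:01 ip=203.0.113.10 user=alice result=fail
10:00:02 ip=203.0.113.10 user=alice result=fail
10:00:03 ip=203.0.113.10 user=alice result=fail
10:00:04 ip=203.0.113.10 user=alice result=fail
10:00:05 ip=203.0.113.10 user=alice result=fail
10:01:00 ip=198.51.100.1 user=bob result=fail
10:01:01 ip=198.51.100.2 user=carol result=fail
10:01:02 ip=198.51.100.3 user=dave result=ok
10:01:03 ip=198.51.100.4 user=erin result=fail
10:01:04 ip=198.51.100.5 user=frank result=fail
10:01:05 ip=198.51.100.6 user=grace result=fail
10:01:06 ip=198.51.100.7 user=heidi result=fail
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse(log):
    """Return (ip, user, failed) tuples; lines that do not match are skipped."""
    return [(m["ip"], m["user"], m["result"] != "ok")
            for m in map(LINE_RE.search, log.splitlines()) if m]

def locked_out_ips(events, threshold=5):
    """The basic per-source lockout: trips only on repeated failures from one IP."""
    fails = Counter(ip for ip, _, failed in events if failed)
    return {ip for ip, n in fails.items() if n >= threshold}

def stuffing_signal(events, min_users=5, min_ips=5):
    """Fleet-wide view: many distinct usernames each failing once or twice, spread
    over many IPs. Invisible to any check that looks at one IP or one account."""
    fails_per_user = Counter(user for _, user, failed in events if failed)
    ips_per_user = defaultdict(set)
    for ip, user, failed in events:
        if failed:
            ips_per_user[user].add(ip)
    sprayed = {u for u, n in fails_per_user.items() if n <= 2}
    source_ips = set().union(*(ips_per_user[u] for u in sprayed))
    return {"users": len(sprayed), "ips": len(source_ips),
            "suspected": len(sprayed) >= min_users and len(source_ips) >= min_ips}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("locked out:", locked_out_ips(ev))   # only the brute-force IP
    print("stuffing:", stuffing_signal(ev))     # 6 users over 6 IPs, suspected
```

In the sample, the lockout catches only the single brute-force source, while every stuffing attempt stays under the per-IP threshold and is only visible once failures are counted across usernames.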
To combat this, many services are now implementing more complex cybersecurity measures. Here are a few:
To get around this issue, many developers are choosing to go passwordless.
Both credential stuffing and brute force attacks seek to gain access to sensitive information by compromising a user’s login credentials. But if there are no login credentials to compromise, the attack has failed before it even begins.
Instead of login credentials, passwordless authentication employs alternative methods such as biometrics, SMS one-time passcodes, and email magic links to verify a user’s identity. This eliminates the need for credentials to be stored in a database that can be breached. It also takes the work out of managing credentials—one of the biggest reasons passwords are reused in the first place.
Rather than expect users to adhere to cybersecurity best practices—using unique, complex passwords composed of nonsensical numbers, letters, and symbols they’re likely to forget—it’s better to retool security infrastructure. Passwordless authentication does just that, not only defending against credential stuffing attacks but preventing them altogether by removing the vulnerability they exploit.