What is credential stuffing? How to prevent credential stuffing attacks
Latest
Auth & identity
Julianna Lamb
January 5, 2022
As more aspects of daily life go digital, we are increasingly grappling with threats to our cybersecurity and personal information. And though you might be familiar with common threats like brute force attacks—also known as credential cracking—credential stuffing differs in a few key ways.
While both brute force and credential stuffing attacks share a common goal of acquiring sensitive user information, the manner in which that information is obtained is fundamentally different. Protecting against these cyber threats requires understanding how they function. In this article, we examine the growing threat of credential stuffing, what it means for you, your app, and what users and organizations alike can do to defend against it.
What is credential stuffing?
Credential stuffing is a type of cyberattack that takes advantage of compromised credentials such as usernames, email addresses, and passwords to access secure or sensitive information.
A credential stuffing attack differs from a brute force attack in that it doesn’t rely on random attempts to decode a password or username combination. Instead, credential stuffing relies on lists of username/password combinations acquired from data breaches. Lists can contain millions of these combinations, which hackers then attempt to “stuff” across different sites on a trial and error basis.
Each successful combination can then be used to access lucrative information such as bank accounts and credit card numbers.
How big of a threat is credential stuffing?
Credential stuffing might seem laborious or not very effective. But the perpetrators behind these types of attacks employ sophisticated programs and applications to optimize their efforts. Using bots—software programs that specialize in performing repetitive, predefined tasks—malicious actors can try a multitude of password and username combinations against different services in rapid succession.
Large data breaches often yield millions of credentials. So, while the success rate for the above tactics is fairly low, the sheer amount of compromised data means that thousands of users can be affected. For example, the Android Users Data Breach in May 2021 compromised the personal data of over 100 million users spanning 23 app databases.
It’s a numbers game that increasingly favors the hacker. That’s because the majority of people reuse the same password and username combination across multiple services—up to 65 percent, in fact. Combine this with the reality that data breaches are becoming more common, and the threat of users’ personal data being compromised increases exponentially.
How to prevent credential stuffing attacks
To defend against potential credential stuffing attacks, users and developers alike first need to understand more about the bots that are essential to the process.
If you’ve ever been “timed out” or briefly locked out of a website or service after a series of incorrect logins, you’ll have some idea of the basic security in place to safeguard user data. However, bots can easily get around these countermeasures. They are capable of making multiple login attempts simultaneously and can mask these attempts so that they appear to come from different devices. In short, the system doesn’t flag the behavior as suspicious, and the bots are free to continue trying for viable username and password combinations.
To combat this, many services are now implementing more complex cybersecurity measures. Here are a few:
- CAPTCHAs
CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Most people are familiar with the simple nature of these tests—picking things like buses and crosswalks out of a lineup of images—but they pose a problem for most bots. The narrowly-defined nature of the tasks bots perform makes them incapable of interpreting images or replicating the human responses CAPTCHAs are based on. And while a bot could be developed with these capabilities, it would be both incredibly time-consuming and expensive. Furthermore, CAPTCHAs cannot be reused. So, even if a bot does correctly decipher one, it must repeat the process thousands of times, which would negatively impact the speed that makes credential stuffing so viable. (For more information about Stytch’s Strong CAPTCHA solution, visit our product page or or talk to an auth expert directly to learn more about how Stytch can help you stop bots on your application.)
- Two-factor and multi-factor authentication
Often abbreviated as 2FA, two-factor authentication is becoming an increasingly popular cybersecurity measure. A subset of multi-factor authentication (MFA), 2FA gets its name because it uses two factors to verify a user’s identity. This can be any combination of single factors such as password and username, answering a security question, or entering a one-time code delivered via text message to the user’s personal device to verify a user’s identity. More complex methods like biometric authentication (fingerprint scanning) can also be incorporated and stacked, providing two or more layers of extra security in the event that a user’s credentials are compromised. This makes 2FA/MFA a more effective countermeasure against credential stuffing attacks and a go-to for industries that deal with sensitive data, like finance and government.
- Going passwordless
While there are a plethora of password generators out there that provide users with passwords specifically designed to be hard to crack, many users still rely on simple passwords reused across multiple apps and services. This is an inherent flaw of password authentication, one that is difficult to correct because of how ingrained and widespread it is.
To get around this issue, many developers are choosing to go passwordless.
Credential stuffing and passwordless authentication
Both credential stuffing and brute force attacks seek to gain access to sensitive information by compromising a user’s login credentials. But if there are no login credentials to compromise, the attack has failed before it even begins.
Instead of login credentials, passwordless authentication employs alternative methods such as biometrics, SMS one-time passcodes, and email magic links to verify a user’s identity. This eliminates the need for credentials to be stored in a database that can be breached. It also takes the work out of managing credentials—one of the biggest reasons passwords are reused in the first place.
Rather than expect users to adhere to cybersecurity best practices—using unique, complex passwords composed of nonsensical numbers, letters, and symbols they’re likely to forget—it’s better to retool security infrastructure. Passwordless authentication does just that, not only defending against credential stuffing attacks but preventing them altogether by removing the vulnerability they exploit.