What Is Credential Stuffing?

A credential stuffing attack is when a cybercriminal takes username and password pairs stolen in one data breach and tries them, in bulk, against the login pages of many unrelated services. Credential stuffing is effective because nearly two-thirds of internet users reuse their passwords: a password that worked on a breached site will often work elsewhere. Using automated tools, attackers can test the stolen credentials against thousands of websites within minutes or hours, compromising everything from social media accounts to proprietary company software and beyond.

Credential Stuffing vs Password Spraying


Password spraying works by taking a list of known or guessed usernames and trying a small number of common passwords (such as "Password123" or the current season and year) against every one of them, keeping the attempts per account low enough to avoid triggering lockouts. If a user doesn't practise good password habits and has chosen one of those common passwords, their account can be compromised without the attacker ever having seen their credentials.

A credential stuffing attack, by contrast, relies on the reuse of passwords. With so many people reusing one password across multiple accounts, a single stolen username and password pair is enough to expose most or all of that person's accounts. Cybercriminals use botnets to run the login attempts from many devices and IP addresses at once, which both speeds up the attack and makes it harder to block by source address.

When a credential stuffing attack succeeds, the attacker can take control of your bank accounts, social media profiles and more. This can lead to outright theft of money or other assets, extortion or identity theft.

How To Detect a Credential Stuffing Attack

Detecting a credential stuffing attack early can give you time to react and protect your accounts.

For Personal Users


For an individual, the simplest detection aid is enabling Multi-Factor Authentication (MFA) on every account that supports it. MFA is an extra security measure available on most online accounts: instead of logging in with only a username and password, you must also provide one or more additional authentication factors, such as a one-time code.

If an unauthorised individual enters your correct username and password on an account with MFA enabled, you receive an MFA prompt or an email or text code that you did not request. That unexpected code is a warning that your password is in an attacker's hands: change it, along with the password of any other account where you reused it.

For Business Users


Deploy bot traffic anomaly detection.

These tools analyse incoming web traffic for signs of automation, such as a surge of login attempts spread across many different usernames, an unusually high login failure rate, or requests from many addresses that share the same automation signature, and alert you when they appear. Credential stuffing depends on bots that can submit credentials at high speed, so detecting them gives you the chance to block the traffic before accounts are taken over.

Use device and browser fingerprinting.

Fingerprinting records attributes of the device and browser used to log in, so that an attempt from a fingerprint never seen for that account, or a single fingerprint being used to log in to many unrelated accounts, can be flagged or challenged even when the submitted password is correct. Biometric credentials complement this by making for strong, unique logins: combining a password with a biometric factor makes an account much harder to take over with a leaked password alone.
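The two detection signals above, bot traffic patterns and shared device fingerprints, can be illustrated on a handful of authentication log lines. The following Python script is an added example, not code from the original page or from any product: the log format (timestamp, source IP, username, device fingerprint, result) and the thresholds are assumptions chosen for the illustration, and the log lines themselves are constructed. It flags a source address that tries many different usernames with a high failure rate (the credential stuffing pattern), distinguishes that from a single account being hammered with many passwords (brute force, which needs a different response), and catches a botnet that rotates IP addresses but shares one automation fingerprint across accounts.

```python
"""Credential stuffing indicators over a constructed authentication log.

Added example: log format, thresholds and sample data are assumptions,
not the page's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample log (not from any real system).
# Fields: timestamp source_ip username device_fingerprint result
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice fp-bot1 FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob fp-bot1 FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol fp-bot1 OK
2024-05-01T10:00:03Z 203.0.113.7 dave fp-bot1 FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin fp-bot1 FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank fp-bot1 FAIL
2024-05-01T10:01:00Z 198.51.100.22 admin fp-curl FAIL
2024-05-01T10:01:01Z 198.51.100.22 admin fp-curl FAIL
2024-05-01T10:01:02Z 198.51.100.22 admin fp-curl FAIL
2024-05-01T10:01:03Z 198.51.100.22 admin fp-curl FAIL
2024-05-01T10:01:04Z 198.51.100.22 admin fp-curl FAIL
2024-05-01T10:01:05Z 198.51.100.22 admin fp-curl FAIL
2024-05-01T10:02:00Z 192.0.2.10 gina fp-bot2 FAIL
2024-05-01T10:02:01Z 192.0.2.11 hank fp-bot2 FAIL
2024-05-01T10:02:01Z 192.0.2.12 ivy fp-bot2 FAIL
2024-05-01T10:02:02Z 192.0.2.13 jack fp-bot2 FAIL
2024-05-01T10:02:02Z 192.0.2.14 kim fp-bot2 OK
2024-05-01T10:03:00Z 10.0.0.5 alice fp-alice-mac OK
2024-05-01T10:03:10Z 10.0.0.6 bob fp-bob-win FAIL
2024-05-01T10:03:25Z 10.0.0.6 bob fp-bob-win OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, fp, result = m.groups()
        events.append({"ts": ts, "ip": ip, "user": user, "fp": fp, "ok": result == "OK"})
    return events


def detect(events, min_accounts=5, min_fail_ratio=0.7, brute_force_attempts=5):
    """Return credential stuffing, brute force and shared-fingerprint findings.

    Thresholds are illustrative assumptions; tune them to real traffic volumes.
    """
    by_ip = defaultdict(list)
    by_fp = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        by_fp[e["fp"]].append(e)

    findings = {"stuffing_ips": [], "brute_force_ips": [],
                "stuffing_fingerprints": [], "compromised_accounts": set()}

    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fail_ratio = sum(not e["ok"] for e in evs) / len(evs)
        if len(users) >= min_accounts and fail_ratio >= min_fail_ratio:
            # Many different accounts, mostly failing: stuffing (or spraying) from one source.
            findings["stuffing_ips"].append(ip)
            findings["compromised_accounts"].update(e["user"] for e in evs if e["ok"])
        elif len(users) == 1 and sum(not e["ok"] for e in evs) >= brute_force_attempts:
            # One account, many failures: password guessing against a single user instead.
            findings["brute_force_ips"].append(ip)

    for fp, evs in by_fp.items():
        users = {e["user"] for e in evs}
        fail_ratio = sum(not e["ok"] for e in evs) / len(evs)
        if len(users) >= min_accounts and fail_ratio >= min_fail_ratio:
            # One device/browser fingerprint across many accounts, even if the
            # source IPs differ: a botnet sharing the same automation tooling.
            findings["stuffing_fingerprints"].append(fp)
            findings["compromised_accounts"].update(e["user"] for e in evs if e["ok"])

    # Successful logins inside a flagged burst are the reused passwords that worked.
    findings["compromised_accounts"] = sorted(findings["compromised_accounts"])
    return findings


if __name__ == "__main__":
    for key, value in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The per-IP view alone misses the botnet in the sample, since each of the 192.0.2.x addresses makes just one attempt; the fingerprint view catches it because the same fingerprint appears against five different accounts. The accounts that returned OK inside a flagged burst (carol and kim in the constructed data) are the ones whose reused passwords should be reset and whose sessions should be revoked.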

How To Prevent Credential Stuffing

Preventing Credential Stuffing as a User

To prevent a credential stuffing attack from happening to you, start by securing each of your online accounts with a strong and unique password, so that a breach of one site cannot be replayed against another. Your passwords should contain at least 16 characters and have a combination of uppercase and lowercase letters with a mix of symbols and numbers. To help you create strong passwords, use a password generator. A password generator is a tool, often free and built into password managers, that randomly generates a string of characters to use as your password.

Generated passwords are not easy to remember so it’s best to store them in a password manager. A password manager helps you store and manage all your passwords and you only have to remember one strong master password to access the rest of your credentials.
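To show what a password generator of the kind described above actually does, here is an added Python example; it is not the page's or any vendor's code. It draws every character from the operating system's cryptographically secure random source via the standard `secrets` module (the general-purpose `random` module is predictable and must not be used for passwords), enforces the page's guidance of at least 16 characters drawn from all four character classes, and reports the resulting entropy.

```python
"""Random password generation with a CSPRNG (added example, not the page's code)."""
import math
import secrets
import string

# The four character classes the page's guidance asks for.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters
MIN_LENGTH = 16


def has_all_classes(password):
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length=MIN_LENGTH):
    """Return a uniformly random password of `length` chars containing every class.

    Rejection sampling (regenerate until all classes are present) keeps the
    distribution uniform over qualifying passwords; forcing one character per
    class and shuffling would skew it. With 94 symbols and 16+ characters the
    rejection rate is low, so the loop almost always finishes on the first pass.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"passwords should be at least {MIN_LENGTH} characters")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(password):
            return password


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string of `length` symbols, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

A 16-character password over this 94-symbol alphabet has roughly 105 bits of entropy, far beyond what an attacker can guess online or offline, which is why a randomly generated password stored in a password manager beats any memorable pattern.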

As an extra security step, enable MFA whenever possible. MFA helps protect your online accounts from being compromised by unauthorised users. Enabling MFA reduces the risk of falling victim to a credential stuffing attack because even if an attacker gets hold of your username and password, they cannot get in without the additional factor that only you have.

Preventing Credential Stuffing as a Business

To prevent credential stuffing from happening at your organisation, start with securing your employees’ accounts with strong passwords and enforcing the use of MFA. The best way to ensure employees are following password best practices is by implementing a business password manager.

Business password managers give IT administrators visibility into employee password practices, such as weak or reused passwords. They also help admins enforce password security policies, for example a minimum password length and the use of MFA wherever it's supported. With a centralised password management solution, organisations can make sure they are taking the necessary precautions against credential stuffing attacks that would otherwise result in compromised employee accounts.

Beware of Credential Stuffing

Credential stuffing attacks can put personal and business data at serious risk, which can lead to identity theft and financial losses. To prevent you or your business from becoming a victim of credential stuffing it’s important to know what this attack entails and what you can do to protect your online accounts.
