Credential stuffing is a type of cybersecurity attack, or to be exact, account takeover (ATO) attack, where a cybercriminal attempts logins with a pre-collected login credential (or a list of login credentials). For example, the attacker is in possession of a working credential for Gmail and attempts to use the same credential on Facebook and Instagram.
A massive number of leaked user credentials (stolen or otherwise) are circulating on the internet, including on hackers’ marketplaces on the dark web. In practice, cybercriminals use bots to automate the credential stuffing process: with the help of sophisticated credential stuffing bots, they can inject thousands of credentials into thousands of different websites per minute.
Credential Stuffing vs. Brute Force
As briefly discussed, credential stuffing is just one of several different types of account takeover (ATO) attacks available, including brute force attacks.
In general, we can differentiate ATO attacks into three main methods:
- Brute force: the attacker tries every possible password combination (e.g. working through a dictionary from A to Z) against a single user account
- Credential stuffing: the attacker tests legitimate, working credentials from one site against another site or web service
- Password spraying: the attacker tests one common password (e.g. “January1992”) against a large number of different accounts
As we can see, credential stuffing is fairly unique compared to the other types of ATO attacks since the attacker is already in possession of a legitimate username/password pair.
Credential stuffing exploits a very common mistake made by many people: we tend to use the same password for all our accounts. Credential stuffing has a success rate of between 1 and 3 percent, which is fairly “high” considering the low risk, cost, and effort associated with the attack.
Effective Credential Stuffing Prevention Methods
Require Strong and Unique Passwords
Since credential stuffing relies on human error, namely people reusing the same password over and over again, the best approach is to educate users and make it mandatory for them to use strong and unique passwords for each of their accounts.
Passwords should be at least 10 characters long and include a combination of uppercase/lowercase letters, numbers, and symbols.
We can encourage the use of password managers that can generate and “remember” unique and complex passwords to help with this method.
Require Unique Usernames
Ensuring that all users use strong and unique passwords can be very difficult to implement, but we can reduce the risk by requiring users to create their own unique username (instead of using an email address as the username).
This makes it more difficult for attackers to obtain the right username/password pair for credential stuffing, since many leaked credential lists typically only contain email addresses as usernames.
When using this approach, it’s also important to make sure that the generated username is not predictable (e.g. built from parts of the user’s full name or from sequential numbers).
2-Factor Authentication
2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is a very effective approach to stop credential stuffing, password spraying, and other forms of password-related security attacks.
The reason is fairly simple: 2FA requires a second factor besides the password before a user can access the account, so even after a successful credential stuffing attempt, the attacker won’t get access to the account just by submitting the right username/password pair.
This second factor can be:
- Something you are: fingerprint, retinal/iris scan, face ID
- Something you have: a USB dongle or a paired smartphone
- Something you know: secondary password/PIN, answer to a secret question, etc.
However, implementing 2-factor authentication can often disrupt the user experience, so it’s best to use it sparingly, only when we suspect a request is coming from credential stuffing bots. For example:
- Multiple login attempts to multiple accounts from a single IP address
- Login attempts from IP addresses that appear on known blocklists
- Login attempts from an unusual location
- Login attempts from an unusual browser or device
- Login attempts from countries that are considered suspicious
CAPTCHA
CAPTCHA is, simply put, a test designed to block bots: it is fairly easy for human users to solve but ideally very difficult, if not impossible, for bots.
CAPTCHAs, however, are no longer bulletproof and, as with 2-factor authentication, should be used sparingly.
Fingerprinting Detection
For credential stuffing attacks from less sophisticated bots, we can use basic fingerprinting techniques such as blocking IP addresses, together with fingerprints obtained from the HTTP headers (e.g. the “User-Agent” header): OS type, browser type, language used, and so on.
We can also use JavaScript to gather more information from the client, such as screen resolution, installed plugins, installed fonts, etc.
We can record the usual “fingerprints” of a user and match them against any browser attempting to log in to the account. If they don’t match the user’s known fingerprints, we can ask the user for 2FA or to solve a CAPTCHA.
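The step-up triggers listed under 2-Factor Authentication above and the header-based fingerprint check described in this section, as an added example that is not part of the original article: a small risk scorer run over constructed login-log lines, which requests a second factor or CAPTCHA when an IP cycles through many accounts, sits on a blocklist, or presents a fingerprint the user has never logged in with. The log format, user agents, blocklist entry, known fingerprints and the threshold of three accounts per IP are all assumptions.

```python
from datetime import datetime, timedelta
import hashlib

def fingerprint(user_agent: str, accept_language: str) -> str:
    """Passive fingerprint from two HTTP headers, hashed so only a digest is stored."""
    return hashlib.sha256(f"{user_agent}|{accept_language}".encode()).hexdigest()[:16]

# Constructed user agents, blocklist entry and per-user known fingerprints (stand-ins
# for a real threat feed and the "usual fingerprints" recorded per user)
UA_DESKTOP = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
UA_SCRIPT = "python-requests/2.31"
BLOCKLIST = {"203.0.113.9"}
KNOWN_FINGERPRINTS = {"alice": {fingerprint(UA_DESKTOP, "en-US")}}

def parse(line: str) -> dict:
    """Parse one tab-separated login-log line: ts, ip, user, user-agent, language, result."""
    ts, ip, user, ua, lang, result = line.split("\t")
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "ua": ua, "lang": lang, "ok": result == "OK"}

# Constructed sample log: one IP cycling through several accounts, then a normal login
LOG = [parse(l) for l in [
    f"2024-03-01T10:00:00\t198.51.100.7\talice\t{UA_SCRIPT}\ten\tFAIL",
    f"2024-03-01T10:00:02\t198.51.100.7\tbob\t{UA_SCRIPT}\ten\tFAIL",
    f"2024-03-01T10:00:04\t198.51.100.7\tcarol\t{UA_SCRIPT}\ten\tFAIL",
    f"2024-03-01T10:00:06\t198.51.100.7\tdave\t{UA_SCRIPT}\ten\tOK",
    f"2024-03-01T10:05:00\t192.0.2.10\talice\t{UA_DESKTOP}\ten-US\tOK",
]]

def distinct_accounts_from_ip(log, ip, now, window=timedelta(minutes=5)):
    """How many different accounts this IP has tried in the window ending at `now`."""
    return len({a["user"] for a in log
                if a["ip"] == ip and timedelta(0) <= now - a["ts"] <= window})

def risk_signals(log, attempt, max_accounts=3):
    """Signals that fire for one attempt; any of them should trigger 2FA or a CAPTCHA."""
    signals = []
    if distinct_accounts_from_ip(log, attempt["ip"], attempt["ts"]) >= max_accounts:
        signals.append("many_accounts_from_ip")
    if attempt["ip"] in BLOCKLIST:
        signals.append("blocklisted_ip")
    if fingerprint(attempt["ua"], attempt["lang"]) not in KNOWN_FINGERPRINTS.get(attempt["user"], set()):
        signals.append("unknown_fingerprint")
    return signals

def requires_step_up(log, attempt) -> bool:
    """A correct username/password pair is still held at the second factor when a signal fires."""
    return bool(risk_signals(log, attempt))
```

Note that the fourth line of the sample log is a correct password guess: it is still challenged because the same IP has already tried four accounts and the script's fingerprint is unknown for that user.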
Really sophisticated bots, however, can spoof their fingerprints, rendering fingerprint-based analysis fairly useless. This is where the next method comes in.
AI-Based Bot Management Solution
For advanced credential stuffing attacks utilizing sophisticated bots, an adequately powerful bot management solution using AI and machine learning technologies is crucial.
Since sophisticated bots also use AI and other technologies to mask their fingerprints (for example, rotating through many IP addresses via residential proxies), we can’t rely on fingerprinting/signature-based detection to identify the presence of credential stuffing bots.
Advanced credential stuffing prevention strategies can use machine learning to analyze a user’s interactions, such as mouse movements and keystroke anomalies, as well as the user’s intent, to accurately distinguish credential stuffing bots from legitimate users and good bots.