What Is Credential Stuffing?

Date First Published: 12th November 2023

Topic: Cybersecurity

Subtopic: Threats To Systems, Data & Information

Article Type: Computer Terms & Definitions

Difficulty: Medium

Difficulty Level: 7/10

Learn about what credential stuffing is in this article.

Credential stuffing is a type of cyberattack that follows the compromise of a user account. The attacker takes the same username and password combination and tries it on other websites and services, particularly high-traffic and well-established ones, in the hope that the user reused it. Attackers typically work from lists of stolen credentials exposed in earlier data breaches and feed them into the login forms of the targeted website or online service.

Credential stuffing attacks have become more common because lists of breached credentials are widely posted and sold. Bots are often used to submit the breached credentials to an online service or website's login form at scale. Even so, credential stuffing attacks usually have a very low success rate, typically under 0.5%.

How To Prevent Credential Stuffing?

The following measures help prevent credential stuffing:

  • Avoid reusing passwords. If a password is never reused, an attacker who tries a leaked username and password combination elsewhere gains nothing. With unique passwords, credential stuffing cannot unlock more than the one account that was originally breached.
  • Use two-factor authentication when available as an extra layer of security. Even if a credential stuffing attack supplies the correct password, the attacker is very unlikely to get past the second factor, such as the four to six-digit security code, and so cannot access the account.
  • Use CAPTCHAs. CAPTCHAs prevent web forms from being abused by automated bots. Because the challenges are designed to be solvable only by humans, most bots and credential stuffing tools cannot get past them, which blocks their attacks.
  • Limit failed login attempts. Locking users out after a certain number of failed attempts, usually three, prevents attackers from trying multiple passwords. The lockout may be enforced by blocking the attacker's IP address or by disabling the password and requiring a reset.
  • Avoid using compromised usernames and passwords. Before using a username and password combination, check that it does not appear in a database of known compromised passwords. Some applications perform this check automatically and notify users when they are reusing a username and password combination that has previously been compromised.

Difference Between Credential Stuffing and Brute-Force Attacks

Credential stuffing differs from a classic brute-force attack. A brute-force attack tries to guess a password by submitting large numbers of candidates, often drawn from a list of character combinations or common passwords. Credential stuffing can be seen as a specialised form of brute-force attack that uses breached data, which greatly reduces the number of guesses needed. A further difference is that password strength does not protect against credential stuffing: even a strong password, if reused across multiple accounts, can still be found by credential stuffing.
