
5 Tips for Credential Stuffing Prevention

Posted Date: April 28, 2022
Posted Time: 3 min Read

Data breaches and their immediate impact on the organization are widely publicized. But what happens after the breach, especially with the breached credentials such as usernames and passwords? The breached credentials are often sold in the black market or leveraged by the attacker to attack the same or other organizations. When these stolen credentials are reused on different websites, it is known as credential stuffing. Credential stuffing attacks are prevalent bot-based threats today but preventable with the right measures and security controls.

This article deep dives into credential stuffing and ways to stop and mitigate these attacks.

A Deep Dive into Credential Stuffing

Credential stuffing is a type of cyberattack wherein attackers leverage automated tools/ botnets to inject pre-collected credentials (stolen in a breach or bought from the dark web) to gain access to the user accounts of the same or another organization.

Credential stuffing is easy to execute and tends to have a high success rate. Many users reuse the same login credentials across multiple platforms, so once an attacker obtains the username and password of one such account, they can compromise the user's other accounts as well.

Another reason credential stuffing attacks are so easy to execute is that massive volumes of compromised credentials are readily available. Attackers can buy them, and many breached credentials are also openly available in plaintext on the dark web.

How Do Credential Stuffing Attacks Work?

The attacker loads the list of stolen or purchased credentials into a botnet or automated tool, which tries the credential pairs against many websites at once while rotating through different IP addresses.

The tool records the website(s) where a set of compromised credentials works, so the attacker never has to log into a single service by hand. The attacker then monitors the successful logins and uses the accounts for malicious activities such as:

  • Extracting sensitive information
  • Transferring funds
  • Committing identity theft and brand impersonation
  • Conducting corporate or institutional espionage
  • Committing e-commerce fraud
  • Selling access to the newly compromised accounts

Credential Stuffing vs. Brute Force Attacks

Despite their similarities, credential stuffing is different from a brute force attack. The main difference is that in a brute force attack, the attacker tries to guess credentials without any context or data from previous breaches: they vary characters and numbers, try random strings, commonly guessable passwords, and so on, in order to crack the credentials. Credential stuffing instead replays username and password pairs that are already known to be valid somewhere.

Credential Stuffing Attack Prevention: Effective Ways

Multi-Factor Authentication (MFA)

One of the best credential stuffing defenses is multi-factor authentication. MFA requires users to perform additional authentication steps to prove that they are a legitimate entity and not a bot or attacker trying to access the account. Requiring the user to enter an OTP sent to a pre-registered phone number is one of the best ways to authenticate the user.

Implementing MFA may not be feasible in all cases as it can be disruptive to business. So, it is used in combination with other measures such as device fingerprinting, enabling MFA automatically for users determined to be at greater risk, and so on.

Enforce a Strong Password and Authentication Policy 

The easiest credential stuffing prevention measure is strictly imposing a strong password policy.

  • Use password managers to generate unique usernames and strong passwords
  • Require users to create different passwords for different accounts
  • Set a strict limit on the number of failed authentication requests

For instance, BFSI (banking, financial services and insurance) organizations typically allow a maximum of 3-5 failed login requests before freezing the user account without exception, so the user must visit a branch to reactivate it. In other sectors, even if accounts cannot be frozen, you can set a time window for counting failed logins and notify the user to reset their password when it is exceeded.

  • Hash credentials such as usernames and passwords before storing them in your database. Credentials must never be stored in plaintext.
  • Keep monitoring public data dumps to check whether breached email addresses and credentials are present in your database. If so, enforce a password reset and MFA for those users.
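The three controls above (a salted, slow password hash, a cap on failed logins within a window, and a check of your user base against a published dump) fit together in a small account store. The following is an added example, not code from the article or from Indusface; the breach dump, addresses and passwords in it are constructed placeholders, and the failure cap of 5 follows the BFSI range given above.

```python
import hashlib
import hmac
import os

# Constructed sample of a public breach dump from some other site (placeholder addresses,
# not real leaked data); monitoring such dumps is the last item in the list above.
BREACHED_DUMP = {("alice@example.test", "Summer2021!"), ("bob@example.test", "password123")}

MAX_FAILED_ATTEMPTS = 5       # BFSI-style cap of 3-5 failures before the account is frozen
FAILURE_WINDOW_SECONDS = 900  # failures older than this no longer count toward the cap
PBKDF2_ROUNDS = 210_000       # slow, salted hash; tune the round count to current guidance


def hash_password(password, salt=None):
    """Return (salt, digest). A random per-user salt means the same password at two sites
    hashes differently, and PBKDF2 makes offline cracking of a stolen table expensive."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class AccountStore:
    def __init__(self):
        self.users = {}  # email -> {"salt", "digest", "failures": [timestamps], "frozen"}

    def register(self, email, password):
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest, "failures": [], "frozen": False}

    def login(self, email, password, now):
        """now is the current time in seconds. Returns 'ok', 'denied', 'frozen' or 'unknown';
        the account is frozen on the Nth failure inside the window."""
        user = self.users.get(email)
        if user is None:
            return "unknown"
        if user["frozen"]:
            return "frozen"
        user["failures"] = [t for t in user["failures"] if now - t < FAILURE_WINDOW_SECONDS]
        if verify_password(password, user["salt"], user["digest"]):
            user["failures"].clear()
            return "ok"
        user["failures"].append(now)
        user["frozen"] = len(user["failures"]) >= MAX_FAILED_ATTEMPTS
        return "frozen" if user["frozen"] else "denied"

    def users_in_dump(self, dump):
        """Accounts whose current password appears in a breach dump: force a reset and MFA."""
        return sorted(email for email, pw in dump if email in self.users and
                      verify_password(pw, self.users[email]["salt"], self.users[email]["digest"]))
```

Note that `users_in_dump` verifies each dumped pair against the stored hash, so the check works without ever keeping plaintext passwords on your side.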

CAPTCHA

CAPTCHA is a great way to reduce the effectiveness of credential stuffing attacks. It must be used in combination with other means and applied intelligently to challenge suspicious traffic, since it can be disruptive for the business.

Device Fingerprinting

Credential stuffing can also be prevented by using device fingerprinting. Create a fingerprint for each session from information collected from the user's device, such as language, OS, browser and time zone. If the same combination of parameters is used for a run of login attempts in quick succession, it is probably an attack. You can then apply IP blocking, temporary bans and similar measures to that fingerprint.

Other Measures

  • Rate limiting based on geography, originating data centers, etc.
  • IP blacklisting based on threat intelligence and insights from granular traffic analysis
  • Blocking headless browsers
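The fingerprinting rule above and the headless-browser measure in this list can be expressed as a small monitor over login events. This is an added example, not code from the article or from Indusface; the login events, IP addresses and browser strings are constructed. It refines the article's rule slightly: it counts distinct accounts per fingerprint within a window rather than raw attempts, so one user retrying their own account from the same device is not flagged while a botnet cycling through many accounts behind a constant browser profile is.

```python
import hashlib
from collections import defaultdict, deque


def event(ts, user, ip, browser="Firefox/99", lang="en-US", os_name="Windows", tz="Europe/Berlin"):
    """Constructed login event (not real traffic) with the attributes the article lists."""
    return {"ts": ts, "user": user, "ip": ip, "lang": lang, "os": os_name, "browser": browser, "tz": tz}


# Constructed sample: one real user (eve) on her own device, and a botnet profile that rotates
# source IPs while keeping the same browser/OS/language/time-zone combination.
BOT = dict(browser="Chrome/100", os_name="Linux", tz="UTC")
SAMPLE_EVENTS = [
    event(0, "eve", "198.51.100.7"),
    event(5, "alice", "203.0.113.10", **BOT),
    event(6, "bob", "203.0.113.11", **BOT),
    event(8, "eve", "198.51.100.7"),          # eve retries her own account: same fingerprint, one account
    event(9, "carol", "203.0.113.12", **BOT),  # third distinct account from the bot profile
    event(10, "dave", "203.0.113.13", browser="HeadlessChrome/100", os_name="Linux", tz="UTC"),
]


def fingerprint(ev):
    """Hash the client attributes into one identifier. The IP is deliberately left out: the
    botnet rotates IPs, but its browser profile stays constant across attempts."""
    raw = "|".join(ev[k] for k in ("lang", "os", "browser", "tz"))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


class FingerprintMonitor:
    """Blocks a fingerprint seen logging into max_accounts different accounts within the window.
    Counting distinct accounts, not raw attempts, keeps a user retrying a typo from being flagged."""

    def __init__(self, max_accounts=3, window_seconds=60):
        self.max_accounts, self.window = max_accounts, window_seconds
        self.recent = defaultdict(deque)  # fingerprint -> deque of (ts, user)

    def observe(self, ev):
        if "headless" in ev["browser"].lower():  # spoofable, so a weak signal, but cheap to apply
            return "block:headless"
        q = self.recent[fingerprint(ev)]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > self.window:
            q.popleft()
        if len({u for _, u in q}) >= self.max_accounts:
            return "block:fingerprint"
        return "allow"


def run(events, **kwargs):
    mon = FingerprintMonitor(**kwargs)
    return [mon.observe(ev) for ev in events]
```

Feed `run(SAMPLE_EVENTS)` events in time order; the thresholds are illustrative and should be tuned to your own traffic, as the article notes for CAPTCHA and MFA.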


Credential stuffing, a bot-based attack, can be stopped and mitigated effortlessly if you invest in a comprehensive, intelligent, managed bot management and security solution like AppTrana.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
