5 Tips for Credential Stuffing Prevention

Posted: April 28, 2022 | 3 min read

Data breaches and their immediate impact on the organization are widely publicized. But what happens after the breach, especially to the breached credentials such as usernames and passwords? Breached credentials are often sold on the black market or leveraged by the attacker to attack the same or other organizations. When these stolen credentials are replayed against other websites, the attack is known as credential stuffing. Credential stuffing attacks are among the most prevalent bot-based threats today, but they are preventable with the right measures and security controls.

This article deep dives into credential stuffing and ways to stop and mitigate these attacks.

A Deep Dive into Credential Stuffing

Credential stuffing is a type of cyberattack wherein attackers use automated tools or botnets to submit pre-collected credentials (stolen in a breach or bought on the dark web) to login forms in order to gain access to user accounts at the same or another organization.

Credential stuffing is easy to execute and tends to have a high success rate because many users reuse the same login credentials across multiple platforms. So, once the attacker obtains the username and password of one such account, they can compromise the user's other accounts as well.

Another reason credential stuffing attacks are so easy to execute is that massive volumes of compromised credentials are readily available. Attackers can buy them, but breached credentials are also openly available in plaintext on the dark web.

How Do Credential Stuffing Attacks Work?

The attacker loads the list of stolen or purchased credentials into a botnet or automated tool. The tool then tries the credential pairs against many websites at once while rotating through different IP addresses.

The botnet or automated tool identifies the website(s) where a set of compromised credentials works. Automation spares the attacker from logging into a single service repeatedly by hand. The attacker monitors successful logins and engages in malicious activities such as:

  • Extracting sensitive information
  • Transferring funds
  • Engaging in identity theft and brand impersonation
  • Corporate or institutional espionage
  • Committing e-commerce fraud
  • Selling access to the newly compromised accounts

Credential Stuffing vs. Brute Force Attacks

Despite their similarities, credential stuffing is different from a brute force attack. The main difference is that in a brute force attack the attacker attempts to guess credentials without any context or data from previous breaches: they vary characters and numbers, or use random strings, commonly guessed passwords, and the like, to crack the credentials. In credential stuffing, the attacker already holds valid username/password pairs and simply tries them elsewhere.

Credential Stuffing Attack Prevention: Effective Ways 

Multi-Factor Authentication (MFA)

One of the best credential stuffing defenses is multi-factor authentication. MFA requires users to perform an additional authentication step to prove that they are the legitimate account holder and not a bot or attacker trying to access the account. Requiring the user to enter an OTP sent to a pre-registered phone number is one of the best ways to authenticate the user.

Implementing MFA may not be feasible in all cases, as it can be disruptive to the business. So, it is typically used in combination with other measures, such as device fingerprinting and enabling MFA automatically for users determined to be at greater risk.

Enforce a Strong Password and Authentication Policy 

The easiest credential stuffing prevention measure is strictly enforcing a strong password and authentication policy.

  • Use password managers to generate unique usernames and strong passwords
  • Require users to create different passwords for different accounts
  • Set a strict limit on the number of failed authentication requests

For instance, BFSI organizations typically allow a maximum of 3-5 failed login requests before freezing the user account without exception, so the user must visit a branch to reactivate it. In other sectors, even if accounts cannot be frozen, you can set a time window for failed logins and prompt the user to reset their password when it is exceeded.

  • Hash the credentials (passwords and any other secrets) stored in your database. Credentials must never be stored in plaintext.
  • Keep monitoring public data dumps to check whether breached email addresses and credentials appear in your database. If so, enforce a password reset and MFA for those users.
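The last two points above, as an added example that is not code from the original article: passwords are stored as salted PBKDF2 hashes rather than plaintext, and a constructed plaintext breach dump from another site is checked against the user table to find accounts whose current password was leaked. The user table, dump contents and email addresses are all constructed sample data.

```python
import hashlib
import hmac
import os

# OWASP's current recommended work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest): a random per-user salt and a slow, salted hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how close a guess was."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def find_reused_breached_credentials(user_db, breach_dump):
    """Return emails whose current password matches one in a public dump.

    Only accounts whose email appears in the dump are checked, so the slow KDF
    runs once per matching (email, password) pair, not once per dump row.
    These users should get a forced reset and MFA, as the article recommends."""
    at_risk = []
    for email, leaked_password in breach_dump:
        record = user_db.get(email.lower())
        if record and verify_password(leaked_password, *record):
            at_risk.append(email.lower())
    return at_risk


# Constructed sample user table: {email: (salt, digest)}.
USER_DB = {
    "alice@example.com": hash_password("Winter2021!"),
    "bob@example.com": hash_password("correct horse battery staple"),
    "carol@example.com": hash_password("hunter2"),
}

# Constructed sample of a plaintext breach dump from another site: (email, password).
BREACH_DUMP = [
    ("Alice@Example.com", "Winter2021!"),   # same password reused here -> at risk
    ("bob@example.com", "oldpassword"),     # email known, but password differs
    ("dave@example.com", "hunter2"),        # not a user of this site
]
```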

Use CAPTCHA

CAPTCHA is a great way to reduce the effectiveness of credential stuffing attacks. It must be used in combination with other means and applied intelligently, challenging only suspicious traffic, since it can be disruptive for the business.

Device Fingerprinting

Credential stuffing can also be prevented by using device fingerprinting. Create a fingerprint for each session from information such as language, OS, browser, and time zone collected from the user's device. If the same combination of parameters is used several times in succession to log in, it is probably an attack. You can then apply IP blocking, temporary bans, etc., to that fingerprint.

Other Measures: 

  • Rate limiting based on geography, originating data centers, etc.
  • IP blacklisting based on threat intelligence and insights from granular traffic analysis
  • Blocking headless browsers
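The failed-login limit, the device-fingerprint check and the per-source rate limiting described above, combined in one detector as an added example (not code from the original article). It runs over constructed login log lines and shows why both views are needed: a per-account lockout catches brute force, while a stuffing run, which tries each leaked pair only once, is only visible per fingerprint. The log format, fingerprint strings, IP addresses and per-fingerprint thresholds are assumptions made for the example.

```python
from collections import defaultdict

# The article cites 3-5 failed logins before a BFSI lockout; the per-fingerprint
# thresholds below are assumed values for this example.
MAX_FAILED_PER_ACCOUNT = 5
MIN_DISTINCT_USERS_PER_FP = 10
MIN_FAILURE_RATIO = 0.8


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' login log line."""
    ev = dict(p.split("=", 1) for p in line.split()[1:])
    ev["ok"] = ev["result"] == "ok"
    return ev


def analyze(lines):
    """Return (locked_accounts, flagged_fingerprints).

    Per-account lockout catches brute force (many failures on one user); the
    per-fingerprint view catches stuffing (one device, rotating IPs, many users)."""
    failures, locked = defaultdict(int), set()
    fp_users, fp_total, fp_fail = defaultdict(set), defaultdict(int), defaultdict(int)
    for ev in map(parse_event, lines):
        user, fp = ev["user"], ev["fp"]
        fp_users[fp].add(user)
        fp_total[fp] += 1
        if ev["ok"]:
            failures[user] = 0          # a successful login resets the counter
            continue
        failures[user] += 1
        fp_fail[fp] += 1
        if failures[user] >= MAX_FAILED_PER_ACCOUNT:
            locked.add(user)
    flagged = {fp for fp in fp_total
               if len(fp_users[fp]) >= MIN_DISTINCT_USERS_PER_FP
               and fp_fail[fp] / fp_total[fp] >= MIN_FAILURE_RATIO}
    return locked, flagged


ATTACK_FP = "en-US|Windows|Chrome/99|UTC"
LEGIT_FP = "en-GB|macOS|Safari/15|Europe/London"
# Constructed sample log: alice mistypes twice then succeeds, bob is brute-forced,
# and a stuffing run tries 12 different users from 12 IPs but one fingerprint.
SAMPLE_LOG = (
    [f"2022-04-28T10:00:0{i} user=alice ip=203.0.113.5 fp={LEGIT_FP} result=fail" for i in range(2)]
    + [f"2022-04-28T10:00:02 user=alice ip=203.0.113.5 fp={LEGIT_FP} result=ok"]
    + [f"2022-04-28T10:01:{i:02d} user=bob ip=203.0.113.9 fp={LEGIT_FP} result=fail" for i in range(6)]
    + [f"2022-04-28T10:02:{i:02d} user=victim{i} ip=198.51.100.{i} fp={ATTACK_FP} result={'ok' if i == 7 else 'fail'}" for i in range(12)]
)
```

Note that the per-account counter never fires for the stuffing run (each victim account sees a single failure), which is exactly why the article pairs lockouts with fingerprinting and rate limiting.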

Conclusion 

Credential stuffing, a bot-based attack, can be stopped and mitigated effortlessly if you invest in a comprehensive, intelligent, managed bot management and security solution like AppTrana.
