5 Effective Ways to Prevent Credential Stuffing

We hear about newly discovered data breaches every day, but rarely get to know the direct consequences of any particular breach. This is because it takes time before the data get sold and used for crimes, and even so, the cause-and-effect relationship is hard to observe. In this article, we show how criminals can utilize leaked personal data, particularly leaked login credentials.

According to a mid-year data breach report published by Risk Based Security, in the first half of 2020, a 52% drop in the number of reported data breaches was observed compared to the same period last year. However, the total number of records compromised in these breaches reached an astonishing 27 billion; this is 12 billion more leaked records than the whole year of 2019.

This is a concerning trend because it shows that the scale of today’s data breaches has grown, and that more and more personal records are now flowing on the Internet. 

Even if a data breach occurred at a company that you share no valuable information with, it does not mean that you are safe because your login credentials used for that company could be used to crack into all your other accounts, in a process called credential stuffing.


What is Credential Stuffing?

Credential stuffing is the automated injection of pre-collected login credentials (i.e. usernames, emails, passwords) to break into user accounts. After breaking into an account, attackers can extract valuable information from it, including personally identifiable information (PII) and credit card information, for identity theft and financial fraud. They can also use the account for scams and phishing. Sometimes, the attackers would take over the account entirely, usually for game accounts with high ranks or valuable virtual items.

Credential stuffing is different from a brute-force attack. A brute-force attack utilizes tremendous computing resources to cluelessly attempt all the common password combinations. Credential stuffing, on the other hand, attempts access with real stolen username-password combinations. Some of the credentials are stolen directly (in a data breach), others are purchased on the dark web (from previous data breaches). 

Each stolen credential would be tried against hundreds of different services. Since people tend to use the same passwords across different services, credential stuffing has a much higher rate of success compared to brute-force attacks, and is less likely to be detected.


How Are Credential Stuffing Attacks Carried Out?

Technically, credential stuffing attacks can be carried out manually by literally typing the stolen login credentials on different online services. However, attackers don’t have time for that. Most of the time, these attacks are conducted with the help of an automated tool that distributes the requests from across different IP addresses, forming a botnet.

These tools are readily available on the dark web for as low as a few hundred dollars, making it easy for anyone without technical skills to launch such an attack.


5 Ways to Prevent Credential Stuffing

As scary as it may sound, there are many easy steps that can be taken to significantly decrease the risk of credential stuffing. Some of the steps require the efforts of service providers, while others require account users to bear a bit of inconvenience.


1. Use unique passwords for each service

This is the easiest solution. The first step to mitigate the impacts of credential stuffing is to use different passwords for each account. 

Now before you start complaining, we do understand that an average person has more than a hundred accounts, and that generating and remembering a unique password for each of them is impossible.

But what if we tell you it is entirely possible, and easy! Without the need for technology, you can actually generate an infinite number of unique and strong passwords without the need to memorize them, by creating your own “encryption rule”. To learn how, read our previous blog: Smart and Create Ways for Setting Easy and Robust Passwords.

Another option is to use a password manager like LastPass, which generates and stores unique and sophisticated passwords for the user.


2. Implement web application and API protection (WAAP)

The service provider should invest in a reliable web application and API protection (WAAP) solution to detect abnormal traffic from botnets. Although not particularly designed to prevent credential stuffing, an advanced WAAP solution like WAPPLES can detect suspicious login attempts to a certain extent, especially when a great number of attempts occur all of a sudden.

Even if not for credential stuffing, a WAAP solution should always be implemented by all website hosts to prevent data breaches caused by web attacks in the first place.


3. Limit authentication requests and set up for failed request alerts

It is a good idea for the service provider to limit the number of failed authentication requests. You can either limit the number of failed requests by IP addresses, by locations, by devices, or by time frames. Indeed, doing any one of them would not be very effective against credential stuffing since it is distributed from various residential IP addresses, locations, and devices.

This is why financial institutions are extremely strict on this, many only allow three to five failed login requests before freezing the account, regardless of IP address or device. Once deactivated, the user would need to visit a branch and reset their credentials to reactivate the account.

For most other services, freezing the account may seem too extreme, but at least limit the amount of failed requests within a certain time frame (e.g. three failed attempts per hour) to decrease the speed of the attack. Service providers should also send emails to alert the user that failed login attempts occurred, so that users can immediately change their passwords.


4. Use multi-factor authentication (MFA)

Instead of having just a single password to secure an account, two-factor authentication (2FA), or multi-factor authentication (MFA), requests one or more extra pieces of login information in addition to the password. These extra pieces of information can take various forms. 

A knowledge-based MFA is the most traditional form. The user would be asked a pre-registered security question, such as their mother’s maiden name or the name of the first school they attended. This is the easiest form of authentication, but also the weakest, because such personal information can be obtained relatively easily.

A possession-based MFA requires the user to have a device in possession. For instance, after successfully entering the password, a text message with a temporary code (one-time password) would be sent to the user’s pre-registered mobile phone number, after which the user would need to enter the code to complete the login process. This method provides very robust security, but can be quite inconvenient for the user, since they would need to have another device with them.

A biometric MFA is the newest type of authentication. Many newer devices have biometric capabilities such as fingerprint readers and facial recognition cameras. Biometric authentication provides strong protection just like one-time passwords, but its usage is limited to devices that have such capabilities. It is not yet ready to be fully implemented as a mandatory process, because there will be times when a user needs to login from a device without biometric capabilities.


5. Screen for leaked credentials

A service provider can adopt solutions that automatically scan a user’s login credentials against a large database of compromised credentials published on the dark web. This way, the user can be alerted immediately if parts of their credentials match those in the database.

Such solutions are not limited to service providers. End users could also enter their email addresses on HaveIBeenPwned.com to check (for free!) if any accounts associated with an email address had been compromised in any previous data breaches.

If a match is found, a user should immediately change all their passwords that are identical or similar to the breached password to prevent credential stuffing.

However, such screening only works if a breached database was published online. It cannot detect compromised credentials that were sold privately and never published.


ISign+, a Single Sign-On MFA Solution

ISign+ is an identity and access management solution that provides multi-factor authentication (MFA) and single sign-on (SSO) features. Supporting all authentication methods, including one-time passwords, digital certification, and biometrics, it effectively protects corporate accounts from unauthorized access.

The SSO feature allows for an integrated login process across different internal systems, such as authentication servers, databases, and policy servers, customizable for specific business environments.

A certified encryption module by the Korean National Intelligence Service, ISign+ is compliant with the FIDO2 specifications for authentication.

To learn more about ISign+, click here.


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security