Credential Stuffing Mitigation: Effective Methods To Stop Credential Stuffing Attacks

How do you mitigate credential stuffing attacks?

Credential stuffing is, at the moment, one of the biggest cybersecurity threats all over the world, and protecting your account and your system from potential credential stuffing attacks can often be very challenging. 


Here, we will discuss all you need to know about credential stuffing mitigation: key challenges, effective mitigation techniques, and how to implement them on your network and system.


Let us begin, however, by discussing the concept of credential stuffing attack itself. 


What is Credential Stuffing?

Credential stuffing is a type of cybersecurity threats defined by OWASP Automated Threat number 008  (OAT-008)


First, credential stuffing attacks can only happen when the perpetrator has already possessed pre-collected working credentials. A massive number of stolen and leaked credentials are actually being circulated over the internet, and a credential stuffing attack happens when a cybercriminal attempts to use these credentials in other websites and systems. 


For example, let’s say a cybercriminal has possessed a list of Gmail credentials. The criminal will then attempt these credentials on other sites like Facebook, Twitter, banking services, and so on. This is a credential stuffing attack. 


In practice, credential stuffing attacks are launched with the help of automated scripts (bots) that are able to inject hundreds if not thousands of login credentials to many different accounts every minute


Why Criminals Perform Credential Stuffing Attacks?

Credential stuffing attacks have a fairly high success rate due to a simple fact: 


Many of us still use a single password for all our different accounts. Thus, when an account is compromised, then all of the other accounts are at risk. 


Once the cybercriminal successfully logs in to an account via credential stuffing, they can extract confidential and/or valuable data from the account: PII (Personally Identifiable Information), banking and credit card details, and so on. They can also use the account to perform more severe attacks including financial and identity frauds. 


In short, credential stuffing, at the moment, has a fairly low risk, fairly high success rate, and is very rewarding for the attacker, making protection against it more challenging than ever. 


How Cybercriminals Execute Credential Stuffing Attacks?

While in theory, the attackers can carry out the credential stuffing attacks manually by inputting the owned credentials on different services and websites, most likely the credential stuffing attacks are performed with the help of automated bots.


These bots are actually widely available on the dark web and are relatively affordable (although advanced bots can be quite expensive). Meaning, even those without any programming and technical skills can technically perform a credential stuffing attack.


A typical credential stuffing attack is carried out as follows: 

  • The cybercriminal acquires leaked/stolen credentials 
  • The cybercriminal uses an account checker bot to test the spilled credential against many different websites
  • Typically around 0.1 to 0.2% of the total login attempts will be successful, allowing the cybercriminal to take over these accounts
  • The cybercriminal will then ‘harvest’ information from the stolen account: personally identifiable information (PII), banking/credit card details, and other valuable information
  • The cybercriminal can also use the account and account information for other attacks (i.e. phishing attacks)


How To Mitigate Credential Stuffing Attacks

Although, as we’ve discussed, credential stuffing attacks can be very challenging to mitigate and stop, there are actually many effective methods we can use to prevent credential stuffing on our system/network and mitigate the potential damage.


Here are some of the most effective ones: 


1. Use Strong And Unique Passwords

As discussed, credential stuffing attacks leverage a very common mistake of using the same password for all our different accounts, and thus the most effective way of mitigating credential stuffing attacks is to make sure your system’s users are using strong and unique passwords. 


Passwords should be at least 10 characters long, non-generic (i.e. not using birth date, pet’s name, family member/spouse’s name, etc.), and includes a combination of uppercase, lowercase letters, numbers, and symbols. 


Nowadays, we can quite easily use various affordable and even free password managers to generate and ‘remember’ complex and unique passwords, so there’s simply no reason not to use unique passwords at all times.


2. Advanced Bot Mitigation Solution

As discussed credential stuffing attacks are performed with the help of malicious bots to attempt logins to many different online services at a time. 


Thus, in theory, by stopping these bots, we can stop credential stuffing. 


In reality, however, there are two main challenges in detecting and managing bot activities: 


  • Today’s bots are really sophisticated and many are using the latest technologies like AI and machine learning to effectively impersonate human behaviors
  • There are actually good bots that are beneficial to your online service. We wouldn’t want to accidentally block, for example, Google’s crawler bot. 


Thus, we’ll need effective bot management software that can effectively differentiate bot traffic from legitimate human users, and bad bots from good bots to effectively stop credential stuffing attacks. 


3. Limit Login Attempts

Another effective method to stop credential stuffing, and also brute force attacks is to limit the number of failed login attempts. We can limit the number of failed attempts by device, IP address, time frame, and so on. If necessary, you can freeze the account if the activity is deemed too suspicious. 


4. Two-Factor Authentication

We can further strengthen the user’s credentials by requiring two-factor authentication. This way, even in the event of a successful credential stuffing attack, the attacker won’t be able to access the account since the system would require an additional piece of information that can be: 


  • Something you are: fingerprint, iris/retina, face ID
  • Something you know: security question, second password/PIN, etc. 
  • Something you have: USB dongle, smartphone pairing, etc. 



Above, we have discussed some of the most effective credential stuffing mitigation techniques available: requiring a strong and unique password, two-factor authentication, limit failed authentication attempts, but arguably the most important thing is to implement a sufficient bot detection and management solution to stop activities from credential stuffing bots.


Comments are closed.