Credential Stuffing: A New Twist on the Old Password Problem

Analysis of about 61 million passwords from more than 28 million users by researchers at Virginia Tech and the password manager Dashlane found that 52 percent of users reuse identical or very similar passwords across multiple accounts. Even after a breach has been publicly reported and users know a password has been compromised, more than 70 percent keep using it for up to a year.

Here’s the new twist on the old problem of irresponsible password practices. Compromised account credentials are now widely available on the dark web, which has become a one-stop shop for hacking tools and services. In fact, a collection of more than 2 billion unique combinations of email addresses and passwords was discovered on the dark web in January 2019.

Knowing that so many people reuse passwords across sites and accounts, attackers are buying up stolen credentials and using them to carry out credential stuffing attacks. According to a recent report from Akamai, nearly 28 billion credential stuffing attempts were recorded during the second half of 2018, and large enterprises such as Intuit, Dunkin' Donuts and Reddit have been victimized in 2019.

In a credential stuffing attack, attackers take username and password pairs leaked from one breach and try them, largely unmodified, against the login pages of unrelated services, betting that the account owner reused the same password. The attempts are fully automated, which is what lets a single operator run billions of them across many systems and potentially millions of accounts.

Brute force attacks, which hammer a single account with many different passwords, are fairly easy to detect: after a set number of failed attempts on the same account within a short period, the account is locked or throttled. Credential stuffing sidesteps that control. Each account typically sees only one or two attempts, made with a password pair believed to be valid, so no per-account threshold is ever reached; the volume is spread across many accounts, many target systems and a longer period of time.

In addition, attackers use proxy lists and other evasion tools, also sold on the dark web, to rotate source IP addresses and spoof browser user-agent strings so that the attempts appear to come from many unrelated users. Some credential stuffing tools even integrate CAPTCHA-solving services. As a result, many security tools are unable to distinguish legitimate user activity from malicious attacks.
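The difference between the two controls, as an added example that is not from the original article: a per-account lockout rule and an aggregate rule run over the same constructed authentication log. The log format, the proxy pool, the time windows and the account names are assumptions made for the demonstration.

```python
"""Credential-stuffing detection over constructed auth log lines.

Added example (not from the original article). A per-account lockout rule
catches a classic brute-force burst but not stuffing, which spends one attempt
per account across a rotating proxy pool; an aggregate rule over the whole
login stream does catch it. The log format below is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format; the three groups of lines below are constructed sample data.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def _line(ts, user, ip, result):
    return f"{ts.isoformat()} auth user={user} src={ip} result={result}"


T0 = datetime(2019, 3, 1, 9, 0, 0)
SAMPLE_LOG = []
# 1. Legitimate user: two typos, then a successful login, all from one address.
SAMPLE_LOG += [_line(T0 + timedelta(seconds=s), "alice", "203.0.113.10", r)
               for s, r in ((1, "FAIL"), (9, "FAIL"), (20, "OK"))]
# 2. Credential stuffing: 15 accounts, one try each, spread over a 5-proxy pool.
#    user07 reused a breached password, so that single attempt succeeds.
for i in range(15):
    user = f"user{i + 1:02d}"
    SAMPLE_LOG.append(_line(T0 + timedelta(seconds=60 + 2 * i), user,
                            f"198.51.100.{i % 5 + 1}",
                            "OK" if user == "user07" else "FAIL"))
# 3. Classic brute force: six rapid failures against a single account.
SAMPLE_LOG += [_line(T0 + timedelta(seconds=300 + 3 * i), "bob", "192.0.2.7", "FAIL")
               for i in range(6)]


def parse_events(lines):
    """Parse log lines into time-sorted event dicts; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "ip": m["ip"], "ok": m["result"] == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def per_account_lockouts(events, threshold=5, window=timedelta(minutes=15)):
    """Traditional control: lock an account after `threshold` failures within
    `window`. Returns the set of accounts that would be locked."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["user"]].append(e["ts"])
    locked = set()
    for user, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                locked.add(user)
                break
    return locked


def detect_stuffing(events, window=timedelta(minutes=10), min_failed_accounts=10,
                    min_fail_ratio=0.75, min_users_per_ip=3):
    """Aggregate control: examine the whole login stream per time window.
    Returns one alert dict per window that exceeds the thresholds."""
    if not events:
        return []
    start = events[0]["ts"]
    buckets = defaultdict(list)
    for e in events:
        buckets[int((e["ts"] - start) // window)].append(e)
    alerts = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        failed_accounts = {e["user"] for e in evs if not e["ok"]}
        fail_ratio = sum(not e["ok"] for e in evs) / len(evs)
        if len(failed_accounts) < min_failed_accounts or fail_ratio < min_fail_ratio:
            continue
        # Signature of stuffing: one source address trying many different accounts.
        users_by_ip = defaultdict(set)
        for e in evs:
            users_by_ip[e["ip"]].add(e["user"])
        spraying_ips = {ip for ip, users in users_by_ip.items()
                        if len(users) >= min_users_per_ip}
        # A success from a spraying address is a probable account takeover: these
        # are the accounts to reset and whose sessions to revoke first.
        likely_compromised = sorted({e["user"] for e in evs
                                     if e["ok"] and e["ip"] in spraying_ips})
        alerts.append({"window_start": start + idx * window,
                       "failed_accounts": len(failed_accounts),
                       "fail_ratio": round(fail_ratio, 2),
                       "spraying_ips": sorted(spraying_ips),
                       "likely_compromised": likely_compromised})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("locked by per-account rule:", per_account_lockouts(evs))
    for alert in detect_stuffing(evs):
        print("stuffing alert:", alert)
```

Run as written, the per-account rule locks only `bob`, the brute-forced account, and never touches the 15 stuffed accounts. The aggregate rule fires once, lists the five proxy addresses that each tried three different usernames, and names `user07` as the account to reset first, because its single successful login came from one of those addresses. In production the same two signals (many distinct usernames per source, and a high failure ratio across the whole stream) would be computed by the SIEM or WAF rather than in a script.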

The first step organizations should take to stop credential stuffing is to address careless password practices once and for all. If you allow employees to choose weak passwords, or to reuse passwords they already use elsewhere, that’s exactly what they’ll do. Enforce a minimum length and screen every new password against lists of known-compromised passwords; current NIST guidance (SP 800-63B) favors that screening over composition rules and scheduled password changes, which tend to push users toward predictable variations of the same password. Above all, use multifactor authentication, so that a stolen password alone is not enough to get into your network.
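One way to implement the screening step, as an added example that is not the article’s own code: a k-anonymity lookup in the style of the Pwned Passwords range API, modelled offline. The client hashes the candidate password with SHA-1, discloses only the first five hex characters of the hash, receives every known hash suffix under that prefix, and finishes the match locally, so the full hash never leaves the host. The breach corpus, its counts, the denylist and the minimum length are constructed assumptions; the real service is reached over HTTPS and is not contacted here.

```python
"""Breached-password screening with a k-anonymity range lookup.

Added example, not from the original article. Both the "server" (a range index
built from a constructed corpus) and the client are modelled in one process so
the exchange can be run offline. Counts and passwords below are made up.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: (password, times seen in breaches).
CONSTRUCTED_BREACH_CORPUS = [("password", 1000), ("123456", 5000),
                             ("P@ssw0rd", 250), ("qwerty", 800)]


def sha1_hex(password):
    """Upper-case hex SHA-1, the representation the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side (stand-in): map 5-char hash prefix -> {35-char suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


def range_lookup(index, prefix):
    """Stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines for every
    known hash sharing that prefix, which is all the server ever learns."""
    return [f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, {}).items())]


def breach_count(password, query):
    """Client side. `query(prefix)` returns the range lines; only the 5-char
    prefix is disclosed, and the suffix comparison happens locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix):
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


def evaluate_password(password, query, denylist=(), min_length=8):
    """Screening policy: minimum length, context-specific denylist, breach check.
    No composition rules. Returns (accepted, reason)."""
    if len(password) < min_length:
        return (False, f"shorter than {min_length} characters")
    lowered = password.lower()
    for word in denylist:
        if word.lower() in lowered:
            return (False, f"contains blocked term '{word}'")
    n = breach_count(password, query)
    if n:
        return (False, f"appears in known breach data ({n} times)")
    return (True, "accepted")


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    query = lambda prefix: range_lookup(index, prefix)
    # "ExampleCorp" stands in for an organisation's own name and product names.
    for candidate in ("password", "short", "ExampleCorp2019!", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, query, denylist=("ExampleCorp",)))
```

The point of the split is the privacy property: with a 5-character prefix the server sees one of 16^5 buckets and cannot tell which of the hundreds of suffixes it returned, if any, was the one the client wanted. Replacing `range_lookup` with an HTTPS request to the real range endpoint is the only change needed to use a live corpus.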

Second, use dark web monitoring services to find out whether information for sale on the dark web puts your organization at risk. Look for mentions of your company, its employees and their accounts, and for breaches of the third-party applications your staff use, since a password leaked from one of those may be the same one they use at work. This is an important, proactive step that can head off a wide range of attacks.

Finally, recognize that no control stops every attack, and make sure your incident response plan includes procedures for responding to credential stuffing. You need to be able to quickly identify which accounts were accessed, force password resets on them, and revoke active sessions and tokens so that an attacker who has already logged in is cut off.

Verteks can help you implement the right strategy for dealing with credential stuffing attacks, from multifactor authentication to dark web monitoring to incident response planning. Let us help you take the necessary steps to reduce the risk of a successful attack instead of waiting for a costly data breach to happen.
