Stuffing. Such a timely word now. There’s stuffing that goes in the Thanksgiving turkey. There’s Santa stuffing the Christmas stockings. There are folks being accused right now (by other folks) of stuffing the ballot box. We are going to talk about another kind of stuffing: credential stuffing. Let’s talk about how to protect against credential stuffing attacks.
Understand Credential Stuffing
First, what is credential stuffing? (And can you get it in a gluten-free version?) I’ll start with the term “credential”. This is security-geek-speak for a username or password. So, your “credentials” for a given service are your username and password for that service. Credential stuffing refers to a cyberattack where a hacker tries to access user accounts by trying out large numbers of username and password combinations.
- The username and password pairs can come from a variety of sources. Sometimes they are purchased off a Dark Web site, for the same service being attacked. Sometimes they are credentials for other services that the hacker uses to break into this service. Hackers know that you might well use this username/password pair for more than one service. At other times, the hacker can guess the username (nowadays, it is often an email address) and then use brute-force techniques to guess the password.
- Another aspect of credential stuffing is that it is often automated. Wait, are there tools that automate credential stuffing? Of course! Supply and demand. If a hacker had to manually enter credentials over and over, the attack would lose its cost-effectiveness. If the hacker has a tool that can do this hundreds or thousands of times an hour, that’s a different story.
Ways to Protect Against Credential Stuffing Attacks
How can you protect against credential stuffing attacks? Here is some good news. Many cybersecurity steps we have described before will help protect against credential stuffing attacks.
- Use a password manager. Password managers make complex passwords easier to live with. Password managers also remove the friction in using distinct credentials for each service. Complex passwords make “password spraying” attacks ineffective. Use of unique credentials for each service makes credential stuffing with borrowed credentials useless.
- Implement multi-factor authentication. It is best to do this with an authenticator app that generates codes or presents an accept/deny request to the user.
- Subscribe to a service like Have I Been Pwned to be notified if an email address shows up in a breach database. As we have said before, finding a user’s credentials in a breach database does not mean their account is compromised; it just means that it is more likely to be compromised down the road.
- Get familiar with the patterns of user logins. You may not see the same IP (Internet Protocol) address on every connection. But you might know that a user always connects from their iPhone. Or they always connect via a specific cellular carrier. Or they never connect after 8 PM local time. These kinds of user-specific data are harder for hackers to simulate.
- One final way to protect against credential stuffing attacks is to set up alerts that will let you know when multiple failed login attempts are occurring. If you see an attack in progress, you can act. For instance, you can set the user’s account to block access for some period.
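As an added example (not part of the original post), the following Python sketches the alerting described in the last two items: it parses constructed sample login records, flags a source address that fails logins for many distinct users within a short window, and flags a successful login from a device other than the user's usual one. The log format, field names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (illustrative data, not from a real system):
# one attempt per line, "<timestamp> <RESULT> user=<name> ip=<source> ua=<client>"
SAMPLE_LOG = """\
2024-11-20T19:00:01 FAIL user=alice ip=203.0.113.7 ua=python-requests
2024-11-20T19:00:01 FAIL user=bob ip=203.0.113.7 ua=python-requests
2024-11-20T19:00:02 FAIL user=carol ip=203.0.113.7 ua=python-requests
2024-11-20T19:00:02 FAIL user=dave ip=203.0.113.7 ua=python-requests
2024-11-20T19:00:03 FAIL user=erin ip=203.0.113.7 ua=python-requests
2024-11-20T19:00:03 OK user=frank ip=203.0.113.7 ua=python-requests
2024-11-20T19:00:10 OK user=frank ip=198.51.100.9 ua=iPhone
2024-11-20T19:20:00 FAIL user=grace ip=192.0.2.44 ua=iPhone
"""
LINE_RE = re.compile(r"(\S+) (OK|FAIL) user=(\S+) ip=(\S+) ua=(\S+)")

def parse_log(text):
    """Turn log lines into (timestamp, result, user, ip, ua) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip, ua = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip, ua))
    return events

def stuffing_alerts(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag source IPs that fail logins for many *distinct* users inside a sliding window.
    Many usernames from one source separates stuffing from one user mistyping a password."""
    by_ip = defaultdict(list)
    for ts, result, user, ip, _ua in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward past old failures
            in_window = fails[start:end + 1]
            users = {u for _, u in in_window}
            if len(in_window) >= min_failures and len(users) >= min_users:
                alerts[ip] = sorted(users)  # accounts worth a password reset or temporary block
    return alerts

def baseline_deviations(events, usual_device):
    """Flag successful logins whose client differs from the user's usual device (assumed baseline)."""
    return [(user, ua) for _ts, result, user, _ip, ua in events
            if result == "OK" and user in usual_device and ua != usual_device[user]]
```

A stuffing alert on an address plus a successful login for one of those accounts from an unfamiliar client is the combination that most deserves the temporary block the text describes.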
Don’t Worry; You’ve Got This
The prospect of credential stuffing attacks might scare you. But don’t worry. You already are familiar with many of the tools to prevent a credential stuffing attack. Be vigilant and you will be fine.