Credential stuffing is a type of brute force attack where the attacker uses an already available credential (i.e. stolen) on another website/system as a login attempt.
For example, a hacker may gain a password-username pair of a Facebook account and then attempts to use the same credential to log in on Gmail or Instagram. The basic premise behind credential stuffing attacks is fairly simple: most people have the tendency of using the same pair of password and username on all of their accounts, and the attacker simply exploits this fact.
Many lists of stolen credentials are now sold and even shared publicly on the internet, and as a result of this phenomenon, credential stuffing attacks have risen in popularity for the past few years.
In this guide, we will discuss how we can effectively prevent credential stuffing attacks and how to protect our account, website, and system from this scary version of brute force attacks.
1. Strong and Unique Passwords
The best and most effective approach in preventing credential stuffing attacks is to require the practice of using strong passwords to be mandatory, and advising your users to use unique passwords (i.e. one password for one account only).
As a general rule of thumb, a strong password is 10-characters long and should feature a combination of uppercase letters, lowercase letters, symbols, and numbers. You can also use various password randomizer and password manager solutions to create really strong, randomized passwords (which will also help in using unique passwords for different accounts.)
2. Multi-Factor Authentication
The idea of multi-factor authentication (MFA) or 2-factor authentication (2FA) is to ask for additional (or more) information besides the username-password combination before someone can access the account. So, in the event of a credential stuffing attack, an attacker won’t gain access even if they possess the right credential.
This secondary information can be:
- Something you have: a USB dongle, etc.
- Something you know: a secondary password, PIN, OTA code, etc.
- Something you are: fingerprint, iris, face ID, etc.
MFA is very effective in stopping credential stuffing and brute force attacks in general. However, requiring too many MFA requests can significantly ruin your site’s user experience (UX) and might increase the bounce rate.
Finding the right balance between security and usability is also very important, so you can strategically require MFA only on certain suspicious conditions, for example:
- Different browser/device/IP address or other signature
- Login attempt from unusual location or countries that are considered suspicious
- Blacklisted IP address, IP address that has tried to log in to multiple accounts
- Obvious bot/scripted activities
3. CAPTCHA
Since many credential stuffing and brute force attacks are performed by automated scripts (bots), implementing CAPTCHA can help in blocking these bots in performing their task. However, CAPTCHA is one a one-size-fits-all answer for credential stuffing attack for two reasons:
- There are now CAPTCHA farm services where a human worker will solve the CAPTCHA before passing it to the bot, rendering CAPTCHA useless.
- Similar to MFA, CAPTCHA can ruin user experience, so it’s very important to use them sparingly.
In general, use CAPTCHA only in specific, strategic scenarios, and you can combine it with other techniques.
4. Notify Users About Unusual Activities
Many people don’t realize when their credentials have been stolen, so it may be appropriate to notify or warn the user when suspicious activities are detected.
However, don’t overwhelm users with too many notifications and only send appropriate/important ones. Or else, the user might just ignore or delete the notification, making this approach counterproductive.
For example, if there had been a successful login but it failed the MFA check, then the user should be notified so they can change the password immediately.
It’s also important for your users to be able to view details related to recent logins (date, time, and location). Also, if the application allows simultaneous sessions, the user should be able to view a list of all active sessions and to terminate any other sessions they deem suspicious.
5. Fingerprinting
The basic approach in preventing credential stuffing attack is to blacklist IP addresses and/or a range of IPs after a certain number of failed login attempts. However, sophisticated bots can now rotate between thousands of IP addresses, so IP-based detection might not be very effective.
So, we can also fingerprint other factors to determine whether the traffic is a legitimate user, like browser, device signature, operating system, the language used, and more. There are various fingerprinting-based solutions you can use for this method.
The idea is, if the new traffic doesn’t match the user’s previous signatures, you can ask this client for additional authentication (MFA, CAPTCHA, or others). Keep in mind, however, that a user might share the account with their friends or family members, so implement this method strategically.
In combination with fingerprinting, we can also configure alerts on the login success ratio of suspicious users. For example, a login success rate below 10% is very suspicious, and credential stuffers can reach a close to 0% success rate. Tracking login success ratios can be very effective in detecting credential stuffing attacks.
6. Investing In a Bot Detection Solution
One of the most effective approaches in preventing credential stuffing attacks is to use an advanced account takeover protection solution that can effectively detect and block malicious bot traffic attempting the attack in real-time.
Since both bots and humans now use the same browsers and IP addresses, real-time and automated credential stuffing protection is now necessary. Humans can no longer act fast enough to match the bot activities, and this is where AI-powered, machine learning bot detection solutions can be very effective in preventing credential stuffing attacks.
End Words
While there is no perfect method that can 100% prevent credential stuffing attacks, the 6 methods we have discussed above are among the most effective in identifying, preventing, and mitigating the effects of potential credential stuffing.
The most effective approach, however, is to have an effective bot detection and mitigation solution that can detect the credential stuffing attempt in real-time. Solutions like DataDome offer a comprehensive bot detection solution that deploys in minutes on any infrastructure, fully automated.
