Credential Stuffing Attacks | How to Protect Your Web App from Bots

When thinking about hacking, we often imagine the practice as complex and sophisticated, right? Yet one of the most successful cyberattacks today is so easy that you could easily accomplish it yourself. This attack is known as credential stuffing and is made possible by us, the consumer, and our tendency toward predictable behavior. According to a survey by Harris in 2019, 65% of people use the same password on multiple (and sometimes all) accounts.

These attacks tend to follow large breaches and a recent FBI notification suggests that remediation should be taken now.

What is Credential Stuffing?

Credential stuffing is a very simple form of brute force cyberattacks in which criminals use stolen usernames and passwords to access user accounts in other systems.

At a quick glance:

  • Credential stuffing is one of the most common causes of data breaches for a very simple reason: stolen usernames and passwords are cheap, accessible, and they work.
  • In a whitepaper published by Auth0, nearly half of all login requests received on their platform are attempts at credential stuffing.
  • As more credentials are exposed through breaches, credential stuffing attacks are increasing.
  • Check to see if your credentials have been stolen in the past.

How does Credential Stuffing work?

A credential stuffing attack often goes undetected because they look like normal login requests. There are two main methods used by bad actors to attempt to log in:

  • API-Directed login attempts: a bad actor uses a custom program or a legitimate application like Postman to submit usernames and passwords to companies’ login endpoints. This can be done very quickly and is easy to automate.
  • Puppeteer attempts: a bad actor either copy/pastes user information into the login page themselves, or use puppeteer tools to automate the form submissions

What can we do to stop Credential Stuffing attacks?

The reality is that no single method is 100% effective at stopping these attacks. The objective, however, is to make it more difficult for the cybercriminal so that it might not be worth their time.

  • Multifactor Authentication: the use of a secondary or multiple forms of authentication is the best way to prevent credential stuffing. Even an email or text message response requires the cybercriminal to have access to the customer’s personal systems. However, NIST has recommended against SMS and customers tend to find multifactor authentication burdensome. The FBI recommends against using CAPTCHA as it is easily defeated.
  • Education: The best defense is a good offense. If using the same password is the root cause, then using different passwords or using a password manager is the solution. Obviously, this relies on users to make good decisions and is therefore not a reliable solution.
  • Using Cloud Protection Services or CDNs: There are many services that attempt to detect and block suspicious traffic at the expense of latency and false positives.
  • Device Fingerprinting: While not foolproof, there are libraries designed to identify a browser session like FingerprintJS. The downside is that variables used to identify a browser come from the client itself and can be spoofed. However, when using a device fingerprint ID to instantiate Eclypses MTE, you are able to establish a unique one-to-one pairing relationship with the server to allow your backend to delay or shadow-ban offending browser sessions.
  • Passwordless Authentication: One of the biggest future initiatives in authentication is passwordless sign-ins. Eclypses MTE, and the concept of Zero Trust with Full Knowledge, is an option to harden the traditional login process today.
  • MTE Encoded HTTP Payloads: For credential stuffing attacks against API login endpoints, requiring Eclypses MTE encoded payloads is the single best way to prevent generic login requests. Our proprietary technology ensures that only a paired, uniquely instantiated client and server can securely communicate with one another. As an added benefit, Session Tokens and Auth IDs are protected from being taken in transit and stolen while at rest.

Have any questions for the Eclypses team? Reach out today.

Written by: Joe Jeanjaquet, Eclypses Senior Director of Engineering