Virtualization Technology News and Information
6 Ways to Protect Yourself Against Credential Stuffing Attacks

Whether you're a high-level executive or a junior analyst at a company, the credentials you log in to business applications with are vulnerable to credential stuffing attacks. These attacks use stolen credentials from one account to log in to another account. Credential stuffing attacks can exploit both business and personal applications, so it's important to be aware of them. This article overviews six ways to protect yourself and your organization against the threat of credential stuffing attacks. 

1. Avoid Reusing Passwords

Credential stuffing attacks have a quite low success rate - however, they are very easy to carry out at scale. All it takes is one successful login to potentially infiltrate a network and steal sensitive data.

The only reason these attacks are ever successful at all is that people tend to reuse the same passwords in multiple services and apps. One survey found that 53 percent of people admitted reusing passwords across several accounts. Threat actors can easily purchase stolen credentials from previous data breaches on the dark web and attempt to use those credentials to log in to different systems and services.

It's advisable to use unique passwords for every different application or service you use in your daily life. Organizations should communicate this advice to employees as part of security awareness training.

2. Leverage Multi-factor Authentication

Multi-factor authentication (MFA) provides a more robust way to verify that people logging in to systems are who they claim to be. Typically, MFA combines a standard username-password combination with a one time password sent to a mobile phone or USB dongle in the user's possession. Since MFA doesn't grant access without an additional type of verification, credential stuffing attacks become far less likely to succeed.

According to Salt Security's advice on defending against credential stuffing, these attacks "rely on automation scripts and tools that cannot easily provide additional factors of authentication." If MFA is an option in the apps and services you use, switch it on for better protection against credential stuffing. If you're an IT decision-maker trying to protect customer-facing or business apps, it's prudent to opt for MFA to help prevent unauthorized access from stolen credentials.

3. Use A Password Manager

While unique passwords will help protect against these attacks, password management quickly becomes challenging when you have to remember more than three or four passwords. Across email, multiple different apps, and personal accounts, it's very easy to lose track of all your accounts and the passwords stored for them.

A good password manager replaces the need to remember several unique passwords for different accounts. Password managers also come with the additional benefit of helping to generate really good, unique passwords for you.

4. Rate-Limit Logins

The fourth practice for protecting against credential attacks is more of a business-focused tip than something applicable at an individual level. Since these attacks target login pages, it can be useful to set limits on the rate at which login pages can be accessed by a given IP address or session. Web application firewalls typically come with the option to leverage rules and controls that allow you to set custom rate limits for users logging in to your website or app.

5. Require (and Use) Unique Usernames

An overlooked factor behind many successful credential stuffing attacks is the use of email addresses as usernames. The problem with apps or services that allow email addresses as usernames is that people will typically use the same email address across most or all of their different accounts.

Emails appear regularly in data breaches alongside compromised passwords. Any accounts that have the same email username as a previously compromised account quickly become low-hanging fruit for a credential stuffing attack. Generate unique usernames for your apps and services and don't allow email addresses as usernames.

6. Check If You've Already Been Breached

A number of online services can run cross-checks against your email address, password, or phone number to see if your details have been compromised in a previous breach. Have I Been Pwned, for example, has a database of over 11.5 million email accounts published in previous breaches.

Better still, the same service has a database of over 600 million real world passwords previously exposed in data breaches. By checking for your own passwords on a site like this, a positive hit can alert you of the need to change your passwords for other services as soon as possible.


Credential stuffing attacks serve as a prime example of how previous data breaches can continue to have cascading effects long after they've occurred. The widespread practice of reusing credentials combined with an ever-increasing list of data breaches means these attacks are unlikely to go away any time soon. Protect yourself and your business by adopting credential stuffing prevention strategies and tips.



Ronan Mahony 

Ronan Mahony is a freelance content writer mostly focused on cybersecurity topics. He likes breaking down complex ideas and solutions into engaging blog posts and articles. He's comfortable writing about other areas of B2B technology, including machine learning and data analytics. He graduated from University College Dublin in 2013 with a degree in actuarial science, however, he followed his passion for writing and became a freelance writer in 2016. He currently also works with Bora. In his spare time, Ronan enjoys hiking, solo travel, and cooking Thai food.

Published Friday, October 29, 2021 7:34 AM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<October 2021>