Whether you're a high-level executive or a junior analyst at a company, the credentials you log in to business applications with are vulnerable to credential stuffing attacks. These attacks use stolen credentials from one account to log in to another account. Credential stuffing attacks can exploit both business and personal applications, so it's important to be aware of them. This article outlines six ways to protect yourself and your organization against the threat of credential stuffing attacks.
1. Avoid Reusing Passwords
Credential stuffing attacks have a quite low success rate; however, they are very easy to carry out at scale. All it takes is one successful login to potentially infiltrate a network and steal sensitive data.
The only reason these attacks are ever successful at all is that people tend to reuse the same passwords in multiple services and apps. One survey found that 53 percent of people admitted reusing passwords across several accounts. Threat actors can easily purchase stolen credentials from previous data breaches on the dark web and attempt to use those credentials to log in to different systems and services.
It's advisable to use a unique password for every application or service you use in your daily life. Organizations should communicate this advice to employees as part of security awareness training.
2. Leverage Multi-factor Authentication
Multi-factor authentication (MFA) provides a more robust way to verify that people logging in to systems are who they claim to be. Typically, MFA combines a standard username-password combination with a one-time code delivered to a mobile phone or generated by a hardware token such as a USB dongle in the user's possession. Since MFA doesn't grant access without this additional form of verification, credential stuffing attacks become far less likely to succeed.
According to Salt Security's advice on defending against credential stuffing, these attacks "rely on automation scripts and tools that cannot easily provide additional factors of authentication." If MFA is an option in the apps and services you use, switch it on for better protection against credential stuffing. If you're an IT decision-maker trying to protect customer-facing or business apps, it's prudent to opt for MFA to help prevent unauthorized access from stolen credentials.
3. Use a Password Manager
While unique passwords will help protect against these attacks, password management quickly becomes challenging when you have to remember more than three or four passwords. Across email, multiple different apps, and personal accounts, it's very easy to lose track of all your accounts and the passwords stored for them.
A good password manager removes the need to remember several unique passwords for different accounts. Password managers also come with the additional benefit of generating strong, unique passwords for you.
4. Rate-Limit Logins
The fourth practice for protecting against credential stuffing attacks is more of a business-focused tip than something applicable at an individual level. Since these attacks target login pages, it can be useful to set limits on the rate at which login pages can be accessed by a given IP address or session. Web application firewalls typically come with the option to leverage rules and controls that allow you to set custom rate limits for users logging in to your website or app.
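As an added illustration of the rate limiting described above (this is example code, not from the article or any particular WAF product), the limiter below applies a sliding window to login attempts keyed on both the source IP and the target username, since stuffing traffic can spread many usernames over one address or one username over many addresses. The attempt stream and thresholds are constructed for the demonstration.

```python
# Added example: sliding-window login rate limiter keyed on IP and username.
from collections import defaultdict, deque

class LoginRateLimiter:
    def __init__(self, max_per_ip, max_per_user, window_seconds):
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.window = window_seconds
        self.by_ip = defaultdict(deque)    # ip -> timestamps of recent attempts
        self.by_user = defaultdict(deque)  # username -> timestamps

    def _prune(self, q, now):
        # Drop attempts that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, ip, username, now):
        """Return True if this attempt may proceed to the password check."""
        ip_q, user_q = self.by_ip[ip], self.by_user[username]
        self._prune(ip_q, now)
        self._prune(user_q, now)
        if len(ip_q) >= self.max_per_ip or len(user_q) >= self.max_per_user:
            return False  # throttled: answer 429 and log the event for the SOC
        ip_q.append(now)
        user_q.append(now)
        return True

# Constructed attempt stream: (seconds, source IP, username). The addresses
# are RFC 5737 documentation ranges, not real hosts.
ATTEMPTS = [
    (0, "203.0.113.7", "alice"), (1, "203.0.113.7", "bob"),
    (2, "203.0.113.7", "carol"), (3, "203.0.113.7", "dave"),
    (4, "203.0.113.7", "erin"),  (5, "203.0.113.7", "frank"),   # 6th from one IP
    (6, "198.51.100.2", "alice"), (7, "198.51.100.3", "alice"),
    (8, "198.51.100.4", "alice"),                                # 4th for one user
    (70, "203.0.113.7", "grace"),                                # window expired
]

def run(attempts, max_per_ip=5, max_per_user=3, window_seconds=60):
    """Apply the limiter to an attempt stream and return one decision per attempt."""
    limiter = LoginRateLimiter(max_per_ip, max_per_user, window_seconds)
    return [limiter.allow(ip, user, t) for t, ip, user in attempts]

if __name__ == "__main__":
    for (t, ip, user), ok in zip(ATTEMPTS, run(ATTEMPTS)):
        print(f"t={t:>3}s {ip:<13} {user:<6} {'allowed' if ok else 'THROTTLED'}")
```

The per-IP limit catches the single-source spray while the per-username limit catches the distributed one; both thresholds should be tuned against legitimate login volume before enforcement.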
5. Require (and Use) Unique Usernames
An overlooked factor behind many successful credential stuffing attacks is the use of email addresses as usernames. The problem with apps or services that allow email addresses as usernames is that people will typically use the same email address across most or all of their different accounts.
Email addresses appear regularly in data breaches alongside compromised passwords. Any account that shares its email username with a previously compromised account quickly becomes low-hanging fruit for a credential stuffing attack. Generate unique usernames for your apps and services and don't allow email addresses as usernames.
6. Check If You've Already Been Breached
A number of online services can run cross-checks against your email address, password, or phone number to see if your details have been compromised in a previous breach. Have I Been Pwned, for example, has a database of over 11.5 million email accounts published in previous breaches.
Better still, the same service has a database of over 600 million real-world passwords previously exposed in data breaches. By checking for your own passwords on a site like this, a positive hit can alert you to the need to change your passwords for other services as soon as possible.
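Checking a password against such a database does not require sending the password itself: the Have I Been Pwned Pwned Passwords API uses a range query in which only the first five hex characters of the password's SHA-1 hash leave the client, and the match against the returned suffixes is done locally. The code below is an added example (not from the article or from Have I Been Pwned) of that client-side logic; the range response is constructed so it runs offline, whereas a live client would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead.

```python
# Added example: k-anonymity range check as used by Pwned Passwords.
import hashlib

def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping blank lines."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Return how often the password appears in the range data (0 = not found).
    fetch_range(prefix) returns the server's text body for a 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the server: one range containing the
# suffix of SHA-1("password") between two made-up neighbours. Counts are
# fabricated for the demo and are not real breach statistics.
_PWD_PREFIX, _PWD_SUFFIX = sha1_prefix_suffix("password")
FAKE_RANGES = {
    _PWD_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{_PWD_SUFFIX}:3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ])
}

def offline_fetch_range(prefix):
    """Replace with an HTTPS GET of the range URL in a real client."""
    return FAKE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ["password", "not-in-constructed-data"]:
        n = breach_count(pw, offline_fetch_range)
        print(f"{pw!r}: {'seen %d times' % n if n else 'no match in range'}")
```

A count above zero means the password should be treated as burned and rotated everywhere it is used; a zero only means it is absent from this data set, not that it is strong.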
Conclusion
Credential stuffing attacks serve as a prime example of how previous data breaches can continue to have cascading effects long after they've occurred. The widespread practice of reusing credentials combined with an ever-increasing list of data breaches means these attacks are unlikely to go away any time soon. Protect yourself and your business by adopting credential stuffing prevention strategies and tips.
## ABOUT THE AUTHOR
Ronan Mahony is a freelance content writer mostly focused on cybersecurity topics. He likes breaking down complex ideas and solutions into engaging blog posts and articles. He's comfortable writing about other areas of B2B technology, including machine learning and data analytics. He graduated from University College Dublin in 2013 with a degree in actuarial science; however, he followed his passion for writing and became a freelance writer in 2016. He currently also works with Bora.
In his spare time, Ronan enjoys hiking, solo travel, and cooking Thai food.