Credential stuffing and password spraying: Security tips for service provider and users

Credential stuffing is a fairly simple form of cyber-attack in which captured user information from one service is used to gain access to other services. Unlike brute force attacks, attackers use existing, stolen user information instead of guessing passwords (automatically). Testing a weak password (“password”, „123456“, „qwerty“) without a specific goal against multiple different usernames is called password spraying.

Aims and motives behind credential stuffing and password spraying

Cyber criminals can use highly automated tools to try out vast amounts of usernames and passwords on many different websites and applications without much effort. The login data that is used comes, for example, from databases acquired on the darknet or from collections from data leaks, phishing or other security incidents. Even if the percentage-hit rate is low, it is worthwhile: databases with up to several hundred million entries are available.

Credential stuffing is only successful if the same credentials are active on several different services. For password spraying attacks, it is enough to use a password that has already appeared on any leak list.

The aim of these attacks is to gain access to various services. Attackers misuse bank accounts for financial gain or identity theft and email-access for further attacks or account takeovers. Shopping in online shops under false names and invoices is also popular. In addition to the hassle, time and financial losses, this can lead to reputational damage for individuals or companies.

How to prevent credential stuffing and password spraying?

To carry out credential-stuffing and password-spraying attacks, attackers use tools and scripts that can automatically perform hundreds or thousands of login attempts per minute. To make detection more difficult, the access attempts are increasingly disguised as legitimate requests. However, various security measures can increase security––ideally in combination.

Security tips for online services:

• Offering two- or multi-factor authentication is one of the simplest and most efficient possibilities to prevent credential stuffing and password spraying. If permanent use is not possible, limit usage to certain scenarios such as logging in from a new or unusual location, a new device or browser, or in the case of suspicious login behaviour. (Less secure) alternatives may be additional PINs or security questions.
• Rate limiting aims to prevent credential stuffing and password spraying by delaying or limiting the number of login attempts. However, modern attack techniques adapt to these tactics by, for example, reducing the number and speed of attempts or simulating different IP addresses and devices. Dynamic rate limits based on actual user behaviour can remedy this.
• Require secure passwords: Some systems have password protection functions that prevent registration with passwords that are too simple or allow blacklisting passwords that are too common. Using the Pwned Passwords list, operators of online services can check passwords against hundreds of millions of stolen passwords when logging in or renewing them, and ask their users to use a different password if necessary.
• Alternative user names instead of the email address can impede credential stuffing since it is based on finding accounts with the same combination of usernames and passwords.
• IP-Blocking: Block known malicious IP addresses as well as IP addresses with a defined number of unsuccessful login attempts via block list.
• Captchas aim to identify people and can make automated login attempts more difficult or reduce their speed or profitability.
• User notifications: Warn users in case of suspicious login failures, for example if the password was correct but not the second authentication factor. Also, show the date, time and location of the last successful login.
• A multi-step login process, where e.g. username and password have to be entered in two separate steps, makes attack attempts at least somewhat more laborious.

Security tips for users:

• Without exception, use different passwords for different websites. Attackers already know the trick of using different numbers!
• In case of old accounts: Log in to each account and change the password as soon as possible. Make sure you use a different password for each account.
• Use alternative e-mail addresses instead of your main address for less important or rarely used portals.
• Unless absolutely necessary, do not give your email address or use e.g. throw-away email addresses like net
• A password manager that also generates and manages random phrases can help to manage the different data.
• If offered by the service, be sure to use 2-factor authentication.
• Never share access data via insecure communication channels.

As a matter of principle, do not pass on your access data without thinking. Be particularly careful when clicking on links in emails or messages, especially if they ask you to enter your login details. Always go directly to the desired website instead of following a link. Only confirm 2-factor requests if you are about to log in and have initiated the request yourself.

Identify stolen password and change them immediately

There are various ways for users to be informed or automatically notified if their own data turn up in dubious collections after a security incident. Here are three examples:

• The Google Password Manager in Chrome warns you when stolen login combinations are leaked on the internet
• Firefox Monitor allows for monitoring your email-address and notifies you in case of incidents
• A manual check of one’s own e-mail address is possible, for example, at com.

In addition, we recommend deleting or deactivating accounts that you do no longer need or use.

Conclusion: Both users and service operators can help prevent credential stuffing and password spraying attacks or at least make them more difficult. The more measures are implemented, the more costly and consequently less profitable the attack attempts will be.

Strong, unique passwords and the use of two- or multi-factor authentication remain essential for account security. Also, be careful when using public computers and WLAN networks, as third parties could read your data entries there. Watch out for possible phishing attacks and do not give out personal or financial information to unknown third parties.

This might also interest you:

Secure APIs against unauthorised access and manipulation
Current cyber-attacks screened: How attackers get into your system
New tricks on phishing websites

Sources:
https://haveibeenpwned.com/
https://monitor.firefox.com/
https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html