Credential Stuffing vs Brute Force

Over the past couple of decades, we’ve been constantly reminded to use strong passwords. This was supposed to minimize the risk of an account takeover (ATO) and, more importantly, a full-blown data breach. Strong passwords were supposed to fend off brute force attacks, the most commonly used attack vector to break into an account. In fairness, strong passwords can still thwart brute force. However, brute force isn’t the only attack in the ATO playbook now.

Ever since the explosion of user accounts on various websites and mobile apps (e.g. social media, instant messaging, email, forums, online magazine subscriptions, video platforms, etc.), a new ATO attack vector has emerged; one that can bypass the use of strong passwords. It’s called credential stuffing.

The Open Web Application Security Project® (OWASP) defines credential stuffing as a subset of brute force attacks. Strictly speaking, it’s actually a bit different. Before you can defend your users against it, it would help if you knew how it differs from brute force, especially in the way it renders strong passwords ineffective.

Let’s start by explaining what a brute force attack is.

What Is a Brute Force Attack?

A brute force attack is a cyber attack aimed at breaking into a user’s account by ‘guessing’ the account’s password through a series of character combinations (e.g. aab001, aab002, aab003, … and so on). This is usually carried out automatically by specialized tools.

As you can imagine, one way of making it difficult for a brute force attack to succeed is by using strong and lengthy passwords. To illustrate, it would be many times more difficult to guess something like ‘a@b^xl23dRZ’ than, say, ‘cat’.

Not only that, brute force attacks are also ‘noisy’. Because they only work by running a large number of attempts (especially if they have to break a lengthy and complex password), they easily stand out in the logs. Any security analyst or IT admin with a trained eye can easily spot a brute force attempt.

What is Credential Stuffing?

Like brute force, credential stuffing is also aimed at breaking into a user’s account. However, unlike a brute force attack that enters a lengthy list of possible character combinations into the password field, credential stuffing enters a list of known compromised credentials (usually, a combination of usernames AND passwords). Sometimes the attack is done automatically by a tool, but sometimes it can also be done manually.

The success of this attack is based on the premise that one (or some) of the users on a targeted website are also user(s) of another website whose user credentials were compromised in a previous data breach. This is very possible because a lot of users reuse login credentials on multiple sites. In fact, a recent password security report from LastPass revealed that employees reuse a password an average of 13 times.

So, if an attacker somehow gets a hold of stolen credentials — regardless of whether those credentials consist of lengthy, strong passwords or not — that attacker can perform credential stuffing. The tools used to carry out credential stuffing are good at imitating human behavior (some attackers also carry out the attack manually), so they aren’t as noisy and easily detectable as traditional brute force attacks.
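To make the difference visible from the defender's side, the following added example (not part of the original article) classifies login sources by the shape of their failed attempts: many failures against one account versus roughly one failure per account across many accounts. The log events, thresholds and function names are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source address, username, login succeeded)
EVENTS = (
    [("198.51.100.7", "alice", False)] * 8                        # many guesses, one account
    + [("203.0.113.9", f"user{i}", i == 5) for i in range(8)]     # one try per account
    + [("192.0.2.4", "bob", False), ("192.0.2.4", "bob", True)]   # ordinary typo, then login
)

def classify_sources(events, min_failures=5, ratio=0.8):
    """Label each source by how its failed logins are spread over usernames.

    min_failures and ratio are assumed thresholds; tune them on real traffic.
    """
    failures = defaultdict(lambda: defaultdict(int))
    for source, user, ok in events:
        if not ok:
            failures[source][user] += 1

    labels = {}
    for source, users in failures.items():
        total = sum(users.values())
        if total < min_failures:
            labels[source] = "normal"
        elif max(users.values()) / total >= ratio:
            labels[source] = "brute_force"          # failures pile up on one account
        elif len(users) / total >= ratio:
            labels[source] = "credential_stuffing"  # about one failure per account
        else:
            labels[source] = "suspicious"
    return labels

def accounts_to_review(events, labels):
    """Accounts that logged in successfully from a flagged source.

    For a stuffing source these are the likely reused-password hits, so they
    are candidates for a forced password reset and session revocation.
    """
    return {
        user
        for source, user, ok in events
        if ok and labels.get(source, "normal") != "normal"
    }

if __name__ == "__main__":
    labels = classify_sources(EVENTS)
    print(labels)
    print(accounts_to_review(EVENTS, labels))
```

Grouping by source address is a simplifying assumption: because credential stuffing tools imitate human behavior, the same ratio should also be tracked site-wide rather than only per source.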

Learn more about credential stuffing and how to counter it

Its ability to bypass traditional security solutions is making credential stuffing one of the go-to attack vectors of ATO attackers and other cyber criminals. If you have any public facing portal, whether it be a website or mobile app, we strongly suggest you start learning more about this threat and how to mitigate it.

A lot of the information you need to know about credential stuffing can be found in our short ebook entitled: Credential Stuffing 2021: The Latest Attack Trends and Tools  

This 10-page ebook includes valuable insights such as:

  • Why Enterprise Stuffing is now considered a top enterprise attack
  • The incentives and adversities faced by credential stuffing attackers
  • Why economics are in the attackers’ favor
  • Generational shifts in attack methods
  • How credential stuffing tools imitate human behavior
  • And other relevant information