Credential Stuffing

Hello, world. I’m Zanidd and welcome to the Hands On Password Cracking and Security course on Code Red. In this section, we will cover the downsides of passwords, and miscellaneous vulnerabilities, and the misuse of passwords. We will also take a brief look at alternatives to passwords. In this lesson, we will discuss what credential stuffing is. We will also see how this has influenced companies in the real world, and how you can prevent this from happening to you or your company. So, what even is credential stuffing? Credential stuffing is a subcategory of brute force attacks. It doesn’t require hashing algorithms, but instead tries a list of commonly used username and password pairs.

This is possible because most users use the same password and username for every application they use. So once a company gets hacked, and the username/password pairs dumped in plain text somewhere, an attacker can use those pairs to hack into other accounts. For example, if you were to have the email zanidd@example.com, with the password “1-2-3-4-5-6” as your Facebook credential, but also as your credentials for, let’s say, Twitter, you could be a target for this attack. If Twitter gets hacked, and all passwords get dumped, an attacker can now enter into your Twitter account.

But not only that, because you’re using the same password and username on Facebook, an attacker can now try the pair, from Twitter, on Facebook and log in as you. One big problem here is that sysadmins cannot force users to have unique passwords for every platform. So in the worst case, an employee might be even using the same password and/or username that was already leaked or dumped. For example, in 2016, over 3 billion credentials have been dumped, and the number is constantly growing. The attack itself is also pretty straightforward. You first need to find the dump, and then use a tool, like Selenium, to make the logins with the list you just got.

After a while, you will have cracked some logins already - no hashing needed. So how do we solve this issue? Well, one is for sure - we can’t force the users to create a unique password for every platform, but we can do other things. We can force them to use a random number for every login instead, with something like multifactor authentication. The best option to remedy this issue is to use multifactor authentication. In fact, you can use something like MFAs or Google Authenticator, and similar apps. Some ebanking platforms even have a unique second factor.

For example, I have to enter my username and password, and then use a box where I have to put my card in, enter my pin, and then I get a code to enter for the login. If for some reason, MFA - or Multifactor Authentication - is not possible, we can also try to stop the attacker by using Captchas. This may not be as effective as MFA but still better than nothing. This will reduce the amount of attacks because they have to find a way to automate the “select a traffic light” thing from Google. We can also retroactively do something with IP blacklisting and checking for leaks. If we monitor suspicious activity from one IP, we can block that one.

We can also use the same method as the attackers to check if any company, employee, or user, has leaked passwords. We can run a tool that automates the process, and then automatically resets the leaked passwords. And that’s all about credential stuffing. In the next lesson, we’re going to take a look at a similar attack - password spraying. It’s similar to credential stuffing but works differently.