Skip main navigation

Credential Stuffing

In this video, Zanidd will explain how password spraying works and presents remedies to prevent it from happening.
6.5
Hello, world. I’m Zanidd and welcome to the Hands On Password Cracking and Security course on Code Red. In this section, we will cover the downsides of passwords, and miscellaneous vulnerabilities, and the misuse of passwords. We will also take a brief look at alternatives to passwords. In this lesson, we will discuss what credential stuffing is. We will also see how this has influenced companies in the real world, and how you can prevent this from happening to you or your company. So, what even is credential stuffing? Credential stuffing is a subcategory of brute force attacks. It doesn’t require hashing algorithms, but instead tries a list of commonly used username and password pairs.
59.7
This is possible because most users use the same password and username for every application they use. So once a company gets hacked, and the username/password pairs dumped in plain text somewhere, an attacker can use those pairs to hack into other accounts. For example, if you were to have the email zanidd@example.com, with the password “1-2-3-4-5-6” as your Facebook credential, but also as your credentials for, let’s say, Twitter, you could be a target for this attack. If Twitter gets hacked, and all passwords get dumped, an attacker can now enter into your Twitter account.
103.5
But not only that, because you’re using the same password and username on Facebook, an attacker can now try the pair, from Twitter, on Facebook and log in as you. One big problem here is that sysadmins cannot force users to have unique passwords for every platform. So in the worst case, an employee might be even using the same password and/or username that was already leaked or dumped. For example, in 2016, over 3 billion credentials have been dumped, and the number is constantly growing. The attack itself is also pretty straightforward. You first need to find the dump, and then use a tool, like Selenium, to make the logins with the list you just got.
152.8
After a while, you will have cracked some logins already - no hashing needed. So how do we solve this issue? Well, one is for sure - we can’t force the users to create a unique password for every platform, but we can do other things. We can force them to use a random number for every login instead, with something like multifactor authentication. The best option to remedy this issue is to use multifactor authentication. In fact, you can use something like MFAs or Google Authenticator, and similar apps. Some ebanking platforms even have a unique second factor.
200
For example, I have to enter my username and password, and then use a box where I have to put my card in, enter my pin, and then I get a code to enter for the login. If for some reason, MFA - or Multifactor Authentication - is not possible, we can also try to stop the attacker by using Captchas. This may not be as effective as MFA but still better than nothing. This will reduce the amount of attacks because they have to find a way to automate the “select a traffic light” thing from Google. We can also retroactively do something with IP blacklisting and checking for leaks. If we monitor suspicious activity from one IP, we can block that one.
253.6
We can also use the same method as the attackers to check if any company, employee, or user, has leaked passwords. We can run a tool that automates the process, and then automatically resets the leaked passwords. And that’s all about credential stuffing. In the next lesson, we’re going to take a look at a similar attack - password spraying. It’s similar to credential stuffing but works differently.

This video will define credential stuffing and explain how to prevent it from happening.

Remedies that will be presented include multifactor authentication (MFA), and CAPTCHA. We’ll also explore retroactive strategies which include checking for leaked passwords and blocking blacklisted IP addresses.

Investigate and share: Find and share an article that discusses the cost of credential stuffing for businesses. Share your thoughts on the article in the Comments section below.

This article is from the free online

Advanced Cyber Security Training: Hands-On Password Attacks

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education