
Credential Stuffing

In this video, Zanidd explains how credential stuffing works and presents remedies to prevent it from happening.
6.5
Hello, world. I’m Zanidd and welcome to the Hands On Password Cracking and Security course on Code Red. In this section, we will cover the downsides of passwords, and miscellaneous vulnerabilities, and the misuse of passwords. We will also take a brief look at alternatives to passwords. In this lesson, we will discuss what credential stuffing is. We will also see how this has influenced companies in the real world, and how you can prevent this from happening to you or your company. So, what even is credential stuffing? Credential stuffing is a subcategory of brute force attacks. It doesn’t require hashing algorithms, but instead tries a list of commonly used username and password pairs.
59.7
This is possible because most users use the same password and username for every application they use. So once a company gets hacked, and the username/password pairs are dumped in plain text somewhere, an attacker can use those pairs to hack into other accounts. For example, if you were to have the email zanidd@example.com, with the password “1-2-3-4-5-6” as your Facebook credentials, but also as your credentials for, let’s say, Twitter, you could be a target for this attack. If Twitter gets hacked, and all passwords get dumped, an attacker can now enter your Twitter account.
103.5
But not only that, because you’re using the same password and username on Facebook, an attacker can now try the pair from Twitter on Facebook and log in as you. One big problem here is that sysadmins cannot force users to have unique passwords for every platform. So in the worst case, an employee might even be using the same password and/or username that was already leaked or dumped. For example, in 2016, over 3 billion credentials were dumped, and the number is constantly growing. The attack itself is also pretty straightforward. You first need to find the dump, and then use a tool, like Selenium, to make the logins with the list you just got.
152.8
After a while, you will have cracked some logins already - no hashing needed. So how do we solve this issue? Well, one thing is for sure - we can’t force the users to create a unique password for every platform, but we can do other things. We can force them to use a random number for every login instead, with something like multifactor authentication. The best option to remedy this issue is to use multifactor authentication. In fact, you can use something like MFAs or Google Authenticator, and similar apps. Some e-banking platforms even have a unique second factor.
200
For example, I have to enter my username and password, and then use a box where I have to put my card in, enter my pin, and then I get a code to enter for the login. If for some reason, MFA - or Multifactor Authentication - is not possible, we can also try to stop the attacker by using Captchas. This may not be as effective as MFA but still better than nothing. This will reduce the amount of attacks because they have to find a way to automate the “select a traffic light” thing from Google. We can also retroactively do something with IP blacklisting and checking for leaks. If we monitor suspicious activity from one IP, we can block that one.
253.6
We can also use the same method as the attackers to check if any company, employee, or user, has leaked passwords. We can run a tool that automates the process, and then automatically resets the leaked passwords. And that’s all about credential stuffing. In the next lesson, we’re going to take a look at a similar attack - password spraying. It’s similar to credential stuffing but works differently.

This video will define credential stuffing and explain how to prevent it from happening.

Remedies that will be presented include multifactor authentication (MFA) and CAPTCHA. We’ll also explore retroactive strategies: checking for leaked passwords and blacklisting IP addresses that show suspicious login activity.
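The two retroactive measures listed above, as an added example that is not part of the course or its video: a detector that flags source IPs cycling through many distinct usernames (the signature of a stuffing run, unlike a single user mistyping one password) and a k-anonymity style check of a login password against a breach corpus that forces a reset for leaked credentials. The log format, thresholds, breach corpus and function names are assumptions made for illustration.

```python
"""Added example (not from the course): two retroactive credential-stuffing
controls, run over constructed sample data."""
import hashlib
from collections import defaultdict

# Constructed sample authentication log: (timestamp in seconds, source IP,
# username, outcome). 203.0.113.7 cycles through many accounts with mostly
# failures; 198.51.100.4 is one user who mistypes twice, then succeeds.
SAMPLE_LOG = [
    (0, "203.0.113.7", "alice", "fail"),
    (1, "203.0.113.7", "bob", "fail"),
    (2, "203.0.113.7", "carol", "fail"),
    (3, "203.0.113.7", "dave", "success"),
    (4, "203.0.113.7", "erin", "fail"),
    (5, "203.0.113.7", "frank", "fail"),
    (30, "198.51.100.4", "alice", "fail"),
    (31, "198.51.100.4", "alice", "fail"),
    (40, "198.51.100.4", "alice", "success"),
]


def find_stuffing_sources(log, window_s=60, min_users=5, max_success_ratio=0.5):
    """Return the set of source IPs that, within any window of window_s
    seconds, tried at least min_users distinct usernames with a success
    ratio of at most max_success_ratio. Thresholds are assumed values;
    tune them to the traffic of the service being protected."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in log:
        by_ip[ip].append((ts, user, outcome))

    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()  # sort by timestamp so a sliding window is valid
        start = 0
        for end in range(len(attempts)):
            # advance the left edge until the window spans <= window_s seconds
            while attempts[end][0] - attempts[start][0] > window_s:
                start += 1
            window = attempts[start:end + 1]
            distinct_users = {user for _, user, _ in window}
            successes = sum(1 for _, _, outcome in window if outcome == "success")
            if (len(distinct_users) >= min_users
                    and successes / len(window) <= max_success_ratio):
                flagged.add(ip)
                break  # one qualifying window is enough to block this IP
    return flagged


# Constructed stand-in for a breach corpus: SHA-1 digests of leaked passwords.
# Real corpora hold billions of entries and are indexed by SHA-1, which is why
# SHA-1 appears here; it is used for lookup only, never for storing passwords.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "password", "letmein")
}


def range_query(prefix5):
    """Simulate a k-anonymity range lookup: given the first 5 hex chars of a
    SHA-1 digest, return the suffixes of every leaked hash with that prefix.
    The caller never has to reveal the full hash to the corpus holder."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix5)}


def password_is_leaked(password):
    """True if the password's SHA-1 digest appears in the breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def accounts_needing_reset(logins):
    """logins: iterable of (username, plaintext password) observed at login
    time, the only moment a server legitimately holds the plaintext.
    Returns the sorted usernames whose password is in the breach corpus,
    i.e. the accounts to force through a password reset."""
    return sorted(user for user, password in logins if password_is_leaked(password))


if __name__ == "__main__":
    print("block:", find_stuffing_sources(SAMPLE_LOG))
    print("reset:", accounts_needing_reset([("zanidd", "123456"), ("alice", "Tr0ub4dor&3")]))
```

In a real deployment the IP set feeds a rate limiter or WAF rule rather than a permanent blacklist (stuffing tools rotate through proxies, so a block is only a speed bump), and the range query goes to a breach-corpus service rather than an in-memory set; the hash-prefix design is what lets that query leave the network without disclosing the password hash itself.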

Investigate and share: Find and share an article that discusses the cost of credential stuffing for businesses. Share your thoughts on the article in the Comments section below.

This article is from the free online course Advanced Cyber Security Training: Hands-On Password Attacks, created by FutureLearn - Learning For Life.
