Credential Stuffing 101
Maybe you’ve experienced it. It’s very likely that you’ve, at least, heard about it.
Cybercriminals are taking over online accounts and organizational systems at a rapid pace. So, why is that happening? Simply put: Hackers are credential stuffing.
Credential stuffing is a subset of brute-force password attacks.
Cybercriminals take a mass amount of usernames and passwords and “stuff” them into login pages as a means to take over accounts. And, because people often use the same credentials for, let’s face it, almost everything, hackers often use that information to unlock several accounts.
The method is similar to password spraying, which uses a list of common passwords in combination with a single username.
Credential stuffing works because users keep reusing their passwords. Despite its simplicity, credential attacks continue to plague organizations that don’t take basic steps to counter them.
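A credential stuffing run looks like many usernames tried from one source in a short burst, which is a pattern defenders can pick out of ordinary authentication logs. The following added example (not code from the original post; the log format and thresholds are assumptions) flags such sources in a constructed sample and lists the accounts that accepted a login from them:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real traffic).
SAMPLE_LOG = """\
2020-08-15T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-08-15T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2020-08-15T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2020-08-15T10:00:03Z src=203.0.113.7 user=dave result=SUCCESS
2020-08-15T10:00:04Z src=203.0.113.7 user=erin result=FAIL
2020-08-15T10:00:05Z src=203.0.113.7 user=frank result=FAIL
2020-08-15T10:05:00Z src=198.51.100.2 user=alice result=FAIL
2020-08-15T10:05:30Z src=198.51.100.2 user=alice result=FAIL
2020-08-15T10:06:00Z src=198.51.100.2 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse the assumed log format into (timestamp, source, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_attempts=5, min_users=4):
    """Return {source: usernames} for sources that made >= min_attempts logins against
    >= min_users distinct usernames inside one sliding window. A legitimate user
    retrying a forgotten password (few attempts, one username) does not trip the rule."""
    by_src = defaultdict(list)
    for ts, src, user, _result in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u in attempts[start:end + 1]}
            if end - start + 1 >= min_attempts and len(users_in_window) >= min_users:
                flagged.setdefault(src, set()).update(users_in_window)
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts that accepted a login from a flagged source: candidates for a forced reset."""
    return sorted({u for _, src, u, result in events if src in flagged and result == "SUCCESS"})
```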
Notable Companies Who Were "Credential Stuffed"
As with most cyber attacks, credential stuffing regularly impacts businesses of all sizes.
In 2019, the launch of Disney+ suffered slowdowns from thousands of streaming accounts that were believed to have been compromised by credential stuffing attacks. Then, in August of the same year, the Department of Homeland Security warned that Iranian hackers favor password attacks, such as password spraying and credential stuffing.
More recently, on Aug. 15, 2020, 9,041 users of the Canadian GCKey system had their credentials compromised by a credential stuffing attack.
These attacks keep coming because they keep working.
“Akamai reported 61 billion credential stuffing attacks over the 18 month period between January 2018 and June 2019.”
What Are The Consequences?
As you might expect, when an attacker finds a valid set of credentials that stick, he/she often gains full access to that account.
Those compromised IDs may be used to steal user information and/or to access secure devices and networks. What’s more is that the constant login attempts create lag on your company’s infrastructure.
Last September, Akamai reported 61 billion credential stuffing attacks over the 18 month period between January 2018 and June 2019. That complements another Akamai report released in April 2019, which estimated that 43% of all global login requests were malicious.
Researchers estimate that over 8 billion email addresses and 555 million passwords are available to attackers through a variety of breaches. While many of these breaches primarily expose consumer accounts, millions of professional username and password pairs were exposed in breaches, most notably on LinkedIn.
Cyber breaches that use stolen credentials can bypass even the best cybersecurity methods. They also expose organizations to secondary losses, such as reputation damage and shareholder lawsuits.
Fortunately, there are many available, affordable options designed to counter the effectiveness of credential stuffing.
Option 1: Create a Strong Password Policy
The easiest way to prevent credential stuffing is to stop reusing passwords.
In order to do this effectively, you’ll need to create a company policy that requires unique passwords, and that keeps team members from using their corporate credentials elsewhere. While a policy cannot be enforced outside your domain or on customers, you can enforce it internally through the password-management settings of directory systems such as Active Directory or equivalent services.
Another approach to try is to directly create and issue credentials to your team members. It’s a low-cost, high-reward method, and you’ll be in full control. However, with users managing an average of 190 passwords, this autocratic method will likely increase complaints, lost or forgotten passwords, and help-desk call volume.
All of that can put quite a strain on your IT department. Additionally, you’ll be in charge of monitoring password strength.
Another approach is to require password changes that don’t allow team members to reuse passwords.
This is a solid method, but you’ll want to make sure that users avoid easy-to-guess patterns, and that they don’t keep those passwords in a desktop file or on a post-it note.
The NIST recommends using passphrases up to 64 characters in length, and only changing them if a breach is suspected.
So, how do you know if the passphrases are good or have been breached? First, if your company suffered an attack that compromised any admin credentials or the user directory, you’ll need to assume a more widespread compromise and change all local user credentials.
Second, you can test passwords. Blue Bastion offers red teaming, a breach simulation method designed to detect easy-to-crack or exposed credentials.
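The policy above (long passphrases allowed, no reuse, change only on suspected breach) can be enforced at the moment a password is set. The following added example (not code from the original post) checks a candidate against a constructed breach corpus using only a five-character hash prefix, so the full password never leaves the checker; the corpus contents and the range-lookup interface are assumptions:

```python
import hashlib

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password corpus, stored as hashes only
# (example data, not a real breach dump).
BREACHED_SHA1 = {sha1_hex(p) for p in ["password", "Winter2020!", "letmein123", "Summer2019"]}

def range_lookup(prefix5):
    """Simulates a k-anonymity style breach lookup: the caller sends only the first
    five hex characters of the SHA-1 and receives every matching suffix, so the
    lookup service never learns the full hash or the password."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}

def is_breached(password):
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

def check_password(candidate, previous_hashes=frozenset()):
    """Return the list of policy violations; an empty list means the password is acceptable.
    previous_hashes holds SHA-1 digests of the account's earlier passwords (assumed storage)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if len(candidate) > 64:
        problems.append("longer than 64 characters")
    if is_breached(candidate):
        problems.append("appears in a known breach")
    if sha1_hex(candidate) in previous_hashes:
        problems.append("reuses an earlier password for this account")
    return problems
```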
Option 2: Multifactor Authentication
If you’re willing to invest in improved security, multi-factor authentication provides a more comprehensive solution.
With this method, even with the correct credentials, hackers will also need to provide additional information, whether it’s a code via text, a phone call, or by answering security questions.
When attackers recognize that a target requires multi-factor authentication, they will move their credential stuffing bots on to easier targets.
Another major benefit is that it will discourage attackers from consuming server bandwidth.
We often incorporate multi-factor authentication into our recommendations because it works. But, don’t just take our word for it.
Last year, Google determined that even a simple text message code prevented 100% of automated bot attacks and up to 96% of phishing attacks.
Bringing It All Together
Until usernames and passwords are replaced as the cornerstone of our access security, we’ll have to depend on fallible users to keep their credentials safe and secure.
However, instead of passively hoping, you can assist your team by applying simple solutions in order to actively prevent many different types of breaches.
At Ideal Integrations, it’s our goal to make those solutions easier for you. We create effective credential plans designed to work specifically for your company’s safety and security. And, we’ll actively manage your network, 24/7/365, so you’ll always be ahead of any IT issues or possible breaches along the way.
Ready to get started? We’re here to help you maximize your return on IT. Complete the form below for a risk-free consultation, or call us at 412-349-6680 today!