Password compromise remains a primary method by which malicious actors gain access to applications, systems, and networks. Cyber criminals deploy a range of techniques to crack passwords, some of which are technical while others don’t require any technical skillset. This article defines and compares two of the most used password hacking techniques—credential-stuffing and brute-force attacks.
What is Credential Stuffing?
Credential stuffing is a password hacking technique in which threat actors attempt to breach a system using lists of compromised credentials. According to Salt Security’s definition of credential stuffing, this attack technique “exploits the tendency of users to reuse their credentials across multiple services and applications.”
It’s straightforward for pretty much anyone to find lists of compromised passwords online. Dark web forums contain many such lists from previous data breaches and system exploits. Threat actors can target a particular system or application with many login attempts using these lists of compromised user credentials.
To make the process more efficient, hackers automate credential-stuffing attacks using bots. These bots can spread login attempts across many IP addresses to avoid the suspicion, and the blocking, that repeated logins from a single IP address would attract. Credential-stuffing attacks are particularly easy to disguise on systems or applications with large traffic volumes, because login anomalies are harder to spot on such services.
Credential stuffing is a growing problem due to the sheer volume of stolen credentials available online. One published list of stolen credentials, Collection #1, included more than 2.7 billion email-password pairs. Threat actors can easily reuse these published credentials in a credential-stuffing attack and attempt to access a target system. Credential stuffing attacks have a low success rate – however, that doesn’t deter hackers because all it takes is one successful login to compromise a system.
What is a Brute-Force Password Attack?
A brute-force password attack is a trial-and-error method of guessing user login credentials from random strings, commonly used passwords, and dictionaries of common password phrases. The attacker tests every possible combination of characters until the correct password is found. Because the number of possible combinations grows exponentially with password length, so does the time taken to guess the correct password.
Hackers get help in these endeavors from the many available free and paid tools that automate the process of conducting a brute-force attack.
Differences Between Credential-Stuffing and Brute-Force Attacks
- Credential-stuffing attacks use lists of previously compromised passwords as a clue or context for guessing the correct password, while brute-force hacks attempt to guess the password using trial and error without any prior context.
- Password length affects how long a brute-force attack takes, but it does not affect the time needed to conduct a successful credential-stuffing attack.
- Credential-stuffing attacks exploit the tendency to reuse passwords and usernames across different accounts, while brute-force attacks exploit easily guessable passwords that use common phrases or have just a few characters.
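The two shapes contrasted above look different in an authentication log: a brute-force attempt concentrates many failures on one account, while a credential-stuffing run spreads single failures across many accounts and source addresses with a high overall failure ratio. The following is an added example, not code from the original article; the log format, the sample lines and every threshold in it are constructed for illustration.

```python
"""Classify failed-login patterns in an authentication log.

Added example for this article; not code from the original page. The log
format and all sample lines below are constructed for illustration.
Format assumed: "<timestamp> <OK|FAIL> user=<name> ip=<address>".
"""
import re
from collections import Counter

# Constructed sample: a spray of single failures across many accounts and
# many source addresses (credential-stuffing shape), one legitimate login,
# and a burst of failures against one account from one address
# (brute-force shape).
SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL user=alice ip=203.0.113.10
2024-01-10T09:00:02 FAIL user=bob ip=198.51.100.7
2024-01-10T09:00:02 FAIL user=carol ip=192.0.2.44
2024-01-10T09:00:03 FAIL user=dave ip=203.0.113.88
2024-01-10T09:00:03 OK user=erin ip=198.51.100.9
2024-01-10T09:00:04 FAIL user=frank ip=192.0.2.17
2024-01-10T09:00:04 FAIL user=grace ip=203.0.113.201
2024-01-10T09:00:05 FAIL user=heidi ip=198.51.100.33
2024-01-10T09:00:05 FAIL user=ivan ip=192.0.2.99
2024-01-10T09:00:06 FAIL user=judy ip=203.0.113.5
2024-01-10T09:00:06 FAIL user=mallory ip=198.51.100.120
2024-01-10T09:00:07 FAIL user=admin ip=192.0.2.250
2024-01-10T09:00:07 FAIL user=admin ip=192.0.2.250
2024-01-10T09:00:08 FAIL user=admin ip=192.0.2.250
2024-01-10T09:00:08 FAIL user=admin ip=192.0.2.250
2024-01-10T09:00:09 FAIL user=admin ip=192.0.2.250
2024-01-10T09:00:09 FAIL user=admin ip=192.0.2.250
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, ok, user, ip) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            records.append((ts, result == "OK", user, ip))
    return records


def classify(records, brute_threshold=5, spray_min_users=8,
             spray_min_ips=5, spray_fail_ratio=0.8):
    """Separate brute-force targets from a credential-stuffing spray.

    brute_threshold: failures against one account that mark it as brute-forced.
    spray_*: how many distinct accounts and addresses, and what failure ratio,
    count as a spray of reused credentials. All thresholds are illustrative.
    """
    fails_per_user = Counter(user for _, ok, user, _ in records if not ok)
    brute_force_users = sorted(u for u, n in fails_per_user.items() if n >= brute_threshold)

    # Everything not explained by a concentrated attack on one account.
    rest = [r for r in records if r[2] not in brute_force_users]
    rest_fails = [r for r in rest if not r[1]]
    sprayed_users = {r[2] for r in rest_fails}
    sprayed_ips = {r[3] for r in rest_fails}
    fail_ratio = len(rest_fails) / len(rest) if rest else 0.0

    credential_stuffing = (
        len(sprayed_users) >= spray_min_users
        and len(sprayed_ips) >= spray_min_ips
        and fail_ratio >= spray_fail_ratio
    )
    return {
        "brute_force_users": brute_force_users,
        "credential_stuffing": credential_stuffing,
        "sprayed_users": len(sprayed_users),
        "sprayed_ips": len(sprayed_ips),
        "fail_ratio": round(fail_ratio, 3),
    }


if __name__ == "__main__":
    print(classify(parse_log(SAMPLE_LOG)))
```

On the sample, `admin` is reported as brute-forced (six failures from one address) and the remaining ten single failures across ten accounts and ten addresses, against one success, trip the credential-stuffing rule. On a busy service the thresholds would need tuning per window and per baseline failure rate, which is exactly why the article notes that high-traffic systems make these anomalies harder to see.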
Tips to Prevent Password Attacks
Remind users to always use longer, more complex passwords that mix symbols, letters, and upper- and lower-case characters. Long, complex passwords take far longer to crack by brute-force methods than the simple passwords people commonly use.
Require multi-factor authentication (MFA) to verify users before granting access to systems and applications. Credential-stuffing or brute-force hacks are far less likely to succeed if MFA is in place.
Put an identity and access management policy in place that locks users out of their accounts after a certain number of failed login attempts.
Inform employees and users regularly about what good password hygiene looks like and highlight the dangers of reusing passwords across multiple systems.
Avoid using email addresses as usernames/user IDs because hackers can easily guess them.
Behavioral analytics can highlight login anomalies and block suspicious IP addresses from logging in to services on your network.
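Two of the tips above, account lockout after a run of failed attempts and blocking of source addresses whose behaviour is anomalous, can be enforced at the login endpoint itself. The following `LoginGuard` is an added example written for this article, not code from the page or from any product; its thresholds, its in-memory state and the caller-supplied clock (`now`, in seconds) are assumptions made so that the behaviour is deterministic.

```python
"""Account lockout plus per-address blocking for a login endpoint.

Added example for this article; not the page's or any product's code.
Thresholds, the in-memory store and the caller-supplied clock are assumptions.
"""
from collections import defaultdict, deque

LOCKED, BLOCKED_IP, OK, FAIL = "locked", "blocked_ip", "ok", "fail"


class LoginGuard:
    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_window=60, ip_max_accounts=10):
        self.max_failures = max_failures        # failures before an account locks
        self.lockout_seconds = lockout_seconds  # how long the lock lasts
        self.ip_window = ip_window              # sliding window for per-address checks
        self.ip_max_accounts = ip_max_accounts  # distinct accounts one address may try
        self._failures = defaultdict(int)       # user -> consecutive failures
        self._locked_until = {}                 # user -> epoch seconds when lock expires
        self._ip_hits = defaultdict(deque)      # ip -> deque of (time, user)

    def _ip_distinct_accounts(self, ip, now):
        """Count distinct accounts this address touched inside the window."""
        hits = self._ip_hits[ip]
        while hits and now - hits[0][0] > self.ip_window:
            hits.popleft()
        return len({u for _, u in hits})

    def attempt(self, user, ip, password_ok, now):
        """Evaluate one login attempt; returns LOCKED, BLOCKED_IP, OK or FAIL.

        password_ok is the result of the real credential check; this class only
        decides whether that result may be honoured.
        """
        # An address probing many different accounts in a short window looks
        # like an automated spray of reused credentials, whatever the outcome.
        self._ip_hits[ip].append((now, user))
        if self._ip_distinct_accounts(ip, now) > self.ip_max_accounts:
            return BLOCKED_IP
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return LOCKED  # still locked: a correct password does not unlock early
        if password_ok:
            self._failures[user] = 0
            return OK
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
            return LOCKED
        return FAIL


def demo():
    """Replay a brute-force run and a credential spray against one guard."""
    g = LoginGuard(max_failures=3, lockout_seconds=300, ip_window=60, ip_max_accounts=3)
    out = []
    # Brute-force shape: repeated wrong guesses against one account.
    out += [g.attempt("alice", "203.0.113.10", False, t) for t in (0, 1, 2)]
    out.append(g.attempt("alice", "203.0.113.10", True, 3))    # correct, but locked
    out.append(g.attempt("alice", "203.0.113.10", True, 305))  # lock expired
    # Stuffing shape: one address trying four different accounts quickly.
    for i, u in enumerate(["bob", "carol", "dave", "erin"]):
        out.append(g.attempt(u, "198.51.100.7", False, 400 + i))
    return out


if __name__ == "__main__":
    print(demo())
```

The replay yields `fail, fail, locked, locked, ok` for the brute-force run and `fail, fail, fail, blocked_ip` for the spray. Keeping the two controls separate matters: a per-account lock alone does little against a spray that tries each account only once, while a per-address rule alone misses a patient attack on a single account, and a lockout policy should be paired with monitoring so that a flood of deliberate failures against known accounts is noticed rather than silently denying those users service.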
Closing Thoughts
If organizations don’t address the common flaws in their access controls and users remain unaware of what good password hygiene looks like, threat actors will continue to exploit compromised credentials and inflict potentially devastating consequences on businesses.
For training and certification, visit our website at www.thurity.com
Great information
Organizations really need to address common flaws in their access control.
Very informative and great write-up.
We need more of such information!!!
Keep up the good work Thurity
Wow… the best write-up I have seen
Very informative
Keep it up Thurity👍