Cybersecurity

The wrong stuff: Why attackers hope you reuse that password

‘Credential stuffing’ is a tactic that takes advantage of a user’s tendency to reuse the same username or password.
article cover

Francis Scialabba

3 min read

A report from the identity-management provider Okta revealed the popularity of a login attack called credential stuffing.

Not a side at IT Thanksgiving, “credential stuffing” is a persistent, frequently bot-driven tactic that takes advantage of a user’s tendency to reuse the same username and/or password over and over again. An attacker attempts logins with the already-compromised username and passwords, hoping that the captured credentials work across multiple sites, like a bank and a retailer.

Okta found a bunch of these attacks: 34% of the traffic on its Auth0 authentication platform, according to the company’s research, showed characteristics of credential stuffing, like bursts of failed logins.

The rise in credential stuffing revealed that bots are busier than ever, and we need a variety of defenses to counter the persistent attacks.

“Obviously, a lot of this is driven by bots. And so we really need to be thinking about what [we’re] doing in the observability space to help us also use that same intelligence to fight those bots off,” Jameeka Green Aaron, CISO at Okta, told IT Brew.

Bot, bot, pwn. Firing off a bunch of login attempts at once, from one location, would seem suspicious to a network administrator, so password stuffers are often careful to mask their IP addresses, take over machines, and appear to be coming from a variety of destinations, according to Duncan Greatwood, CEO at the cybersec platform provider Xage Security.

Website operators can monitor login activity and boot suspicious bursts of authentication failures, but bots often sneak by corporate defenses, according to Zach Capers, senior analyst at GetApp, an online resource for SaaS applications.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“They're just trying once per account,” Capers said. “And if it doesn't work, they move on to the next account to see if it works there, and the next one and the next one.”

“The attackers are getting better and better at imitating human-like behavior,” Greatwood told IT Brew.

And speaking of human behavior: Humans like to reuse passwords. That goes for the information-technology crowd, too. A November 2021 survey from Bitwarden of 400+ IT professionals found that most (91%) use the same password across multiple sites.

How to slow down the bots

If you’re a user: Don’t reuse passwords, and do deploy multi-factor authentication, Steve Hulet, co-founder and CTO of Fresh Consulting, advised.

If you’re a website operator: In addition to MFA options, consider using a unique username or “guest checkout”instead of your email address so there's no credential to stuff, Capers suggested.

NIST (and Hulet and Capers) recommend comparing requested passwords with a list of known compromised passwords. Sites like “Have I Been Pwned,” for example, reveal millions of real-world passwords previously exposed in data breaches. And, of course, don’t let users go with compromised ones.

Layers of defense—including bot detection and adaptive authentication—can stuff the password stuffer, Greatwood said:

“Just like the attack is a numbers game, the protection is also a numbers game.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.