
60 Days to Tell You. 60 Minutes to Sell Your Data.
April 22, 2026 · 8 min read

Reusing passwords across accounts is one of the most common ways attackers gain access. Learn what credential stuffing is, how attackers use it, and the practical steps to protect yourself and your users.
If you’ve heard it once, you’ve heard it a million times: “don’t use the same password on multiple accounts.” But why? What’s the harm? This week we're going to take a look at credential stuffing attacks. If you use the same password on multiple accounts (and really, who doesn't?), or if you run a website with a login screen, read this week’s newsletter for some ideas on ways to protect your personal accounts and the user accounts on your site.
A credential stuffing attack is one where an attacker takes username and password pairs leaked from one site and replays them, usually with automated tooling and at scale, against the login pages of other sites and applications, with financial accounts a favorite target. It works because people reuse passwords. The technique has been around for years, but it has become serious enough for the FBI to issue a Private Industry Notification warning about it.
To begin a credential stuffing campaign, an attacker first needs a set of credentials. These could come from the attacker's own intrusions, but most often they come from a previous large public data breach. For example, they may take a set of credentials exposed in one of the Facebook data breaches and try them against banking sites. If your credentials were exposed in one of those breaches and you use the same username and password anywhere else, those accounts could be compromised as well.
There are a few things you can do to keep your individual accounts from being taken over by these attacks.
By reducing the number of accounts that share a password, you reduce the number of accounts that fall if that password is ever discovered. Now, I know what you’re thinking: "Yeah, Gene, that sounds good, but you don’t realize how many accounts I have.” Well, a small study conducted by Digital Guardian a few months ago found that the average person has over 130 different accounts. By that standard, I am an extreme overachiever with 496 different accounts at the time of writing. So, yes, I absolutely do understand the gravity of what I’m suggesting. But I also have a solution. Find yourself a password manager. A password manager will generate a long, unique password for each account, fill it in for you, and spare you from having to remember any of them. In addition, good password managers will flag passwords you’ve used more than once and alert you to credentials you haven't changed in a while. Let me know if you want me to provide some password manager suggestions.
Enable two-factor authentication on as many accounts as possible. With it enabled, an attacker who has your password still cannot get into the account without the second factor, which is exactly the situation credential stuffing creates. Where a site offers a choice, prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted or redirected through SIM swapping.
The third thing you can do to avoid becoming a victim of credential stuffing is to change your passwords at least once a year. If a password is exposed in a breach that nobody has noticed yet, rotation shortens the window in which it is useful to an attacker. Treat this as a backstop rather than a substitute for the first two steps: a unique password per account plus breach alerts catches an exposure far sooner than an annual change does. Again, a password manager can keep track of this for you.
Why keep accounts around that you don't use? Get rid of accounts that you’ve forgotten about. MySpace or AOL, anyone? Every dormant account is one more place a reused password can leak from. I’ll bring this up again in the last newsletter of the year. Again, a good password manager can track this for you as well.
Let's talk about how to figure out whether your credentials have already been exposed. Several websites track security breaches and catalog which accounts were affected. I like to use Have I Been Pwned (haveibeenpwned.com). Search these databases for your email address and they will tell you which breach(es) exposed it and what types of data were included. If you run a business, some of these services also let you monitor every address on your domain once you have verified that you own it. Point the notifications at a security email alias and you will receive a report whenever an employee's credentials turn up in a new breach. Use that report to make sure the affected employees change their passwords, and keep an eye out for suspicious activity originating from their accounts in the meantime.
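Checking an email address against the breach catalog needs Have I Been Pwned's authenticated API, but checking whether a password itself is sitting in a known dump can be done without ever sending the password. The following is an added example written for this newsletter (not code from Have I Been Pwned) of the k-anonymity lookup its Pwned Passwords range API uses: only the first five hex characters of the password's SHA-1 hash are sent, the server returns every hash suffix in that bucket with a breach count, and the match is made locally. The `fetch_range_offline` function and the `CONSTRUCTED_BREACHED` counts are constructed stand-ins so the example runs offline; `fetch_range_live` calls the real endpoint.

```python
"""Check whether a password appears in known breach dumps without revealing it.

Added example, not code from the original newsletter or from Have I Been Pwned.
Implements the k-anonymity range lookup used by HIBP's Pwned Passwords API.
fetch_range_offline and CONSTRUCTED_BREACHED are constructed stand-ins so the
example runs offline; fetch_range_live hits the real endpoint.
"""
from __future__ import annotations

import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_upper(password: str) -> str:
    """HIBP buckets on the upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> tuple[str, str]:
    """The 5-char prefix is all that leaves your machine; the 35-char suffix never does."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Times the password was seen in breaches, or 0 if its suffix is not in the bucket."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup. HIBP rejects requests that carry no User-Agent header."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "credential-stuffing-newsletter-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline stand-in for the API; the counts are made up ---
CONSTRUCTED_BREACHED = {"password123": 123456, "letmein": 9876, "Summer2019!": 42}


def fetch_range_offline(prefix: str) -> str:
    """Return a fake range response built from CONSTRUCTED_BREACHED."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        pw_prefix, pw_suffix = split_hash(sha1_upper(pw))
        if pw_prefix == prefix:
            lines.append(f"{pw_suffix}:{count}")
    # A real bucket holds hundreds of suffixes; add one unrelated entry.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines)


def check_offline(password: str) -> int:
    """Convenience wrapper: count for a password against the constructed data."""
    return pwned_count(password, fetch_range_offline)


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple 7731"):
        n = check_offline(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in constructed list'}")
```

Swap `fetch_range_offline` for `fetch_range_live` in `pwned_count` to query the real service. The same check belongs in your own signup and password-change forms: rejecting a password that is already in a breach dump is the single most direct defense against stuffing, because those are the exact passwords the attacker's list contains.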
If you do find that one of your accounts has been exposed, immediately change the password on that account and on any other account that shares it, and turn on two-factor authentication for them while you are at it. Then work through the rest of the recommendations for preventing credential stuffing discussed earlier in this article.
We’ve talked about how to protect your own accounts from credential stuffing; now we're going to focus on what you can do on your website to prevent attackers from gaining access to your users' accounts the same way.
Because the options for web hosting out there are endless, and I actually want to provide actionable recommendations for business owners, I'm going to assume you’re using WordPress. Since WordPress powers more than a third of all websites, these recommendations should apply to a lot of you.
Offering your users the option to enable two-factor authentication gives them the same protection we discussed above. In WordPress it's actually not difficult to add two-factor authentication to your site. Here are two plugins I would recommend trying out.
Two Factor Authentication - This plugin makes it easy to set up two-factor authentication, it’s updated frequently, and it’s free. What more could you ask for?
Jetpack by Automattic - This plugin is maintained by Automattic, the company behind WordPress.com. It has all the security goodness you could ask for, including 2FA through WordPress.com's secure sign-on, but the full feature set is not free.
You've probably seen websites where you don't have to set up credentials at all; instead you sign up and log in with your Facebook or Google account. These are called social logins. The advantage for a website owner is that you hand the work of fighting credential stuffing and other password attacks to a large platform with a dedicated security team. You still own the integration, though: validate the redirect URI and the state parameter in the OAuth flow, and remember that anyone who takes over a user's Facebook or Google account can now log in to your site as that user.
Nextend Social Login - Most of what you need is in the free version, and a pro version extends the list of supported social networks.
Social Login - This is a reputable plugin that lets visitors log in, register, and comment on your site through dozens of social networks. It fits cleanly into the WordPress login process, so users can link and unlink their social network accounts whenever they want.
WordPress does not enforce a password policy by default; it shows a strength meter, but users can click through it and keep a weak password. Like everything else in WordPress, there are plugins that add this functionality. If you follow the recommendations above, this one really isn’t necessary, but I’ll include it for the stubborn people, just in case.
If you choose to go this route, there are a few features you want to be sure the plugin has. The one that matters most against credential stuffing is screening new passwords against lists of passwords already exposed in breaches, since those are exactly the passwords an attacker's list contains.
Password Policy Manager for WordPress - The WP White Security team have built a very solid product. It’s not free, but if you’re going this route, the peace of mind alone is worth the price.
I haven’t yet found another plugin that I would feel comfortable recommending, but if I do find another good one, I’ll let you know.
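The plugins above add 2FA, social login and a password policy; none of them tells you whether a stuffing campaign is hitting your login page right now. The following is an added example written for this newsletter (not code from the original post or from any of those plugins) of detection logic run over web server access log lines. It assumes the logs are in Apache/nginx combined format and that WordPress answers a failed login POST to wp-login.php with a 200 (the form is re-rendered with an error) while a successful login returns a 302 redirect; the log lines are constructed here so it runs offline, using IPs from the RFC 5737 documentation ranges. The thresholds (20 attempts in 5 minutes, at most a 5% success rate) are starting points to tune against your own traffic.

```python
"""Spot a credential stuffing burst against wp-login.php in access logs.

Added example, not code from the original newsletter or from any WordPress
plugin. Assumptions: combined log format; WordPress returns 200 for a failed
login POST and 302 for a successful one. The sample log is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/wp-login.php"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?redirect_to=... etc.
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def flag_stuffing(lines, window=timedelta(minutes=5),
                  min_attempts=20, max_success_rate=0.05) -> dict[str, dict]:
    """Return {ip: summary} for IPs with a low-success burst of login POSTs.

    The success-rate test is the point: a stuffing run is mostly failures, but
    a hit rate of a percent or two is normal, so the occasional 302 inside the
    burst is the account takeover to investigate, not a reason to clear the IP.
    """
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):            # sliding window per IP
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            successes = sum(1 for r in chunk if r["status"] == 302)
            if successes / len(chunk) <= max_success_rate and (
                    best is None or len(chunk) > best["attempts"]):
                best = {
                    "attempts": len(chunk),
                    "successes": successes,
                    "user_agents": len({r["ua"] for r in chunk}),
                    "first": chunk[0]["ts"],
                    "last": chunk[-1]["ts"],
                }
        if best:
            flagged[ip] = best
    return flagged


# --- Constructed sample log (not real traffic) ---
BASE = datetime(2026, 4, 22, 10, 0, 0, tzinfo=timezone.utc)
UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0",
    "python-requests/2.31.0",
    "okhttp/4.9.0",
]


def make_line(ip, ts, status, ua, method="POST", path=LOGIN_PATH) -> str:
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1532 '
            f'"https://example.com{LOGIN_PATH}" "{ua}"')


def constructed_log() -> list[str]:
    lines = [
        # A real user loads the form, mistypes once, then succeeds.
        make_line("198.51.100.23", BASE, 200, UAS[0], method="GET"),
        make_line("198.51.100.23", BASE + timedelta(seconds=5), 200, UAS[0]),
        make_line("198.51.100.23", BASE + timedelta(seconds=20), 302, UAS[0]),
    ]
    # Stuffing burst: 40 POSTs in two minutes from one IP, rotating user
    # agents, 39 failures and one replayed password that works.
    for i in range(40):
        status = 302 if i == 27 else 200
        lines.append(make_line("203.0.113.7", BASE + timedelta(seconds=3 * i),
                               status, UAS[i % len(UAS)]))
    return lines


if __name__ == "__main__":
    for ip, info in flag_stuffing(constructed_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs, {info['successes']} succeeded, "
              f"{info['user_agents']} user agents, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

Run it against a real access log with `flag_stuffing(open("access.log").readlines())`. Per-IP counting is the simplest signal and the one attackers evade first by spreading a run across proxies, so in practice pair it with a site-wide failure rate and, if a plugin or the web server can log the submitted username, a count of distinct usernames per source.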
Credential stuffing is a serious threat. You can greatly reduce its chances of compromising your accounts by incorporating the recommendations laid out here, which should keep you one step ahead of the attackers looking for easy targets. At the very minimum, start moving your accounts into a password manager and check whether any of them have turned up in a large data breach using a site like Have I Been Pwned.