The Open Web Application Security Project (OWASP), a non-profit that is dedicated to web application security, classifies credential stuffing as a subset of brute force attacks. However, in practice, the two types of cyber-attacks use very different methods to accomplish an account takeover and fraud.
To explore how credential stuffing attacks and brute force attacks differ, we need to understand what they are and how they operate. Here is a quick summary.
A brute force attack is a method used by hackers to crack the username and password of accounts through trial and error. Bad actors can use automated software to attempt as many guesses as possible with the goal to gain access to an account. This is done with the hope that they will eventually find the right combination. Brute force attacks are a numbers-game that relies on increasing probabilities. It would be unlikely for a hacker to gain access to the account on the first attempt, the second attempt, or even the third attempt, but with enough attempts it just might happen. Brute force attacks are often likened to “breaking the door down.” This is because they don’t rely on sophisticated and complex methods or even already known compromised credentials to gain access, but rather they try to force their way in by overwhelming the system with guesses.
That isn’t to say that there is no intelligence behind some brute force attack methods. Hackers will often use a list of common passwords and use the most common combinations first. There is some logic in this form of brute force attack, so you may see it referred to as a hybrid brute force attack. Another common method is a systematic approach at guessing that can be devoid of outside logic. In this scenario, hackers may just use a list of dictionary words or dictionary word combinations. This is called a dictionary attack.
An attacker will often know the username of the account they are trying to get into and try to brute force the password. However sometimes the attacker may not know the username conclusively, but have some confidence in estimating a username. This is most commonly seen when a hacker is attempting to breach an employee account for a company. Companies tend to use a pattern for their email addresses. For example, Jamal Harris might be email@example.com, Ines Martinez would be firstname.lastname@example.org, and so on. With these patterns, if the hackers know the CEO of the company is called Anika Ming, then hackers could make a confident guess at her username.
Reverse brute force attacks are the opposite of this; instead of using a lot of passwords against 1 username, they use 1 password against lots of usernames (this is also known as password spraying, or low and spray attacks). These attacks are less common because it can be difficult to attain a large list of usernames, but websites often don’t have the same measures in place to protect against these attacks when compared to traditional brute force attacks. In March 2019, tech giant Citrix became a victim of this type of attack.
Online accounts almost always have cybersecurity measures in place to prevent brute force attacks. For example, a hacker could use brute force to get into your Gmail account because after a few wrong username and password combinations, the website will ask you to perform a CAPTCHA. Most websites will have something like this in place, if not a CAPTCHA they may impose a time restriction before another login can be attempted, and some websites will use both.
While credential stuffing attacks are considered a subset of brute force attacks, they actually use a higher degree of intelligence in their method because they use bots or automated scripts to attack. This type of attack uses compromised credentials obtained from a data breach to attempt an account takeover (otherwise known as ATO). In this scenario, the hacker will have a database of credentials and personally identifiable information (PII) from a data breach. For example, a bad actor can obtain PII data online from a data breach of a large hotel chain’s customer database and then, use these credentials to gain access to an unrelated account such as a bank account. In May 2019, Boost Mobile disclosed a credential stuffing attack and if you run a google search on credential stuffing attacks, you can find thousands of victims in the last 3 years.
Credential stuffing attacks mainly rely on people having the same username and password combinations across their accounts in order to work. People will often use one email address for their accounts, and often people will use the same password because it’s easy to remember. This is why it is recommended that you have unique passwords for all of your accounts.
The success rate of credential stuffing attacks can be low, with some estimates putting it at around 0.1% to %1 depending on the security of the target organization. Like brute force attacks, it’s a numbers game. For example, if a credential stuffing attacks is taking place over time with 1,000,000 targets, that can equal 10,000 vulnerable accounts. Hackers will use lists of hundreds of thousands of credentials and an automated script in order to conduct the account takeover and even if they only successful a few times, they can successfully commit fraud.
The attacker will use the spilled usernames and passwords against a range of accounts, such as bank accounts, social media accounts, online marketplaces, crypto wallet accounts, and even loyalty or rewards program accounts. If they get into an account with funds, they will drain the account of funds or in the case of online marketplaces, may use your linked credit card to commit fraud. Even when an attacker only gains access to social media accounts, your data can still be highly valuable to them. Your personal information can be used in social engineering email or telephone scams in order to encourage you to give up access to your account under false pretenses, or can be used to gain access to your friends and family.
There are a variety of ways that organizations are attacked and there is a broad array of security products to mitigate these brute force and credential stuffing attacks. No single product is 100% reliable against all of the forms of attacks and most security experts recommend a layered approach of protection against the attacks.
Nevertheless, the most common threat vector to organizations are compromised user name and password combinations that get exposed in data breaches. The organization that has the data breach is vulnerable to nefarious activity. But the problem becomes worse because so many online users reuse passwords, bad actors are able to fraudulently access other accounts that use the same user name and password.
To help reduce both brute force attacks and credential stuffing attacks, organizations can opt to screen their user accounts for compromised credentials and then take appropriate action to degrade the threat.
If your organization is struggling with a lot of brute force attacks on your sites and systems, we would recommend checking our Password API to make sure that the user’s password isn’t part of a cracking dictionary. This is specifically what the NIST Password guidelines recommend (NIST 800-63b). The screening of the username and password combination isn’t sufficient, you also need to check against cracking dictionaries. Just because a user name and password combo have not been found on the dark web, doesn’t mean it safe. If the password is a common password or is frequently seen in cracking dictionaries, it is still vulnerable to a brute force attack. Brute force attacks are by definition offline attacks, so you need to defend against a lot of possible passwords. And that password needs to be checked an updated list daily, not just when the user sets it up.
If your organization is the victim of a lot of credential stuffing attacks, we would recommend checking our Credential API. You can get a free list of passwords online, but the free lists are usually limited in size and will need to be updated daily. Most teams do not have the staffing to support a daily update process. Because credential stuffing attacks are by definition online attacks, you can defend against them using specific compromised username and password combinations. Restricting users from using any password from a cracking dictionary (like the free lists) results in limiting your online users from selecting passwords that would otherwise be safe from an online attack. The user experience can be very frustrating if the passwords restrictions are too stringent and you risk user abandonment.