Enzoic Navigation
  • Solutions
    • Enzoic Account Takeover Protection
    • Enzoic for Active Directory
    • Enzoic Exposure Alerts
    • NIST Password Screening
  • FAQ
  • Resources
    • Submit a Support Ticket
    • Security Overview
    • API Documentation
  • Company
    • About Us
    • Careers
  • Blog
  • Contact Us
  • Free Trial
  • Solutions
    • Enzoic Account Takeover Protection
    • Enzoic for Active Directory
    • Enzoic Exposure Alerts
    • NIST Password Screening
  • FAQ
  • Resources
    • Submit a Support Ticket
    • Security Overview
    • API Documentation
  • Company
    • About Us
    • Careers
  • Blog
  • Contact Us
  • Free Trial
Credential Stuffing vs Brute Force Attacks

Credential Stuffing Attacks vs. Brute Force Attacks

The Open Web Application Security Project (OWASP), a non-profit that is dedicated to web application security, classifies credential stuffing as a subset of brute force attacks. However, in practice, the two types of cyber-attacks use very different methods to accomplish an account takeover and fraud.

To explore how credential stuffing attacks and brute force attacks differ, we need to understand what they are and how they operate. Here is a quick summary.

What Are Brute Force Attacks?

A brute force attack is a method used by hackers to crack the username and password of accounts through trial and error. Bad actors can use automated software to attempt as many guesses as possible with the goal to gain access to an account.  This is done with the hope that they will eventually find the right combination. Brute force attacks are a numbers-game that relies on increasing probabilities. It would be unlikely for a hacker to gain access to the account on the first attempt, the second attempt, or even the third attempt, but with enough attempts it just might happen. Brute force attacks are often likened to “breaking the door down.” This is because they don’t rely on sophisticated and complex methods or even already known compromised credentials to gain access, but rather they try to force their way in by overwhelming the system with guesses.

That isn’t to say that there is no intelligence behind some brute force attack methods. Hackers will often use a list of common passwords and use the most common combinations first. There is some logic in this form of brute force attack, so you may see it referred to as a hybrid brute force attack. Another common method is a systematic approach at guessing that can be devoid of outside logic. In this scenario, hackers may just use a list of dictionary words or dictionary word combinations. This is called a dictionary attack.

An attacker will often know the username of the account they are trying to get into and try to brute force the password. However sometimes the attacker may not know the username conclusively, but have some confidence in estimating a username. This is most commonly seen when a hacker is attempting to breach an employee account for a company. Companies tend to use a pattern for their email addresses.  For example, Jamal Harris might be jharris@company.com, Ines Martinez would be imartinez@company.com, and so on. With these patterns, if the hackers know the CEO of the company is called Anika Ming, then hackers could make a confident guess at her username.

Reverse brute force attacks are the opposite of this; instead of using a lot of passwords against 1 username, they use 1 password against lots of usernames (this is also known as password spraying, or low and spray attacks). These attacks are less common because it can be difficult to attain a large list of usernames, but websites often don’t have the same measures in place to protect against these attacks when compared to traditional brute force attacks. In March 2019, tech giant Citrix became a victim of this type of attack.

Online accounts almost always have cybersecurity measures in place to prevent brute force attacks. For example, a hacker could use brute force to get into your Gmail account because after a few wrong username and password combinations, the website will ask you to perform a CAPTCHA. Most websites will have something like this in place, if not a CAPTCHA they may impose a time restriction before another login can be attempted, and some websites will use both.

Credential Stuffing Attacks

While credential stuffing attacks are considered a subset of brute force attacks, they actually use a higher degree of intelligence in their method because they use bots or automated scripts to attack. This type of attack uses compromised credentials obtained from a data breach to attempt an account takeover (otherwise known as ATO). In this scenario, the hacker will have a database of credentials and personally identifiable information (PII) from a data breach.  For example, a bad actor can obtain PII data online from a data breach of a large hotel chain’s customer database and then, use these credentials to gain access to an unrelated account such as a bank account.  In May 2019, Boost Mobile disclosed a credential stuffing attack and if you run a google search on credential stuffing attacks, you can find thousands of victims in the last 3 years.   

Credential stuffing attacks mainly rely on people having the same username and password combinations across their accounts in order to work. People will often use one email address for their accounts, and often people will use the same password because it’s easy to remember. This is why it is recommended that you have unique passwords for all of your accounts.

The success rate of credential stuffing attacks can be low, with some estimates putting it at around 0.1% to %1 depending on the security of the target organization. Like brute force attacks, it’s a numbers game.  For example, if a credential stuffing attacks is taking place over time with 1,000,000 targets, that can equal 10,000 vulnerable accounts. Hackers will use lists of hundreds of thousands of credentials and an automated script in order to conduct the account takeover and even if they only successful a few times, they can successfully commit fraud.  

The attacker will use the spilled usernames and passwords against a range of accounts, such as bank accounts, social media accounts, online marketplaces, crypto wallet accounts, and even loyalty or rewards program accounts. If they get into an account with funds, they will drain the account of funds or in the case of online marketplaces, may use your linked credit card to commit fraud. Even when an attacker only gains access to social media accounts, your data can still be highly valuable to them. Your personal information can be used in social engineering email or telephone scams in order to encourage you to give up access to your account under false pretenses, or can be used to gain access to your friends and family.   

How to Handle These Types of Attacks

There are a variety of ways that organizations are attacked and there is a broad array of security products to mitigate these brute force and credential stuffing attacks.  No single product is 100% reliable against all of the forms of attacks and most security experts recommend a layered approach of protection against the attacks. 

Nevertheless, the most common threat vector to organizations are compromised user name and password combinations that get exposed in data breaches.  The organization that has the data breach is vulnerable to nefarious activity. But the problem becomes worse because so many online users reuse passwords, bad actors are able to fraudulently access other accounts that use the same user name and password.

To help reduce both brute force attacks and credential stuffing attacks, organizations can opt to screen their user accounts for compromised credentials and then take appropriate action to degrade the threat.  

Enzoic Can Help with These Attacks

If your organization is struggling with a lot of brute force attacks on your sites and systems, we would recommend checking our Password API to make sure that the user’s password isn’t part of a cracking dictionary.  This is specifically what the NIST Password guidelines recommend (NIST 800-63b).  The screening of the username and password combination isn’t sufficient, you also need to check against cracking dictionaries.  Just because a user name and password combo have not been found on the dark web, doesn’t mean it safe.  If the password is a common password or is frequently seen in cracking dictionaries, it is still vulnerable to a brute force attack. Brute force attacks are by definition offline attacks, so you need to defend against a lot of possible passwords. And that password needs to be checked an updated list daily, not just when the user sets it up. 

If your organization is the victim of a lot of credential stuffing attacks, we would recommend checking our Credential API. You can get a free list of passwords online, but the free lists are usually limited in size and will need to be updated daily. Most teams do not have the staffing to support a daily update process.  Because credential stuffing attacks are by definition online attacks, you can defend against them using specific compromised username and password combinations. Restricting users from using any password from a cracking dictionary (like the free lists) results in limiting your online users from selecting passwords that would otherwise be safe from an online attack. The user experience can be very frustrating if the passwords restrictions are too stringent and you risk user abandonment.

Account TakeoverBrute Force AttackCredential Stuffing

Search

Browse blog categories

  • all posts (23)
  • breach (3)
  • cybersecurity (12)
  • Edtech (1)
  • Law Firms (1)
  • NIST 800-63b (1)
  • press release (3)
  • tips (7)

Recent tweets

Enzoic
9h
Enzoic
@EnzoicSecurity

USPTO Failing on Cyber Hygiene for Active Directory, IG Finds: meritalk.com/articles/uspto… #InfoSec

Expand reply reply retweet retweet favorite favorite
Enzoic
18h
Enzoic
@EnzoicSecurity

Evite e-invite website admits security breach: zdnet.com/article/evite-…

Expand reply reply retweet retweet favorite favorite
Enzoic
18 Jun
Enzoic
@EnzoicSecurity

Eliminating Password Reuse To Prevent Account Takeover Fraud: Protecting consumers from themselves is the organization’s responsibility. If the organization doesn't do it, they will be responsible for covering the consumer's losses. enzoic.com/intuitive-ato-…

Expand reply reply retweet retweet favorite favorite
Enzoic
17 Jun
Enzoic
@EnzoicSecurity

Data breaches are a "time bomb" under companies that let customer information go astray, warns a security expert. zurl.co/6FJa

Expand reply reply retweet retweet favorite favorite
Enzoic
16 Jun
Enzoic
@EnzoicSecurity

API Security Vulnerabilities: A Crack in the Foundation of Digital Business: infosecurity-magazine.com/opi…

Expand reply reply retweet retweet favorite favorite

Stay up to date

Research, news, and more right to your inbox

More

  • Learning about strong, but unsafe passwords
  • What is a credential stuffing attack?
  • What is account takeover (ATO) fraud?
  • Eliminating password reuse to prevent ATO fraud
  • Password Strength Meter (Free)
  • Developer Documentation (APIs)

Recent blog posts

  • Enzoic Part of Enterprise Security Magazine’s Top 10 Identity and Access Management Solution Providers for 2019
  • Eliminating the Burden of Periodic Password Reset
  • Credential Stuffing Attacks vs. Brute Force Attacks
  • A Guide to Law Firm Cybersecurity Risks & Ethical Compliance
  • [ Free Trial ]
  • Contact Us
  • 1-720-773-4515

Enzoic ©2019 | Privacy Policy | Acceptable Use

More Information
This site is for EDUCATIONAL PURPOSES ONLY. Your password will be sent securely to the Enzoic servers to check if it is compromised. We do not store your password or use it for any other purpose. If you are not comfortable with this, do not enter your real password.
What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater. Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.

More…
  • Visit our FAQ to learn more
  • Contact us for press or sales inquiries
  • Add a free password strength meter to your website
test

test

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater.

Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.