What is Credential Stuffing and Why Should I Care?

5/29/2019

You should know by now that using common passwords is a bad idea. And you may have heard of recent password breaches and that you should change passwords on breached sites. But there is an additional threat: credential stuffing.

sticky notes with basic passwords written on them

Whenever there is a breach where usernames or email addresses are disclosed and can be matched with passwords - either plaintext or easily discovered, an additional vulnerability is unleashed. Unfortunately, many people still use a single password on multiple sites. If all sites used complex hashing of the users' credentials, the risk would be lower. Unfortunately, usernames are often email addresses and those are seldom hashed.

When a site is breached, an attacker can use the disclosed usernames with previously-discovered passwords to try to attack a site. That is credential stuffing. Consider: a breach discloses a username and password for site A. A subsequent breach shows that same username for site B. Even if the password for B is not disclosed, an attacker could try the password from the A disclosure to see if worked at B.

Now imagine multi-site credential dumps such as the recently disclosed "Collection #1" and the one discovered at the end of 2017. Correlating these data can lead to attempts to stuff credentials for millions of users. If you use a particular password - no matter how strong - in two places, you are vulnerable to such an attack.

If I sound like a broken record telling people not to use a password in more than one place, it is because it is still a common practice.

We have tools to help us manage passwords so we can manage multiple, complex passwords. Both Bob Cromwell and I have discussed this in the past. I still promote this approach.

But the real solution is to look at the real vulnerability here: passwords. Passwords can be disclosed. They can be matched with usernames since the latter are seldom stored securely (which is a big reason credential stuffing is an issue). We have ways to make passwords single-use such as OPIE and repeated hashing. These methods are a "fix" implemented on top of a flawed infrastructure.

Instead of passwords, we need a good alternative. It could be two-factor authentication where a user has a token to add an unpredictable code to a password, two-step authentication where the user provides a password and is then asked to verify it by a code sent to a phone or one displayed in an app. Maybe the best solution is a biometric technique such as a fingerprint or face recognition: both are on smartphones today.

Most of us can't choose how the websites we use authenticate users. Passwords are a cheap and easy authentication solution. Some sites, though, are using techniques in addition to, or instead of passwords. Using those techniques, and good, unique passwords will help keep you protected from password spraying, credential stuffing, password guessing, and other attacks.

UPDATE: Shortly after writing this, an article on CNET came out describing an alternative for passwords when users use Android devices. That alternative uses biometrics and security keys.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.