Open In App

Credential Stuffing in Ethical Hacking

Last Updated : 21 Jul, 2022
Improve
Improve
Like Article
Like
Save
Share
Report

Credential Stuffing is a cyberattack in which the attacker uses the list of credentials that are publicly available and then breaks into the system with various types of custom bots and other automation along with IP spoofing to prevent getting blocked. 

IP Spoofing

 

But as per the reports, only a small fraction of attacks that are carried out result in successful account takeover.

Working of Credential Stuffing:

Generally, the attackers create automated tools like Bots that fetch the credentials from the dictionary of leaked credentials during data breaches and attempt to parallelly log into accounts to get access to web applications while spoofing the IP addresses, so they don’t get blocked by the system because of multiple failed attempts. After the attacker breaks into the system, he intends to obtain personal information, credit card details, or other data that may be private to the user or an organization.

How is Credential Stuffing different from Brute Force:

Credential Stuffing and Brute force are a lot similar, but there are some differences in both methods. 

  • Usually, during a Brute force attack, the attacker tries to guess the credential with no prior context or information regarding the victim using random strings, everyday phrases, common passwords, or a list of commonly used passwords and tries various permutations of them.
  • This attack is a success only and only if the victim has a weak, simple, and guessable password. As the attacker has no prior information regarding the victim, the rate of success is pretty low in the Brute force attack.

Counter-Measures:

The following points should be kept in mind to prevent Credential Stuffing Attacks:

  • Make sure the usernames and passwords are not reused across all the platforms, and the username should not be the same as that of the email address.
  • Using Multi-Factor-Authentication reduces the chances of Account Hijacking, even if the passwords are compromised.
  • Regularly change passwords in case it is compromised, or the services are under a data breach.
  • Check whether your credentials were ever involved in data breaches like haveibeenpwned.
  • Regularly monitor your account for unusual activity.

For Web Application Users:

  • Make sure the user’s passwords are not stored in plain text form and are encrypted properly.
  • Using Captcha to prevent bots from attempting to log in.
  • Blocking/Banning IPS with suspicious traffic.
  • Limiting continuous log-in attempts.

Like Article
Suggest improvement
Previous
What is Password Guessing Attack?
Next
Reverse Brute Force Attack in System Hacking
Share your thoughts in the comments

Similar Reads

What is System Hacking in Ethical Hacking?
How To Multiple IP Addresses Work in Ethical Hacking?
Top 50 Ethical Hacking Interview Questions and Answers
Remote Access in Ethical Hacking
What is Heartbleed Bug in Ethical Hacking ?
Port Scan in Ethical Hacking
What is User Privileges in Ethical Hacking ?
What is Hybrid Cryptosystem in Ethical Hacking?
User Enumeration in Ethical Hacking
ARIN in Ethical Hacking

H
harshmaster07705
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox