Credential stuffing: what it is and why you need to worry

Martin Walshaw, Senior Engineer at F5 Networks

We’ve all heard about the myriad security breaches over the past year, which between them exposed billions of credentials. And while most of us are aware that those credentials circulating on the black market are a threat, many may not understand exactly why.

The cause for concern lies in the combination of those breaches and poor security habits. Together they have given rise to a relatively new practice called “credential stuffing”, and it is a serious threat to every organisation that authenticates its users with passwords.

In 2016 alone we learned that more than a billion sets of credentials had been exposed by breaches. For the most part these were personal accounts, spread across social media sites such as LinkedIn and Twitter.

Most people, when informed that they’ve been the victim of such a breach, rush out and change the affected password. Good on them; that’s what they should do.

What organisations should also do in response to such a breach, but likely don’t, is require a reset of any corporate password that may have been reused on the breached site.

A closer look at credential stuffing

Credential stuffing takes the vast pools of username and password pairs exposed in breaches like those mentioned above and replays them, with automation and at scale, against other systems such as corporate logins, where the value of the data and resources behind an account is far higher. Because of poor security habits, chiefly reusing the same email address or username together with the same password across sites, a meaningful fraction of those replayed pairs will work.

Really, they have a pretty good chance if you look at the statistics around password reuse. Back in 2012 one survey found that more than half of respondents (61%) admitted to reusing the same password across multiple sites. By 2015 that figure had got worse: according to a more recent report, nearly three out of four consumers use duplicate passwords, many of which have not been changed in five years or more.

The more recent survey goes on to note that about 40% of those surveyed had experienced a security incident during the past year, meaning an account was hacked, a password stolen, or they were notified that their personal information had been compromised. Not surprising in the least.

Bad habits enable further breaches

Bad actors know this. Circumventing security is as much about understanding the habits of consumers as it is about technology, and credential stuffing combines the two. Unlike a classic brute-force attack, which generates password guesses algorithmically and hammers one account, a stuffing attack replays known username/password pairs lifted from breach dumps and typically tries each account only once or twice, so per-account lockouts and failed-login counters often never fire. Given the reuse statistics above, it has a fair chance of success.
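Because each account sees only one or two attempts, the signal that distinguishes stuffing from brute force is per source, not per account: many distinct usernames, a high failure rate, and the occasional success. The following detection logic, run over constructed sample log lines, is an added example and not code from the original article; the log format, the IP addresses and the thresholds are assumptions chosen for illustration.

```python
"""Spotting credential stuffing in authentication logs.

Added example, not code from the original article. The log format and the
thresholds below are assumptions chosen for illustration; tune them to your
own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client ip> login <username> <SUCCESS|FAIL>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<user>\S+) (?P<result>SUCCESS|FAIL)$"
)

# Constructed sample. 198.51.100.7 replays leaked username/password pairs,
# touching each account once (stuffing); 203.0.113.5 hammers a single
# account (classic brute force); 192.0.2.10 is a user who mistyped once.
SAMPLE_LOG = """\
2017-03-01T10:00:00 198.51.100.7 login alice FAIL
2017-03-01T10:00:02 198.51.100.7 login bob FAIL
2017-03-01T10:00:04 198.51.100.7 login carol FAIL
2017-03-01T10:00:06 198.51.100.7 login dave FAIL
2017-03-01T10:00:08 198.51.100.7 login erin FAIL
2017-03-01T10:00:10 198.51.100.7 login frank FAIL
2017-03-01T10:00:12 198.51.100.7 login hank SUCCESS
2017-03-01T10:01:00 203.0.113.5 login grace FAIL
2017-03-01T10:01:01 203.0.113.5 login grace FAIL
2017-03-01T10:01:02 203.0.113.5 login grace FAIL
2017-03-01T10:01:03 203.0.113.5 login grace FAIL
2017-03-01T10:01:04 203.0.113.5 login grace FAIL
2017-03-01T10:01:05 203.0.113.5 login grace FAIL
2017-03-01T10:02:00 192.0.2.10 login alice FAIL
2017-03-01T10:02:07 192.0.2.10 login alice SUCCESS
"""


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def classify_sources(events, window=timedelta(minutes=5), min_attempts=6,
                     min_failure_rate=0.7, stuffing_distinct_ratio=0.8):
    """Per source IP, look at every sliding window of `window` length and label
    the source 'credential_stuffing' (mostly failures spread over many distinct
    accounts), 'brute_force' (mostly failures against one or two accounts) or
    'normal'. Per-account lockouts would miss the first case entirely."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        verdict = "normal"
        for i in range(len(evs)):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            chunk = evs[i:j + 1]
            attempts = len(chunk)
            if attempts < min_attempts:
                continue
            failures = sum(1 for e in chunk if e["result"] == "FAIL")
            distinct = len({e["user"] for e in chunk})
            if failures / attempts < min_failure_rate:
                continue
            if distinct / attempts >= stuffing_distinct_ratio:
                verdict = "credential_stuffing"
                break
            if distinct <= 2:
                verdict = "brute_force"
                break
        verdicts[ip] = verdict
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a source flagged as stuffing:
    the likely takeovers, which should be forced to reset their password."""
    return {e["user"] for e in events
            if e["result"] == "SUCCESS" and verdicts.get(e["ip"]) == "credential_stuffing"}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    verdicts = classify_sources(evs)
    for ip, verdict in verdicts.items():
        print(ip, verdict)
    print("likely takeovers:", sorted(compromised_accounts(evs, verdicts)))
```

Keying on the client IP is only a starting point: real campaigns are spread across proxy pools, so in production the same aggregation is usually repeated per network block, ASN, user agent or device fingerprint, and the successful logins from flagged sources are the ones worth an immediate forced reset.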

So realistically, what can you do about this problem? After all, you can’t really stop consumers, who are also your employees, from reusing credentials or passwords.

First, make sure your developers and ops teams understand the threat. Start with OWASP, which is always a good place to begin when digging into the technical side of web app security; its Automated Threats to Web Applications project catalogues credential stuffing alongside the other bot-driven attacks it resembles.

Second, give serious consideration to forcing password changes after a significant breach of an external site which a large percentage of your employee population is likely to use. Better still, screen the password each user enters at their next login against the leaked set and force a reset only where it matches, which is far less disruptive than a blanket reset.

Lastly, check with your web application firewall vendor to see whether there is an automated protection you can put in place against such an attack, such as per-source rate limiting, bot detection or blocking of logins that replay known-leaked credentials.

Mostly, remain vigilant about enforcing secure password policies and regular changes. Users hate that (I know I’m not a fan) but increasingly one of the best protections you have against a breach is good credential management. One caveat worth knowing: current NIST guidance (SP 800-63B) no longer recommends routine forced password rotation and instead favours screening passwords against known-breached lists, with multi-factor authentication as the backstop, since a replayed password alone is then not enough to get in.
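The screening step from the recommendations above can be done without ever sending the password, or even its full hash, to a third party. The following is an added example, not code from the original article or from F5: it implements the k-anonymity range query used by the Have I Been Pwned Pwned Passwords service (the client sends only the first five hex characters of the password’s SHA-1 and matches the returned suffixes locally) against a constructed stand-in corpus, so it runs offline. The corpus and its counts are made up for the demonstration; `hibp_lookup` shows the real network call but is not exercised.

```python
"""Screening a password against a breach corpus by k-anonymity (SHA-1 prefix).

Added example, not from the original article. The range-query protocol is the
one the Have I Been Pwned "Pwned Passwords" service exposes; the corpus below
is constructed and its counts are not real breach figures.
"""
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for a leaked-credential corpus: password -> times seen.
CONSTRUCTED_CORPUS = {"password": 5, "123456": 9, "qwerty": 3}


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that is matched locally and never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_index(corpus: Dict[str, int]) -> Dict[str, str]:
    """Index the corpus the way a range endpoint serves it:
    prefix -> CRLF-separated "SUFFIX:COUNT" lines."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in index.items()}


_RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def offline_lookup(prefix: str) -> str:
    """Stand-in for the network call: returns the range response for a prefix,
    or an empty response when no stored hash shares that prefix."""
    return _RANGE_INDEX.get(prefix, "")


def hibp_lookup(prefix: str) -> str:
    """Real range query (not exercised here); only the 5-char prefix is sent."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: Callable[[str], str] = offline_lookup) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, lookup: Callable[[str], str] = offline_lookup,
                   min_length: int = 8) -> dict:
    """Registration or login-time check in the spirit of NIST SP 800-63B:
    reject passwords that are too short or present in a breach corpus. At login,
    a failed check is the trigger for a forced reset of that one account."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    count = pwned_count(password, lookup)
    if count:
        reasons.append(f"appears {count} time(s) in the breach corpus")
    return {"ok": not reasons, "pwned_count": count, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("password", "123456", "a long unique passphrase 2017"):
        print(candidate, "->", check_password(candidate))
```

Swapping `offline_lookup` for `hibp_lookup` turns this into a live check; because the prefix covers roughly one in a million possible hashes, the service learns nothing usable about which password was being tested, which is what makes it acceptable to call from a login path.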

Stay safe out there!

By Martin Walshaw