Protecting yourself against credential stuffing
Learn about protecting yourself against credential stuffing by using password managers and MFA, OWASP, their Top 10 list, and web application security.
Jun 08, 2023 • 4 Minute Read
In this post, we'll talk about protecting yourself against credential stuffing by using password managers and MFA. Plus, OWASP, their Top 10 list, and web application security.
Accelerate your career
Get started with ACG and transform your career with courses and real hands-on labs in AWS, Microsoft Azure, Google Cloud, and beyond.
We've all seen it. It feels like every week there's a news story about credentials or personally identifiable information being leaked.
In response to these attacks, organizations have implemented a variety of security measures, including Web Application Firewalls (WAF) to block attacks and large Security Operations teams to monitor for attacks. Although these measures are great defensive measures against web application attacks, many end user credentials are still being compromised and unauthorized user account access continues to be an issue.
So, the question remains: How can end users better protect themselves even after their credentials are stolen?
Let's take a look at the attacks that cause web application credential compromises and the ways you (the end user) can protect yourself against them.
What is credential stuffing?
The practice of credential stuffing is a technique used by hackers to take over legitimate user accounts by using stolen credentials.
This attack basically consists of obtaining stolen credentials, typically from criminal sources or a recent breach, and attempting to login with the stolen credentials on a range of websites. This automated attack is so successful because people often reuse the same credentials for multiple websites.
The obvious solution is to use different passwords for every website . . . but remembering all those passwords is a challenging task. However, there is a solution called a “password manager” that stores all your passwords in an encrypted vault.
This vault can be accessed to retrieve passwords in a quick and easy fashion while protecting you from password reuse.
Password managers effectively lowers the risk of credential stuffing so that one compromised website account does not lead to other accounts being compromised with stolen credentials.
Multi-factor authentication (MFA)
In addition to password managers, many websites now offer the use of Multi-Factor Authentication (MFA). This means that users must authenticate using two forms of authentication in order to log into their user account.
- The first form of authentication is “something you know” which is often a username and password.
- The second form of authentication is typically a SMS text message which is considered to be “something you have” since you have to have physical access to a mobile device in order to receive the second form of authentication.
- “Something you are,” would be a biometric form of authentication like a fingerprint or facial scan.
Using MFA reduces the likelihood of account compromise since a remote hacker is highly unlikely to have access to the mobile device or fingerprint required for authentication.
Web application security
With these solutions users are able to better secure their online accounts and prevent unauthorized access to those accounts. However, this is only the tip of the iceberg in terms of web application security (or web app sec).
The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to researching the topic of web application security issues and leading projects that address these issues.
The OWASP Top 10 project covers some of the most important security risks related to web applications and gives an in-depth analysis on attacks like cross-site scripting and injection. These attacks are leveraged by hackers to compromise web application databases and obtain user credentials for the credential stuffing attacks we discussed.
Learn more about web application security
Want a better understanding of web application security? Whether you're interested in learning how hackers perform these attacks, or want to learn more about defending against these attacks, our Introduction to OWASP Top 10 Security Risks course addresses both aspects. There's also a hands-on lab to practice web application hacking and take your skills to the next level.