Recently, a cybersecurity researcher discovered dozens of text files stored on an unsecured web server. While this discovery may seem routine against the backdrop of data breaches making headlines daily, the data the researcher unearthed sent shockwaves through the information security community. Stored in those text files were over 711 million unique usernames and passwords, making it the largest batch of data ever loaded into the breach notification website haveibeenpwned.com.
The issue with this find is that a large quantity of valid user logins increases the effectiveness of automated password attacks. Using a technique dubbed “credential stuffing,” hackers have a higher success rate at breaking into networks because the passwords in their arsenal are known to be valid somewhere. So, what is “credential stuffing,” how do hackers use this attack, and why should it raise alarm bells for organizations?
What Is Credential Stuffing and Why Should Organizations Mitigate This Risk?
Credential stuffing is an automated password attack that leverages a list of compromised usernames and passwords to gain unauthorized access to systems. As passwords remain the de facto authentication mechanism we use to access online services, they are effectively the weakest link in security.
The problem with passwords is that people adopt poor practices when it comes to securing these vital links in the security chain. They choose passwords that are commonly used or easy to guess. However, the poor practice that credential stuffing leverages is the fact that many people reuse the same password across multiple systems. If a hacker can obtain a treasure trove of login credentials, such as those found on the server in the Netherlands, they can use that list to compromise other sites and services.
Credential stuffing is an effective automated attack because people reuse passwords. If your super secure 15-character password that contains upper- and lower-case characters, numbers, and symbols is compromised on one system, a hacker can reuse it to gain access to another service. It is even successful against systems that enforce complexity, a measure put in place by system administrators to strengthen password security.
What makes the 711 million stolen login credentials so alarming is that password reuse is widespread. According to the 2018 Global Password Security Report by LogMeIn, 50% of people do not create different passwords for personal and work accounts. This statistic illustrates the risk credential stuffing poses to organizations. The probability of a hacker successfully compromising an enterprise using credential stuffing is higher than with other forms of automated brute-force password attacks. In 2017, a study found that the success rate for this type of attack ranged between 0.1 and 2%. However, since then there have been multiple data breaches, including the recent discovery of the 711 million unique login credentials. Assuming people’s habits do not change, this means the success rate for a credential stuffing attack in 2019 could be higher.
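Because credential stuffing tries one leaked password against many different accounts, rather than many passwords against one account, the signal a defender can watch for in authentication logs is account breadth per source combined with a low success rate. The following detector is an added example and not code from the article or from Coranet; the log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): timestamp, source IP, username, result.
# 203.0.113.7 sprays one password across many accounts (stuffing; one reused password succeeds).
# 198.51.100.9 hammers a single account (classic brute force, a different pattern).
SAMPLE_LOG = """\
2019-03-01T10:00:01 203.0.113.7 alice FAIL
2019-03-01T10:00:02 203.0.113.7 bob FAIL
2019-03-01T10:00:02 203.0.113.7 carol FAIL
2019-03-01T10:00:03 203.0.113.7 dave OK
2019-03-01T10:00:04 203.0.113.7 erin FAIL
2019-03-01T10:00:05 203.0.113.7 frank FAIL
2019-03-01T10:00:06 203.0.113.7 grace FAIL
2019-03-01T10:00:10 198.51.100.9 alice FAIL
2019-03-01T10:00:11 198.51.100.9 alice FAIL
2019-03-01T10:00:12 198.51.100.9 alice FAIL
2019-03-01T10:00:13 198.51.100.9 alice FAIL
2019-03-01T10:05:00 192.0.2.33 mallory OK
"""


def parse(log):
    """Yield (timestamp, source_ip, username, succeeded) for each log line."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def find_stuffing(log, window=timedelta(minutes=5), min_accounts=5, max_success_ratio=0.3):
    """Flag sources that target many distinct accounts, mostly failing, within one time window.

    Returns {source_ip: {"accounts": n, "attempts": n, "successes": n}} for flagged sources.
    """
    secs = window.total_seconds()
    buckets = defaultdict(list)  # (source ip, window index) -> [(user, succeeded)]
    for ts, ip, user, ok in parse(log):
        buckets[(ip, int(ts.timestamp() // secs))].append((user, ok))

    flagged = {}
    for (ip, _), attempts in buckets.items():
        accounts = {user for user, _ in attempts}
        successes = sum(1 for _, ok in attempts if ok)
        if len(accounts) >= min_accounts and successes / len(attempts) <= max_success_ratio:
            flagged[ip] = {"accounts": len(accounts), "attempts": len(attempts), "successes": successes}
    return flagged


if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

The successful login for `dave` inside a flagged window is exactly the reused-password compromise the article describes, so a flagged source is a reasonable trigger for step-up authentication or a forced password reset on the accounts it touched. Attackers that spread attempts across many source addresses will stay under a per-IP threshold, so in production the same logic is usually also run per user-agent, per ASN, or per target application.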
Mitigating the Risk of Credential Stuffing
Organizations that want to implement measures to minimize the risk of credential stuffing have two choices. They either need to make sure their users follow good practice by using a unique password for every service, or they need to implement multi-factor authentication.
The problem with relying on users to follow good password practices is that it is impossible to enforce and monitor. There is no way to determine if a user has reused their password on a private service they access outside their working environment.
The other problem is basic human nature. With the average business user needing to keep track of 191 passwords, the likelihood that some individuals will reuse passwords across multiple systems is high.
Organizations that want to protect against a credential stuffing attack must implement multi-factor authentication. By requiring a user to submit an additional verification factor, such as a one-time PIN, in addition to their password, they can reduce the risk of compromise via credential stuffing considerably. Though end users may find the approach inconvenient, it is the most effective method of foiling credential stuffing.
While credential stuffing is on the rise, organizations do have defenses they can and should bring to bear to protect their networks, their assets, and their credibility.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support are part of our foundation, and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, IT Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information.