Credential stuffing and brute force attacks are two common types of cyberattack with the same objective: taking control of user accounts. This is why they are often grouped together as ‘account takeover’, or simply ATO, attacks.
While the two share that objective, they work on different principles and use different techniques, so defending against them requires different measures.
Here we will discuss how each attack works, the key difference between them, and the most effective ways to protect your network and data from both brute force and credential stuffing attacks.
What Is a Brute Force Attack?
A brute force attack, also called a ‘credential cracking’ attack, is identified as OAT-007 in the OWASP (Open Web Application Security Project) Automated Threat Handbook. It is a technique (or a family of techniques) for identifying valid credentials, commonly username and password pairs, by trying possible values for the password and/or username until one is accepted.
For example, against a 4-digit numeric PIN, a brute force attack will attempt 0000, 0001, 0002 and so on up to 9999, or until it hits the right PIN.
The underlying principle is simple: given unlimited attempts and unlimited time, an exhaustive search is guaranteed to succeed eventually. This is why websites and apps limit the number of login attempts, to slow the attacker down and lock out anyone who keeps trying.
The shorter and less complex the password, the smaller the keyspace and the faster an attacker can ‘guess’ it.
Brute force attacks can be performed manually by a human attacker, but nowadays they are typically performed by bots making automated attempts in rapid succession, often hundreds if not thousands of guesses per minute.
In practice, brute force attacks use several techniques to improve their success rate and/or evade the site’s or system’s security measures:
- Dictionary attack: the attacker works through a list of commonly used passwords (the ‘dictionary’) rather than trying every possible combination of characters.
- Hybrid attack: a dictionary attack combined with simple brute force. For example, if the dictionary entry is ‘january11’, the next attempt will be ‘january12’, and so on through the variations of that word.
- Reverse brute force attack (also known as password spraying): the attacker keeps one commonly used password (e.g. ‘1234567890’) fixed and varies the username instead, so that no single account receives enough failed attempts to trigger a lockout.
As we can see, brute force or credential cracking attacks rely on cumulative probability: with enough attempts, they will eventually succeed.
Attackers can be extremely patient. There are recorded cases of an attacker trying a single password against one very valuable account each day, to avoid triggering lockouts or suspicion. So although the concept is simple, defending against brute force attacks can be complicated.
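The three techniques above, and the effect of an attempt limit on them, can be seen in a small simulation. The following is an example added to this article, not code from the original page or from DataDome or OWASP: a hypothetical login endpoint with salted password hashes and a per-account lockout, attacked with a dictionary search, a hybrid search (word plus two-digit suffix) and a reverse brute force sweep. The wordlist, the three accounts and the lockout threshold are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample data: a tiny dictionary and three accounts. Carol's password is
# random and will not be found by any list-driven search.
WORDLIST = ["password", "123456", "qwerty", "january", "summer"]
USERS = {"alice": "summer07", "bob": "123456", "carol": "Tq9!vX#2mLp4"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the endpoint never stores or compares plaintext.
    # The iteration count is kept low only so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def make_user_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    table = {}
    for name, password in users.items():
        salt = os.urandom(16)
        table[name] = (salt, _hash(password, salt))
    return table


class LoginEndpoint:
    """Hypothetical login endpoint that locks an account after max_attempts failures."""

    def __init__(self, table: Dict[str, Tuple[bytes, bytes]], max_attempts: int):
        self.table = table
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        if username not in self.table:
            return "fail"  # same answer as a wrong password, so usernames cannot be enumerated
        if self.failures[username] >= self.max_attempts:
            return "locked"
        salt, digest = self.table[username]
        if hmac.compare_digest(_hash(password, salt), digest):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "fail"


def dictionary_candidates(wordlist: List[str]) -> Iterator[str]:
    """Plain dictionary attack: each word once."""
    yield from wordlist


def hybrid_candidates(wordlist: List[str], suffixes: range = range(100)) -> Iterator[str]:
    """Hybrid attack: each word, then the word with the two-digit suffixes 00..99."""
    for word in wordlist:
        yield word
        for n in suffixes:
            yield f"{word}{n:02d}"


def crack_account(endpoint: LoginEndpoint, username: str,
                  candidates: Iterator[str]) -> Tuple[Optional[str], int, bool]:
    """Try candidates in order. Returns (password or None, attempts made, hit lockout?)."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        result = endpoint.login(username, candidate)
        if result == "ok":
            return candidate, attempts, False
        if result == "locked":
            return None, attempts, True
    return None, attempts, False


def reverse_brute_force(endpoint: LoginEndpoint, usernames: List[str], password: str) -> List[str]:
    """Reverse brute force / password spraying: one password tried against many accounts."""
    return [u for u in usernames if endpoint.login(u, password) == "ok"]


def demo() -> dict:
    # Without a lockout the hybrid search reaches 'summer07' on the 413th guess,
    # and never finds Carol's random password even after exhausting the list.
    open_endpoint = LoginEndpoint(make_user_table(USERS), max_attempts=10**9)
    results = {
        "bob_dictionary": crack_account(open_endpoint, "bob", dictionary_candidates(WORDLIST)),
        "alice_hybrid": crack_account(open_endpoint, "alice", hybrid_candidates(WORDLIST)),
        "carol_hybrid": crack_account(open_endpoint, "carol", hybrid_candidates(WORDLIST)),
    }
    # With a five-attempt lockout the same search against Alice is stopped on the sixth
    # guess, but spraying one password across all accounts still takes over Bob's.
    locked_endpoint = LoginEndpoint(make_user_table(USERS), max_attempts=5)
    results["alice_locked"] = crack_account(locked_endpoint, "alice", hybrid_candidates(WORDLIST))
    results["sprayed"] = reverse_brute_force(locked_endpoint, list(USERS), "123456")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The per-account lockout stops the hybrid search against one account within six guesses, but the sprayed password still succeeds against Bob, since each account only sees a single failure. That is why attempt limits need to be tracked per source and across accounts as well as per account, which is what the bot management measures later in this article address.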
What Is a Credential Stuffing Attack?
A credential stuffing attack is identified by OWASP as OAT-008 in the same Automated Threat Handbook.
Unlike a brute force attack, credential stuffing does not guess: it replays credentials already known to be valid on one site against accounts on other sites. Credentials stolen in data breaches circulate all over the internet, many of them sold on the dark web, and these breach lists are the raw material of credential stuffing attacks.
Credential stuffing exploits a very common bad habit: reusing the same username and password pair across many accounts. When one of those accounts is compromised (often without the user’s knowledge), every other account sharing that password is effectively compromised too.
Attackers typically use bots to try the stolen credentials against many different websites simultaneously. Each credential is tested only once per site, so the hit rate per attempt is low, but every hit is a working account obtained without any guessing.
Defending Against Brute Force and Credential Stuffing Attacks
1. Identifying and Managing Bot Activity
Since most brute force and credential stuffing attacks are performed by bots, identifying and managing bot activity protects accounts and systems against both attacks at once.
A credential stuffing mitigation solution capable of behavior-based detection, such as DataDome, can detect malicious bots attempting account takeover in real time. DataDome uses AI and machine learning technologies to detect and manage bot traffic in real time. Running on autopilot, it notifies you when malicious bot activity is detected without requiring any manual action on your part.
A good bot management solution should:
- Differentiate between good bots and bad bots
- Distinguish bots from legitimate human visitors
- Analyze each bot’s behavior and manage its traffic as needed
- Identify fingerprints (IP address, browser, OS) and filter on fingerprint reputation
- Challenge/test the bot via JavaScript challenges, CAPTCHA and other methods
- Throttle/rate-limit any source that makes repeated login attempts, per IP as well as per account
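The behavioral distinction between the two attacks is visible in login logs: credential stuffing spreads one attempt over many accounts with a high failure rate, while credential cracking hammers one or two accounts. The following is an example added to this article, not DataDome’s detection logic: it parses a constructed log format, aggregates attempts per source IP, classifies each source, and decides whether to allow, throttle or block it. The log lines, thresholds and IP addresses are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format (not a real product's format): one login attempt per line.
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def per_minute(self) -> float:
        # Attempts per minute over the observed span, never shorter than one minute.
        span = (self.last - self.first).total_seconds()
        return self.attempts * 60 / max(span, 60)


def parse(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match rather than crash on them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def aggregate(events) -> Dict[str, SourceStats]:
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for ts, ip, user, result in events:
        s = stats[ip]
        s.attempts += 1
        if result == "fail":
            s.failures += 1
        s.users.add(user)
        s.first = ts if s.first is None or ts < s.first else s.first
        s.last = ts if s.last is None or ts > s.last else s.last
    return dict(stats)


def classify(s: SourceStats, min_attempts: int = 10, fail_ratio: float = 0.8) -> str:
    if s.attempts < min_attempts or s.failure_ratio < fail_ratio:
        return "normal"
    if len(s.users) >= 0.8 * s.attempts:
        return "credential_stuffing"  # one try per account: distinct users track attempts
    if len(s.users) <= 2:
        return "brute_force"  # many tries hammering one or two accounts
    return "suspicious"


def triage(lines: List[str], max_per_minute: float = 20.0) -> Dict[str, Tuple[str, str]]:
    """Return {ip: (verdict, action)} for every source seen in the log."""
    decisions = {}
    for ip, s in aggregate(parse(lines)).items():
        verdict = classify(s)
        if verdict != "normal":
            action = "block"
        elif s.per_minute > max_per_minute:
            action = "throttle"  # too fast for a single human but not clearly an attack
        else:
            action = "allow"
        decisions[ip] = (verdict, action)
    return decisions


def build_sample_log() -> List[str]:
    """Constructed log lines for four sources; this is not captured traffic."""
    base = datetime(2024, 3, 1, 10, 0, 0)

    def line(offset: int, ip: str, user: str, result: str) -> str:
        stamp = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{stamp} ip={ip} user={user} result={result}"

    lines = []
    # 203.0.113.5: one breached credential per account, two of them still valid
    lines += [line(2 * i, "203.0.113.5", f"user{i:02d}", "ok" if i in (3, 17) else "fail") for i in range(30)]
    # 198.51.100.7: 25 guesses against the single 'admin' account
    lines += [line(i, "198.51.100.7", "admin", "fail") for i in range(25)]
    # 192.0.2.9: a human who mistypes twice, then logs in
    lines += [line(t, "192.0.2.9", "alice", r) for t, r in ((0, "fail"), (40, "fail"), (90, "ok"))]
    # 192.0.2.44: an office NAT gateway, many users, mostly successful, but fast
    lines += [line(2 * i, "192.0.2.44", f"staff{i:02d}", "fail" if i % 5 == 0 else "ok") for i in range(25)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, decision in triage(build_sample_log()).items():
        print(ip, decision)
```

The NAT gateway is classified as normal because most of its attempts succeed, but it is throttled rather than blocked because its rate is higher than one person could produce; blocking it outright would lock out an entire office. Note what this per-source view misses: the one-guess-per-day attacker described earlier never exceeds any per-minute threshold, so a complete defense also tracks failures per account across all sources and over much longer windows.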
2. Use Strong and Unique Passwords
If your password is sufficiently long and complex, the keyspace a bot has to search grows enormously, which significantly slows down brute force attempts against your credentials.
Ensure your password is at least 10 characters long and includes a combination of numbers, symbols, uppercase letters and lowercase letters. Length matters most: every extra character multiplies the number of guesses required. Also use a different password for every account, so that a breach of one site cannot be turned into a credential stuffing attack on another.
Password managers, many of them free, can generate and ‘remember’ unique, random passwords for all your accounts.
3. Multi-Factor Authentication
Multi-factor authentication (MFA), or two-factor authentication (2FA), is an additional layer of security against both credential stuffing and brute force attacks: even if your password is cracked or leaked, the attacker cannot access the account without the second factor.
Essentially, MFA means the account requires proof from at least two different categories of factor, rather than just a password:
- Something you are: a fingerprint, facial recognition, an iris/retinal scan, etc.
- Something you know: a password, PIN, answer to a secret question, etc. Two factors from this same category (a password plus a security question) do not count as MFA, and secret questions are often guessable or findable online.
- Something you have: a hardware security key or USB dongle, an authenticator app or phone that receives a one-time code, etc.
Enable MFA/2FA wherever possible, especially on accounts and systems that hold sensitive or regulated data. Bear in mind that a short one-time code is itself only a few digits, so the MFA step needs the same attempt limiting as the password step.
Conclusion
While credential stuffing and brute force attacks share an objective, they use very different techniques and exploit different weaknesses: brute force exploits weak passwords, credential stuffing exploits password reuse. Fortunately, similar defenses work against both: strong and unique passwords, multi-factor authentication, and a bot management solution that identifies and manages the malicious bot activity behind these account takeover attacks.