Skip to main content
Passportal Insights

What Is Credential Stuffing and How Do You Prevent It?

By Passportal Blogger

In their effort to protect their customers from a range of modern threats, managed services providers (MSPs) may encounter a strategy known as credential stuffing. This hacking technique involves rapidly inserting large numbers of usernames and passwords—often collected from corporate data breaches—into the login fields of other sites and digital services. 

While the success rates for credential stuffing may seem low on paper—RSA reports they average between 0.5 and 3%—it requires that hackers have access to massive volumes of credentials, which may include credit card numbers, data that could be exploited as part of a phishing scheme, and other forms of profitable data. Even if only a few credentials provide access to other accounts, the effort is often worthwhile for hackers. According to the FBI, credential stuffing has even been responsible for a large number of recent hacks carried out against banks and other financial institutions.

Credential stuffing has been used successfully by hackers throughout the past decade, as massive data breaches from popular sites like Dropbox, LinkedIn, MySpace, and others have provided hackers with millions of username and password combinations. The increased success of these hacking campaigns in recent years is due in large part to what are known as Collections 1-5, which are massive troves of login credentials aggregated from multiple data breaches and thousands of sources. These are available in plaintext via torrent and are used by enterprising hackers to push their way into vulnerable accounts. Collection 1 alone contains 772.9 million unique email addresses and 21.2 million unique passwords

The findings of a recent study demonstrate why credential stuffing is so effective: 53% of the population uses the same password for multiple accounts. Almost two-thirds of that 53% use the same password for 3 to 7 accounts, and 10% use it for 10 or more accounts. To top it all off, a disappointing 44% of survey respondents admit to using their personal passwords for their work-related accounts. This password re-use (especially across corporate and personal accounts) presents a huge security risk for MSPs and their customers. 

The role of automation in credential stuffing attacks

Manually entering millions of username and password combinations is both time-consuming and error-prone, which is why hackers leverage the advantages of automation to make credential stuffing effective. 

One potential hurdle for attacks is that the vast majority of web services and applications include baked-in rate-limiting protections and deliberate time delays, and they will often ban IP addresses after a certain number of failed login attempts. These security measures help prevent credential stuffing campaigns from making an anomalously high number of login attempts from specific devices. 

However, advances in credential stuffing software may allow hackers to sidestep these security features. For example, botnets and proxy lists are often used to mask the attack. These bounce login requests across web servers, making it seem as though the hacking attempts are actually coming from multiple distinct IP addresses and devices—allowing hackers to slip through undetected. Botnets and proxy lists are also capable of tricking sites and web applications into registering the login requests as originating from different browsers rather than a single browser type, which many web services would flag as suspicious otherwise.

The goal of these tools is to mimic and blend in with a site’s usual login traffic—and they’re highly effective. Adopting security safeguards like multifactor authentication can help combat some of these issues, but advances in surveillance technologies have highlighted how singular countermeasures often fall short on their own.

How MSPs Can Help to Prevent Credential Stuffing

The best and simplest way to protect against credential stuffing attacks is to ensure that each end user has a unique password for each of their accounts. However, this approach can be difficult to fully implement and enforce without a network password manager or credential management system that requires end users to create unique passwords. This is where MSPs can play a significant role in establishing and maintaining password security best practices for their customers.

Password managers not only allow end users to easily create unique passwords for their accounts, they act as secure password repositories—meaning passwords can be incredibly complex because users don’t actually have to commit them to memory. Many password managers also include functionality to help users routinely update passwords to prevent them from going stale, and some will even alert users if any of their credentials appear in new public data dumps and automatically trigger password resets.

Additionally, built-in multifactor authentication adds another layer of security in the event that hackers do acquire passwords. While multi-factor authentication on its own is insufficient protection, it is a critical part of hardening the security of password managers. If a credential stuffing attack lands a successful result, an additional form of identity validation through a token or SMS can help prevent unauthorized access. 

The combination of a password management system with multi-factor authentication should prevent the vast majority of credential stuffing attacks from being successful. Still, on the off chance an attack does land, or if a customer has been the victim of fraudulent activity in the past, there are a couple of additional strategies that can help prevent a future breach. MSPs can help customer companies adopt a number of new methods to help shore up their security countermeasures—without interfering with or denying access to legitimate site activity.

One such technique is to identify which credentials have resulted in fraudulent activity, and blocklist the IP address connected with the login request. If this practice is maintained over time, it can wear down the efficacy of botnet- and proxy list-based attacks. Likewise, if your customers’ users or clients are in specific geographic localities, setting up geofences can help to block traffic from proxy servers outside the usual regions. While these strategies will not necessarily block credential stuffing attempts, they will make such attacks more difficult and expensive to carry out, thereby helping to keep your customers’ services and computing environments free of fraudulent activity and potential data breaches. 

Keeping your customers protected

Credential stuffing is incredibly difficult to stop and isn’t likely to go away anytime soon. MSPs need to provide customers with a multi-faceted approach to maintaining password integrity.

A powerful credential system like N-able Passportal provides your customers with industry standard encryption, intuitive password generation and storage, and even offers end users a seamless way to manage both their private and professional passwords from the same console. Passportal helps create strong and unique passwords, while also making it simple to audit end user compliance and track specific credentials.

Furthermore, while most credential stuffing attempts use credentials culled from large corporate data breaches, they are also increasingly being used in tandem with spear phishing attacks , which some reports show are responsible for more than 90% of successful cybercrimes. Providing customers with cybersecurity awareness training and robust email filtering solutions are therefore also key to maximizing security. Utilizing an encrypted documentation and credential management tool like N-able Passportal—along with a number of other tools in an integrated ecosystem—will help MSPs prevent credential stuffing and other forms of password-oriented cyberattacks.

Additional Resources:

Welcome to the Passportal Blog

Into cybersecurity? Read up on current trends in IT Services and ensure you’re up to speed on best practices on how to grow your business.

Want to stay up to date?

Get the latest N-able tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a subscription.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site

Automated password protection with documentation management integrated with the MSP tools you already use

Manage passwords with ease