Credential stuffing is a type of cyber-attack where cyber-criminals steal login credentials from one system and try to use them to gain access to user accounts on another. This is only possible because people have a tendency to re-use login credentials on multiple websites and applications.
Credential stuffing is becoming increasingly more popular, largely due to how simple and effective it is. In fact, there are software programs that novice hackers can use which will try to login to hundreds of websites and online services using a list of credentials. Such attacks can be very costly to businesses. According to The Cost Of Credential Stuffing Report by the Ponemon Institute, “companies experience an average of 12.7 credential stuffing attacks each month”, and the average annual cost of a credential stuffing attack is $6 million. Costs are calculated based on “application downtime, loss of customers and involvement of IT security”.
Akamai Technologies – a US-based cloud service provider – recorded nearly 30 billion credential stuffing attacks in 2018. Many businesses and popular online services have fallen victim to credential stuffing attacks, some of which include Intuit, Dunkin’ Donuts, HSBC, Reddit, DailyMotion, Deliveroo and Basecamp.
How to Protect Your Business from Credential Stuffing
According to The 2019 State of Password and Authentication Security Behaviors Report, 51% of respondents reuse their passwords across business and personal accounts. 55% of respondents don’t use 2FA at work, and 69% admitted to sharing passwords with colleagues. Looking at these statistics, it is clear what kind of improvements need to be made. Below are some basic tips to prevent these attacks from being successful:
1. Have a strong password policy
This may be obvious, but it needs to be said none-the-less. Make sure that you have a strong password policy in place, and that all employees are adhering to it. A strong password is typically one that includes a mix of letters, numbers and symbols – both uppercase and lowercase, and at least 15 characters in length. Employees should never share their passwords!
2. Encourage employees to use a password manager
Naturally, if your employees are using the same credentials for every online service they use, the chances of a data breach are much higher. In this day and age, everybody should be using a password manager, such as LastPass, 1Password, or Bitwarden. A password manager will store login credentials for various online services in an encrypted vault – protected by a master password. Password managers can also generate strong/unique passwords, which help to ensure that your employees are not reusing them across multiple services.
3. Use two-factor authentication where possible
Businesses are often concerned about the costs and complexities associated with implementing 2FA, hence why it has been relatively slow to catch on. However, 2FA solutions are becoming simpler and more affordable by the year and will likely save businesses time and money in the long-run.
4. Rotate your passwords
Although Microsoft no longer recommends forcing periodic password changes, it doesn’t mean that it is a bad idea. In fact, many industry professionals still recommend it. Providing your employees are using a password manager to generate and store strong and unique passwords, periodic password changes will help to protect against Advanced Persistent Threats (ATPs). Additionally, to simplify the process, there are tools available which can automate the process of reminding users to reset their passwords.
5. Use threshold alerting to detect failed login attempts
It is a simple but effective technique for identifying and reacting to potential threats and anomalies that match a pre-defined threshold condition. For example, if x number of failed login attempts are detected within a given timeframe, a custom script can be executed to stop the attack in its tracks. The script could temporarily disable the login functionality, change the firewall settings, or even shut down the server. Threshold alerting is feature that is built-in to the Lepide Data Security Platform.
For more information on the Lepide Data Security Platform, schedule a demo with one of our engineers today.