Credential stuffing and password spraying: Defending your business

Ilaria Munari, Mon Nov 24 2025, 4 min read

Imagine someone found your house keys and tried to open every door in your street. This is similar to how cybercriminals use compromised credentials and password attacks to access business accounts.

Password spraying and credential stuffing are two tactics that cybercriminals use to break into systems and perform account takeovers. Understanding how they work can help you to strengthen your defenses.

Successful attacks can be highly damaging for businesses. They can lead to losses from theft, incident response costs, reputational damage, and loss of customer trust. Failing to safeguard customer data also brings the risk of regulatory penalties under rules such as GDPR or HIPAA.

What is password spraying?

Password spraying means using a small set of common passwords against many user accounts. The attackers start by compiling a short list of common passwords, like Password123 or Welcome. They test the passwords against a long list of potential usernames.

The attackers often target enterprise systems such as VPNs, Citrix gateways, Entra ID tenants, and Active Directory accounts, and they use automated tools, such as Hydra or SharpSpray, to expedite the process.

Crucially, they work slowly. Rather than bombarding accounts with repeated, rapid-fire login attempts, they spread the attempts across multiple accounts and leave longer intervals between them. This avoids triggering account lockouts. They also use botnets and proxy services to evade detection.

What is credential stuffing?

In credential stuffing, attackers attempt to log into accounts and systems using combinations of compromised usernames and passwords.

Unlike brute force attacks, which involve attackers guessing passwords, credential stuffing uses real data leaked in past breaches. The attackers buy stolen credentials online in underground forums and marketplaces.

Sometimes, credentials are sold as consolidated combolists. For example, Collection #1, discovered in 2019, contained more than 2 billion pairs of usernames and passwords from thousands of breaches.

With massive volumes of data to work with, the attackers use automated tools, such as Sentry MBA. They try thousands of compromised credential pairs against the target systems. Even a small success rate is enough.

Many people reuse the same passwords across multiple accounts. This means attackers can potentially break into your organization using credentials leaked from other companies.
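The two tactics leave different footprints in authentication logs: a spray run touches many accounts from one source with one or two attempts each, spread over a long period, while a stuffing run is a burst of failures spread across many sources and many accounts. The script below is an added example, not code from this article or from Cybercheck. It builds a constructed log in an assumed format (`<timestamp> auth: user=... src=... result=...`) containing legitimate traffic, one spraying source and one stuffing burst, then runs three detectors over it: the classic per-account lockout counter, a per-source "distinct accounts failed" counter for spraying, and a global failure-burst counter for stuffing. The window sizes and thresholds are assumptions to tune against your own baseline.

```python
"""Detect low-and-slow password spraying and high-volume credential stuffing
in authentication logs. Added example; log format, sample traffic and
thresholds are assumptions, not the article's or any product's own."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) auth: user=(\S+) src=(\S+) result=(success|fail)$")


def parse_line(line):
    """Parse one log line of the assumed format into an event dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "src": m.group(3), "result": m.group(4)}


def build_sample_log():
    """Constructed traffic: a few normal logins, one spraying source that tries
    12 accounts once each five minutes apart, and a 60-source stuffing burst."""
    base = datetime(2025, 11, 24, 9, 0, tzinfo=timezone.utc)
    rows = [(base, "alice", "198.51.100.5", "success"),
            (base + timedelta(minutes=3), "bob", "198.51.100.6", "fail"),
            (base + timedelta(minutes=4), "bob", "198.51.100.6", "success")]
    rows += [(base + timedelta(minutes=5 * i), f"user{i:02d}", "203.0.113.10", "fail")
             for i in range(12)]
    rows += [(base + timedelta(hours=2, seconds=2 * i), f"cust{i:03d}", f"192.0.2.{i + 1}", "fail")
             for i in range(60)]
    rows.sort()
    return [f"{ts:%Y-%m-%dT%H:%M:%SZ} auth: user={u} src={s} result={r}" for ts, u, s, r in rows]


def _bucket(ts, window):
    """Fixed-size time bucket index; whole-hour starts align to any window that divides an hour."""
    return int(ts.timestamp() // window.total_seconds())


def failures(events):
    return [e for e in events if e["result"] == "fail"]


def lockout_alerts(events, max_failures=5, window=timedelta(minutes=15)):
    """Classic per-account lockout: many failures on one account inside the window."""
    counts = defaultdict(int)
    for e in failures(events):
        counts[(e["user"], _bucket(e["ts"], window))] += 1
    return sorted({user for (user, _), n in counts.items() if n >= max_failures})


def spray_alerts(events, min_accounts=10, per_account_max=2, window=timedelta(hours=1)):
    """Password spraying: one source fails against many accounts, few tries each."""
    per_src = defaultdict(lambda: defaultdict(int))  # (src, bucket) -> user -> failures
    for e in failures(events):
        per_src[(e["src"], _bucket(e["ts"], window))][e["user"]] += 1
    alerts = [(src, len(users)) for (src, _), users in per_src.items()
              if len(users) >= min_accounts and max(users.values()) <= per_account_max]
    return sorted(alerts)


def stuffing_alerts(events, min_failures=30, min_sources=20, min_accounts=20,
                    window=timedelta(minutes=5)):
    """Credential stuffing: a burst of failures spread over many sources and accounts."""
    per_bucket = defaultdict(list)
    for e in failures(events):
        per_bucket[_bucket(e["ts"], window)].append(e)
    alerts = []
    for b, evs in sorted(per_bucket.items()):
        srcs = {e["src"] for e in evs}
        users = {e["user"] for e in evs}
        if len(evs) >= min_failures and len(srcs) >= min_sources and len(users) >= min_accounts:
            start = datetime.fromtimestamp(b * window.total_seconds(), tz=timezone.utc)
            alerts.append((start.isoformat(), len(evs), len(srcs), len(users)))
    return alerts


def analyse(lines):
    """Run all three detectors over raw log lines."""
    events = [parse_line(line) for line in lines]
    return {"lockouts": lockout_alerts(events),
            "spray": spray_alerts(events),
            "stuffing": stuffing_alerts(events)}


if __name__ == "__main__":
    for name, hits in analyse(build_sample_log()).items():
        print(f"{name:9} {hits}")
```

On the constructed log the lockout detector returns nothing at all: no account ever sees more than one failure, which is exactly why the article says sprayers work slowly. The spray detector flags 203.0.113.10 for failing against 12 accounts within the hour, and the burst detector flags the 11:00 window with 60 failures from 60 sources against 60 accounts. Per-source counting is weakened by the proxy and botnet rotation the article mentions, so in production the spray counter should also be run keyed on coarser attributes such as ASN, user-agent or TLS fingerprint.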

Key differences between password spraying and credential stuffing

The following table summarizes how password spraying and credential stuffing work, and the differences between them:

Credential stuffing vs password spraying

Identification and defense techniques for companies

To protect against password spraying and credential stuffing:

  • Define your password policy: Ensure everyone in your organization uses strong, unique passwords that they update regularly and keep secure using a password manager tool.
  • Ban weak passwords: Solutions such as Microsoft Azure allow you to ban weak or easily guessed passwords like Password123 across your entire domain.
  • Conduct penetration testing: Run simulated attacks to identify weak passwords in use. This helps you to refine your password policies and guide users to make safer choices.
  • Track volumes of login attempts: Unusually high numbers of failed login attempts are a warning sign that an attack could be underway. Monitor your number of login attempts and configure automated lockouts.
  • Use IP blocklisting and device fingerprinting: IP blocklisting can block known threat actors from attempting to access your accounts. Device fingerprinting can identify devices attempting to connect and help you to ensure that they're your legitimate users.
  • Move beyond password-based security: Deploy multi-factor authentication across all your systems, and implement alternatives to passwords, such as biometric authentication.
  • Use a cyber threat intelligence (CTI) and credential monitoring solution: Solutions such as Cybercheck continuously monitor for exposed credentials and personal data. If cybercriminals are trading information about you or your organization, we alert you immediately. That means you can proactively change your credentials and update your passwords before attackers exploit them. This is an effective defense against credential stuffing, allowing you to stop attacks before they happen.
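To make the "Define your password policy" and "Ban weak passwords" items concrete, here is an added Python example of a password-acceptance check. It is not Cybercheck's code and not Microsoft's implementation; it is loosely modelled on the scoring approach banned-password features use: undo common character substitutions so P@$$w0rd still matches "password", count each banned term found as one point and every other character as one point, and reject the password when the total falls below a threshold. Before that, it rejects any password whose SHA-1 hash appears in a breach corpus, which is the check that directly counters credential stuffing. The banned list, the substitution table, the threshold of 5, the minimum length of 8 and the two "leaked" passwords are all constructed assumptions.

```python
"""Password acceptance check combining length, breach-corpus lookup and a
banned-term score. Added example; list contents and thresholds are assumptions."""
import hashlib

# Constructed global banned list (includes the article's Password123 / Welcome examples).
BANNED_TERMS = ["password", "welcome", "summer", "contoso"]

# Common substitutions undone before matching, so P@$$w0rd still hits "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "!": "i", "$": "s",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form breach-corpus lookups commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a corpus of passwords exposed in past breaches.
LEAKED_SHA1 = {sha1_hex(p) for p in ["Summer2024!", "letmein2020"]}


def normalize(password: str) -> str:
    """Lowercase and undo substitutions; banned-term matching runs on this form."""
    return password.lower().translate(LEET)


def banned_term_score(password: str, banned=BANNED_TERMS):
    """Return (hits, points): each banned term found counts as one point,
    every other character as one point. Longer terms are matched first."""
    remaining = normalize(password)
    hits = []
    for term in sorted(banned, key=len, reverse=True):
        count = remaining.count(term)
        if count:
            hits.extend([term] * count)
            remaining = remaining.replace(term, "\x00")  # one marker character per hit
    return hits, len(remaining)


def evaluate(password: str, min_length: int = 8, min_score: int = 5):
    """Return (accepted, reason). Checks run cheapest-first."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if sha1_hex(password) in LEAKED_SHA1:
        return False, "found in breach corpus"
    hits, points = banned_term_score(password)
    if hits and points < min_score:
        return False, f"contains banned term(s) {hits}; score {points} < {min_score}"
    return True, f"accepted; score {points}"


if __name__ == "__main__":
    for candidate in ["Password123", "P@$$w0rd!", "Summer2024!",
                      "Welcome2025", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {evaluate(candidate)}")
```

Running the block shows both the strength and the limit of term scoring: Password123 normalizes to "passwordl2e" and scores 4, so it is rejected, and P@$$w0rd! normalizes to "passwordi" and scores 2. Summer2024! would have scored 6 and passed the term check, but the breach-corpus lookup rejects it first, which is the layer that matters against credential stuffing. Welcome2025 scores exactly 5 and is accepted, a reminder that the banned list is one control among several and is why the article pairs it with length requirements, monitoring for exposed credentials, and multi-factor authentication.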
