What is Credential Stuffing? And How to Defend Against It

Credential Stuffing

While credential-stuffing attacks are nothing new, they have been on the rise in recent years. For example, security researchers detected 193 billion credential-stuffing attacks worldwide in 2020, and 3.4 billion of these were in the financial sector. That’s a surge of more than 45% from the year before. And more recently, the first quarter of 2022 saw so many credential-stuffing attacks that the traffic from these attacks surpassed legitimate login attempts in some countries.

With the spike in these attacks, organizations are under pressure to develop solutions to tighten their network access control and keep cybercriminals at bay. Luckily, several security solutions can eliminate these attacks, namely passwordless authentication methods like certificate-based authentication. With this in mind, let’s explore everything you need to know about credential-stuffing attacks and how to prevent them.

What is Credential Stuffing?

Credential stuffing is a type of cyberattack wherein attackers utilize large sets of stolen username-password pairs to gain unauthorized access to user accounts. Central to this strategy is “password recycling,” where users reuse the same passwords across multiple online platforms.

In a typical scenario, cybercriminals might procure credentials leaked from one breach and then attempt to use these credentials on other sites, banking on the tendency of users to repeat passwords. For example, if a hacker obtains login details from a compromised e-commerce site, they might try those same details on popular email or social media platforms. If the user has recycled their password, the attacker can gain entry, potentially compromising more sensitive information.

Credential stuffing works because password recycling is rampant. For example, one study found that 72% of people reuse passwords in their personal life, while nearly 50% of employees simply add a character or digit to their password when a forced reset rolls around. And another worrying study found that 25% of employees use the same password across all logins.

Why Are Credential Stuffing Attacks Increasing?

The alarming increase in credential stuffing attacks is directly linked to the escalating number of high-profile and low-profile data breaches. While significant breaches capture media attention, countless smaller businesses suffer quietly, potentially compromising hundreds of records in each incident.

So, what’s fueling the growth of credential-stuffing attacks? The answer lies in the sheer abundance of stolen passwords. The underlying principle of a credential-stuffing attack is straightforward: the more stolen passwords hackers have in their arsenal, the more they can try to access other systems using those same credentials. These stolen passwords, typically a byproduct of data breaches, are frequently sold on the dark web.

This explosion in available username-password pairs offers a treasure trove for hackers, making it easier than ever to infiltrate various services and apps. The result? A vicious circle: data breaches lead to more stolen credentials, which spur more credential stuffing attacks, resulting in even more data breaches.

And the absence of modern security measures further exacerbates the situation. Multi-Factor Authentication (MFA) — an authentication method that requires users to provide two or more verification factors — is often neglected, making systems more vulnerable. Similarly, passwordless authentication methods, like certificate-based authentication, which uses digital certificates instead of traditional passwords, aren’t as widely adopted as they should be. These advanced security practices can add an extra layer of protection, making it much more challenging for hackers to gain unauthorized access.

Credential Stuffing Prevention – The Best Methods

In today’s evolving cyber landscape, the key to robust defense lies in multi-layered security.

Multi-Factor Authentication

Defined by its use of multiple verification methods — something you know (like a password), something you have (a security token or a phone), and something you are (biometric data like fingerprints or facial recognition) — MFA is a powerful adversary to credential stuffing. This is because even if a hacker obtains a user’s username and password, MFA still requires an additional verification step that the hacker will most likely be unable to bypass. It’s akin to a thief having the key to your house but still unable to get in without the alarm code.

It’s worth noting that while MFA can help prevent the majority of credential-stuffing attacks, it does have some limitations:

  • Phishing Attacks: Sophisticated phishing schemes can trick users into revealing their MFA credentials, like one-time codes.
  • Man-in-the-Middle Attacks: Cybercriminals can intercept MFA tokens in real time, allowing unauthorized access.
  • Account Recovery Loopholes: If MFA recovery processes are weak, hackers can bypass MFA by exploiting the password recovery mechanism.
  • SIM Swapping: By convincing telecom providers to switch a user’s phone number to a new SIM, attackers can hijack MFA tokens sent via SMS.
  • Social Engineering: Cybercriminals can use social engineering tactics manipulate customer service representatives or other personnel to bypass or reset MFA settings.
Secondary Passwords, PINs, and Security Questions

Besides the primary password, users can be prompted to provide an assortment of security information. This might be a PIN, select characters from an auxiliary password, or answers to personal security questions. Again, this provides an extra layer of protection that should stop a cybercriminal in their tracks.

Although layered, it’s essential to understand that secondary passwords, PINs, and security questions don’t count as MFA and still have limitations. For example, they suffer from the “same factor vulnerability,” where both primary and secondary passwords belong to the “something you know” category. Essentially, it lacks diverse authentication factors. Similarly, many users choose easily guessable information for their PINs or answers to security questions, like birthdates or a pet’s name.


CAPTCHA is a popular deterrent for automated login attempts, a backbone of credential stuffing. By making users solve a CAPTCHA, you can slow the onslaught of bots, putting a dent in their attack momentum.

However, CAPTCHAs aren’t perfect. Advanced tools can decipher them. And they’re also poor from a usability perspective – users become frustrated at solving CAPTCHAs and see it as an annoying waste of time.

Device Fingerprinting

Device fingerprinting is a technique that captures specific attributes of a user’s device, such as the browser type, version, screen resolution, and even more granular details like the set of installed fonts. By building a unique profile for each device, organizations can employ network access control mechanisms to determine whether a login attempt is coming from a recognized or unfamiliar device.

Device fingerprinting adds an extra layer of security against credential-stuffing attacks. If an attacker attempts to gain unauthorized access from an unrecognized device, the network access control can trigger additional authentication requirements or block the access attempt outright. This proactive approach makes credential stuffing significantly more challenging for cybercriminals.

Certificate-Based Authentication

Certificate-based authentication is paving the way for a more secure online realm, especially as data breaches soar. It’s a type of passwordless authentication, which, as the name implies, is a method of verifying users without requiring them to enter a password.

Certificate-Based authentication uses digital certificates to verify a user’s or device’s identity. This is much like showing an ID card in a digital context. Here’s how it works:

  1. The user or device holds a private key and a corresponding digital certificate.
  2. When trying to authenticate, the user or device shows the digital certificate to the server.
  3. The server then sends a challenge to the client, asking it to prove it has the private key.
  4. The client signs the challenge using its private key.
  5. Using the public key from the certificate, the server checks the client’s signature, confirming the client has the matching private key and authenticating it.

As data breaches rise, more companies are pivoting to certificate-based methods. Why? Traditional tools like CAPTCHAs and even Multi-Factor Authentication (MFA) can still be susceptible to attacks. However, stealing a digital certificate is notably harder than guessing a password or tricking a CAPTCHA system.

As we touched on above, while other methods can significantly enhance security, they’re not infallible. Attackers have found ways around SMS codes or can exploit weak secondary questions. On the other hand, certificate-based authentication ties the authentication to a unique digital certificate – not something easily replicated or stolen.

Benefits of Certificate-Based Authentication:
  • Enhanced Security: Digital certificates are more challenging to compromise than traditional passwords. They employ cryptographic techniques, ensuring a higher level of security and complexity compared to easily guessable or hackable traditional passwords.
  • Reduced Friction: Users don’t need to remember or change passwords periodically. Periodic password changes tend to lead to insecure human behavior, like altering previous passwords by one digit.
  • Scalability: Easily deployed across large enterprises without the hassle of managing numerous passwords.
  • Resistance to Phishing: No passwords to steal means phishing attempts are less likely to succeed.
  • Cost-Effective: Reduces the overhead of password reset requests and support related to password issues.

Final Thoughts

Credential stuffing attacks, while not a new threat, have seen a sharp rise in recent years, and this upward trend shows no signs of abating. In fact, with more and more stolen credentials making their way onto the dark web, we can expect credential-stuffing attacks to become even more prevalent in the coming years.

As a result, the need for robust security measures and stringent network access control is greater than ever. Among the available defenses, certificate-based authentication stands out as the best solution, offering unparalleled security against the ever-evolving menace of credential stuffing.

Try Portnox Cloud for Free Today

Gain access to all of Portnox's powerful zero trust access control free capabilities for 30 days!