Protecting yourself against credential stuffing

In this post, we'll talk about protecting yourself against credential stuffing by using password managers and MFA. Plus, OWASP, their Top 10 list, and web application security.

Get started with ACG and transform your career with courses and real hands-on labs in AWS, Microsoft Azure, Google Cloud, and beyond.

We've all seen it. It feels like every week there's a news story about credentials or personally identifiable information being leaked.

In response to these attacks, organizations have implemented a variety of security measures, including Web Application Firewalls (WAF) to block attacks and large Security Operations teams to monitor for attacks. Although these measures are great defensive measures against web application attacks, many end user credentials are still being compromised and unauthorized user account access continues to be an issue.

So, the question remains: How can end users better protect themselves even after their credentials are stolen?

Let's take a look at the attacks that cause web application credential compromises and the ways you (the end user) can protect yourself against them.

The practice of credential stuffing is a technique used by hackers to take over legitimate user accounts by using stolen credentials.

This attack basically consists of obtaining stolen credentials, typically from criminal sources or a recent breach, and attempting to login with the stolen credentials on a range of websites. This automated attack is so successful because people often reuse the same credentials for multiple websites.

Watch: Securing Your AWS Environment
In this free, on-demand webinar, cloud security specialist Don Magee gives a breakdown of taking complex AWS environments from zero to secure.

The obvious solution is to use different passwords for every website . . . but remembering all those passwords is a challenging task. However, there is a solution called a “password manager” that stores all your passwords in an encrypted vault.

This vault can be accessed to retrieve passwords in a quick and easy fashion while protecting you from password reuse.

Password managers effectively lowers the risk of credential stuffing so that one compromised website account does not lead to other accounts being compromised with stolen credentials.

In addition to password managers, many websites now offer the use of Multi-Factor Authentication (MFA). This means that users must authenticate using two forms of authentication in order to log into their user account.

• The first form of authentication is “something you know” which is often a username and password.
• The second form of authentication is typically a SMS text message which is considered to be “something you have” since you have to have physical access to a mobile device in order to receive the second form of authentication.
• “Something you are,” would be a biometric form of authentication like a fingerprint or facial scan.

Using MFA reduces the likelihood of account compromise since a remote hacker is highly unlikely to have access to the mobile device or fingerprint required for authentication.

With these solutions users are able to better secure their online accounts and prevent unauthorized access to those accounts. However, this is only the tip of the iceberg in terms of web application security (or web app sec).

The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to researching the topic of web application security issues and leading projects that address these issues.

The OWASP Top 10 project covers some of the most important security risks related to web applications and gives an in-depth analysis on attacks like cross-site scripting and injection. These attacks are leveraged by hackers to compromise web application databases and obtain user credentials for the credential stuffing attacks we discussed. 

Want a better understanding of web application security? Whether you're interested in learning how hackers perform these attacks, or want to learn more about defending against these attacks, our Introduction to OWASP Top 10 Security Risks course addresses both aspects. There's also a hands-on lab to practice web application hacking and take your skills to the next level.

Join A Cloud Guru and get access to all of our courses, labs, quizzes, and learning paths that take you step-by-step from novice to guru in your chosen area of the cloud. Start a free trial or check out this month's free cloud training.

You can also subscribe to A Cloud Guru on YouTube for weekly cloud news, like us on Facebook, follow us on Twitter, and join the conversation on Discord.