Credential stuffing: How to sidestep the crooks


Paul Ducklin
07/17/2024

Earlier this year, we looked at a cybercriminal attack method known in the jargon as credential stuffing, which was showing up again and again in cybersecurity news stories.

Here, we’re visiting this simple but effective attack once more, this time in a bit more detail, with some additional tips in the What to do? section at the end.

Choose your keys

Banks with safe deposit vaults don’t set them up so that every box gets the same key, for obvious reasons.

Likewise, if you had safe deposit boxes at two completely different banks, you’d be surprised if their keys turned out to be identical.

But when it comes to online accounts, some of which we use for storing secrets as important as the documents we keep in deposit boxes, we’re not always so careful.

Ironically, this happens even though we almost always get to choose our own access codes for online accounts.

In contrast, safe deposit keys are chosen and issued by the bank that’s providing you the service, and you can’t easily judge the reliability of the process they follow when issuing new keys.

As it happens, even though it’s unlikely, two safe deposit keys of yours could match, at least in theory.

There are only so many manufacturers of safe deposit boxes, only so many different sorts of lock, and only so many different physical key configurations for each lock.

For example, a lock with six levers, each of which can be set to open at five different positions (these correspond to the depth of the cut into the key at that point) has just 5⁶ = 15,625 different keys.

Even a seven-lever, seven-depth lock has a maximum of 7⁷ = 823,543 different possible key shapes.


Don’t let your safe deposit keys get into photographs. The profile of the key determines the setting, or depth, of each lever inside the lock, which can easily be worked out by superimposing a grid over a picture of the key, as depicted above, allowing a duplicate to be made.

How safe is safe enough?

In contrast, even an eight-character password consisting of upper-case letters only (A-Z) has 26⁸ = 208,827,064,576 different possibilities, which is more than 200 billion, assuming you choose randomly instead of picking PASSWORD because it’s easy to remember.

With that many combinations, it feels as though you should be safe against any attacker guessing the password to any account, even though many websites will refuse to accept basic eight-letter passwords these days on the grounds that they aren’t complicated enough.

If you try a bit harder by choosing from upper-case letters, lower-case letters and digits (A-Za-z0-9), and using 14-character passwords, you ramp up to a whopping 62¹⁴ combinations, which is 1.25 septillion, or about 2⁸⁴, which is an 84-bit binary number.

Even if you take into account the fascinating Birthday Paradox that we studied recently, you have only a minuscule risk of ending up with two accounts having the same password.

The Birthday Paradox shows that picking randomly from a set of N choices results in a so-called collision – an unexpected duplicate choice – very much more readily than most people first think.

In the case of matched birthdays, where there are 365 different choices (for computational convenience, we ignored those rare folks born on 29 February), we found that a shared birthday was more than 50% likely in a room of just 23 people, and 99% certain in a meeting with 57 people present.

That 50-50 cutover point doesn’t arrive when you pass half the number of choices (N/2), which would be 183 in the case of the set of possible birthdays or 2⁸³ in the case of our 14-character passwords, but at just over the square root of N (very close to 1.177√N, in fact), which feels worryingly counterintuitive at first.

Nevertheless, with 2⁸⁴ different possible passwords to choose from, you’d need to create more than 5 trillion accounts of your own before there was a better-than-50% chance of two accounts sharing a password, because 1.177√2⁸⁴ = 1.177 × 2⁴², which is just over 5 trillion.

And even if some random pairs of your accounts had the same password, that wouldn’t be any real use to an attacker, because they wouldn’t know which two of the 5 trillion accounts they were, or the actual password they shared.

(If the crooks had a list of all your accounts and all your passwords, they could pinpoint the collisions, but those matches would then be of academic interest only, given that they’d know every password already.)
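As an added worked example that is not part of the original article, the following Python recomputes the key-space sizes quoted above, converts them to bits, and checks the birthday figures two ways: exactly for the 365-birthday case, and with the 1.177√N approximation (which is √(2N·ln 2)) for the 2⁸⁴ password space.

```python
import math


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct keys/passwords with `length` positions, each drawn
    independently from `symbols` choices (e.g. 5 depths x 6 levers)."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """How many bits of unpredictability a uniformly random choice from that
    space carries. 62 symbols x 14 positions comes out a little under 84."""
    return length * math.log2(symbols)


def collision_probability(n: int, N: int) -> float:
    """Exact birthday probability: chance that among n independent uniform
    picks from N possibilities at least two coincide.
    1 - prod_{i=0}^{n-1} (N - i) / N, which is practical for small n."""
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= (N - i) / N
    return 1.0 - p_no_collision


def picks_for_probability(N: int, p: float) -> int:
    """Smallest n such that collision_probability(n, N) >= p (small N only)."""
    n = 1
    while collision_probability(n, N) < p:
        n += 1
    return n


def birthday_bound(N: int, p: float = 0.5) -> float:
    """Approximate n for collision probability p: sqrt(2 N ln(1/(1-p))).
    For p = 0.5 this is sqrt(2 ln 2) * sqrt(N) = 1.177 * sqrt(N)."""
    return math.sqrt(2 * N * math.log(1 / (1 - p)))


if __name__ == "__main__":
    print("6-lever, 5-depth lock keys:", keyspace(5, 6))
    print("8 upper-case letters:", keyspace(26, 8))
    print("14 chars from 62 symbols, bits:", round(entropy_bits(62, 14), 2))
    print("people for 50% shared birthday:", picks_for_probability(365, 0.5))
    print("people for 99% shared birthday:", picks_for_probability(365, 0.99))
    print("accounts for 50% password collision at 2^84:",
          f"{birthday_bound(2 ** 84):.3e}")
```

Note that the exact product would take far too long for N = 2⁸⁴, which is why the square-root approximation is the tool for large spaces; for N = 365 both methods agree on 23.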

Theory versus practice

Surely, then, a randomly-chosen 14-character password should be more than safe enough against most, if not all, types of cyberattack?

In theory, yes.

But as the old saying goes (variously attributed to Yogi Berra, Richard Feynman and Albert Einstein, but probably coined by early American industrialist Benjamin Brewster), “In theory, theory and practice are the same. But in practice, they aren’t.”

Password size, it turns out, isn’t everything.

Judging a password just by its length isn’t sufficient, because length alone doesn’t make a password unpredictable.

By some accounts, for example, when Apple increased the shortest legal iPhone lock code length from four digits to six digits, the most common lock codes shifted from 1234 to 123456, and from 0000 to 000000.

The new codes were 50% longer, but just as obvious and easy to guess.

(Modern phone lock codes, like bank chip PINs, can safely be much shorter than regular passwords because they are handled in a tamperproof chip that will unavoidably wipe itself after a small, fixed number of failed attempts. But online passwords can’t provide this sort of certainty, and therefore need to be complex enough to survive an essentially unlimited sequence of guesses.)

Quite how passcode surveys know what millions of people actually used as their phone lock codes is rarely explained, given that those codes are never transmitted over the internet and can’t easily be extracted from the phone, if at all. So these ‘studies’ may simply reflect the fake answers that people came up with when asked a question that didn’t deserve a valid answer. But the examples nevertheless reflect the problem of relying on what humans think of as ‘extra complexity’.

Patterns reduce complexity

Passwords don’t become significantly more difficult to guess as they get longer if they follow some sort of algorithm or pattern, or if they are selected from a predictable set of known choices.

Attackers are unlikely to try the password ENTOMOLOGICAL before they try PASSWORD, or even before they try obvious variants such as PA55WORD or Pas55word!, but both words appear in even the most basic online dictionaries.

As a result, ENTOMOLOGICAL is almost certain to be tried out by an automated password cracker long before the shorter but less likely JHDPO6VZ.

Fortunately, most online services these days impose what’s known as rate limiting to stop attackers from guessing at a single user’s password over and over again rapidly, which limits the reach of so-called dictionary or guessing attacks.

Unfortunately, rate limiting only works if there is no way to test a password other than by interacting with a website’s official login page, where such limiting can be enforced.

If a website maintains a database of passwords, even if they’re cryptographically scrambled to prevent the original password data from simply being read out in plaintext form, and that database gets stolen in a breach…

…then attackers can test their password guesses against the stolen database directly, using program code of their own choice, without any limit on the speed or quantity of their tries.

They can also harness any number of processors or computers at the same time, to try out thousands or millions of different passwords in parallel.

Fortunately, well-managed password databases take precautions that increase the time needed to test each password, which slows down regular online logins slightly but not enough to be inconvenient (an extra second to verify your password every time you log in makes little difference to usability), while at the same time making automated password guessing programs too slow to be useful.
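The two server-side precautions just described, per-account rate limiting for the official login path and a deliberately slow password hash for the stored database, as an added example in Python. This is not code from the original article or from any particular product: it uses PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt, an iteration count that is an assumed value chosen for illustration, and a simple in-memory failure counter per account.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

# Work factor: each verification costs this many HMAC rounds. Assumed value
# for the example; tune it so one login takes a noticeable fraction of a second.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Return (salt, digest, iterations) to store instead of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so a mismatch leaks nothing about where it differs.
    return hmac.compare_digest(candidate, digest)


class RateLimiter:
    """Allow at most `max_attempts` failed logins per account per `window` seconds."""

    def __init__(self, max_attempts: int = 5, window: float = 300.0):
        self.max_attempts = max_attempts
        self.window = window
        self._failures: Dict[str, deque] = defaultdict(deque)

    def allowed(self, account: str, now: float) -> bool:
        q = self._failures[account]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return len(q) < self.max_attempts

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account].append(now)


def login(store: Dict[str, Tuple[bytes, bytes, int]], limiter: RateLimiter,
          account: str, password: str, now: float) -> str:
    """The official login path: returns 'ok', 'denied' or 'throttled'."""
    if not limiter.allowed(account, now):
        return "throttled"
    entry = store.get(account)
    if entry is None:
        # Hash a dummy value so unknown accounts cost the same time as real ones.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
        limiter.record_failure(account, now)
        return "denied"
    salt, digest, iterations = entry
    if verify_password(password, salt, digest, iterations):
        return "ok"
    limiter.record_failure(account, now)
    return "denied"


def guesses_per_second(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure how many candidate passwords this machine can test per second at
    the given cost: the per-core offline rate that the work factor imposes."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    store = {"alice": hash_password("correct horse battery")}
    limiter = RateLimiter(max_attempts=5, window=300.0)
    print(login(store, limiter, "alice", "correct horse battery", time.time()))
    print(f"offline guesses/sec at {ITERATIONS} iterations: {guesses_per_second():.1f}")
```

The rate limiter only protects the login form; the work factor is what protects a stolen copy of the table, because an attacker with the database pays the same per-guess cost as the server does, multiplied across every candidate they want to try.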

In short, if you will pardon the play on words, online passwords should not only be as long as you can conveniently tolerate, but also be as unpredictable as you can make them.

This helps to ensure that they can’t easily be figured out from personal information on your social media pages, guessed from your favourite songs, or found even in the most extensive word lists.

Ideally, you’ll use some sort of random password generator, such as a password manager application, that can come up with long, pseudorandom concoctions such as DgCQCt5W6nx+RWXn as easily as you can think of BESTNOTTOUSETHIS, and can remember a different password for every service you use.

One long doesn’t equal two short

Password managers, however, come with challenges of their own.

Firstly, you need to find one you trust, given that it may end up holding all the keys to all your online castles.

Secondly, you need to learn how to install and use it on all the devices from which you might access your accounts, and how to keep your own password database safely and securely consistent across those devices.

Thirdly, you need to come up with a master password of your own that you can remember, so you can unlock the password manager itself to give it access to the rest of your passwords.

But if you’re going to the trouble of inventing a memorable but hard-to-guess password or passphrase of your own anyway, which could be a random choice of four different words, such as backstoryoctopusairplaneBaltimore, or a coded phrase such as I simply wasn't yet ready to commit to a password manager for everything that you translate mentally into ISw'tyR2c2aPM4e…

…well, why not simply commit that password to memory and then use it for everything?

The problem, of course, is a cyberattack known by the vaguely confusing name of credential stuffing, where ‘credential’ is really just a fancy way of saying ‘password’.

At first reading, credential stuffing sounds very much like a guessing attack, or even what’s known as a brute force attack, where cybercriminals aim to try every possible password if the range is known in advance.

(A brute force attack is rather like trying to open a bicycle combination lock by spinning the dials through every combination from 0-0-0 to 9-9-9 in sequence until it pops open at the right number.)

But the jargon term credential stuffing refers to an attack based on breadth, not on depth.

If the crooks find out any one of your passwords, they will typically try that same password on every online account that they think belongs to you, just as soon as they can.

That way, if you have re-used that password on a second site or service, the attackers immediately compromise two accounts for the price of one, without running up against any rate limits.

In practice, the crooks may try multiple similar or related passwords on each account, thus mounting a mini-dictionary attack of sorts, such as adding sequence numbers or account abbreviations if they suspect you might have varied the master password slightly for each account.

For example, if they get hold of your Facebook password and notice that it is rAnDomT3xt-fb, then rAnDomT3xt-gm would be a good guess for your Google password.

After all, if the text -fb is a mnemonic that you added for Facebook, then -gm makes a likely choice for Gmail.

Simply put, in a credential stuffing attack, the criminals don’t stuff lots of different passwords into a single login form in the hope that they can figure out your password for that account.

They stuff a single password from one account into as many other login forms as they can think of, in the hope that they can quickly find a way into other accounts at the same time.
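To make the breadth-versus-depth distinction concrete from the defender’s side, here is an added Python example, not from the original article, that scans a few constructed login-log lines for the stuffing pattern: one source trying many distinct accounts with roughly one attempt each, so that a per-account failure limit never fires. The log format, the IP addresses (documentation ranges) and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real data): timestamp, source IP, account, outcome.
# 203.0.113.7 tries ten different accounts once each within seconds (stuffing).
# 198.51.100.9 hammers one account (a per-account limiter's job, not this one).
SAMPLE_LOG = """\
2024-07-17T09:00:01Z 203.0.113.7 alice FAIL
2024-07-17T09:00:02Z 203.0.113.7 bob FAIL
2024-07-17T09:00:02Z 203.0.113.7 carol FAIL
2024-07-17T09:00:03Z 203.0.113.7 dave OK
2024-07-17T09:00:04Z 203.0.113.7 erin FAIL
2024-07-17T09:00:05Z 203.0.113.7 frank FAIL
2024-07-17T09:00:05Z 203.0.113.7 grace FAIL
2024-07-17T09:00:06Z 203.0.113.7 heidi FAIL
2024-07-17T09:00:06Z 203.0.113.7 ivan FAIL
2024-07-17T09:00:07Z 203.0.113.7 judy FAIL
2024-07-17T09:01:00Z 198.51.100.9 alice FAIL
2024-07-17T09:01:20Z 198.51.100.9 alice FAIL
2024-07-17T09:01:45Z 198.51.100.9 alice OK
2024-07-17T09:02:00Z 192.0.2.44 bob OK
"""

Event = Tuple[datetime, str, str, str]


def parse(line: str) -> Event:
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome


def find_stuffing_sources(log_text: str,
                          window: timedelta = timedelta(minutes=5),
                          min_accounts: int = 8,
                          max_attempts_per_account: float = 2.0) -> Dict[str, dict]:
    """Flag source IPs that, within `window`, touch at least `min_accounts`
    distinct accounts with a low attempts-per-account ratio. Returns, per
    flagged IP, the breadth seen and which accounts it logged in to."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    per_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, ip, account, outcome in events:
        per_ip[ip].append((ts, account, outcome))

    findings: Dict[str, dict] = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_events = evs[start:end + 1]
            accounts = {a for _, a, _ in window_events}
            ratio = len(window_events) / len(accounts)
            if len(accounts) >= min_accounts and ratio <= max_attempts_per_account:
                # The OK outcomes are the accounts where the reused password worked.
                compromised = sorted({a for _, a, o in window_events if o == "OK"})
                findings[ip] = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(window_events),
                    "compromised": compromised,
                }
    return findings


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The accounts listed under "compromised" are the ones to force a password reset on and to review for follow-on activity; the single-account source is left to ordinary per-account throttling, which is exactly the control the breadth-first pattern is designed to slip past.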

Size isn’t anything

In an attack like this, size definitely isn’t everything.

In fact, size isn’t anything, given that the crooks probably didn’t acquire your password by cracking it, or by trying billions of choices over many months of determined attacking.

They could have got hold of that known-good password in its full and final form, regardless of its length and complexity, in many different ways, including:

  • From a data breach at one of the sites you use. Even on websites that go out of their way to keep their password databases in a hard-to-crack form, passwords may get saved into logfiles by mistake, or grabbed directly out of memory on servers infected with malicious code. So-called RAM scraping malware aims to find passwords in memory during the brief instant they are processed during login. Sadly, there is no way of being certain just how securely each site looks after your login data, and even data-gathering behemoths such as Google and Facebook have made plaintext password-logging blunders in the past.
  • Using keylogging malware implanted on your computer. Keyloggers monitor what you type in the hope of capturing your passwords. Keyloggers often watch for additional tell-tales such as on-screen window titles, program names and active website URLs that give away when you are most likely to be logging in, thus automatically homing in on the text most likely to constitute a typed-in password.
  • From a compromised kiosk computer you used in an emergency while on vacation. If you’re in a hurry and need to access an important email or to print out an airline boarding card, you may end up using a shared computer provided at a hotel or in an airport lounge. These computers are often insecure, and are subject to potential tampering or misuse by thousands of previous travellers.
  • By bribing a “friend” or colleague of yours who just happens to know the password. You may have shared a password, even a complex one, with a friend or colleague whom you thought you could trust. The problem with shared passwords, as Benjamin Franklin rather crudely put it, is that “three may keep a secret, if two of them are dead.”
  • By luring you to a phishing site where you entered the right password into the wrong form. Fake login pages, often on websites that are almost perfect visual copies of the real thing, are still a dangerously effective way for criminals to acquire not only full passwords, no matter how long and complex, but also any MFA (multi-factor authentication) codes needed as well.
  • By spotting you typing in that password while you are out-and-about. Although so-called shoulder surfing isn’t a primary way for crooks to steal passwords, attackers don’t need to choose you as a target in advance. Even a complex password can be recovered from an opportunistic video recording made with an innocent-looking mobile phone.
  • By unlawfully acquiring CCTV footage from somewhere you used that password. Ironically, if understandably, areas where you are likely to enter sensitive data, notably including your mobile phone unlock code or the PIN for your bank card when making payments, are also areas that will probably be under video surveillance. You have no way of knowing how securely that surveillance footage is handled by the business that collected it.

What to do?

Here are some practical, human-centric tips:

  • Never use the same password on more than one site. That way, poor security practices by one online service won’t automatically compromise your password on other sites.
  • Don’t ignore warnings from your endpoint security software about suspicious activity relating to memory, screen, or keyboard access.
  • Be aware of your surroundings when using your digital devices. You don’t need to become overly suspicious of everyone, but take note of locations where your typing could easily be recorded without you noticing, such as through windows, from behind your back, or via visible security cameras.
  • Shield your typing whenever necessary, or change your seat if you are using your laptop in an obviously exposed location. Always cover your typing hand with your other hand when entering your bank card PIN. (Hint. Most numeric keypads have a raised dot on the central 5 key, which helps you find the right digits even if you can’t see them.)
  • Avoid kiosk or shared computers if you can. You have no idea who has used them before you, or if malware has been implanted onto the computer, whether by accident or design.
  • Use MFA (one-time login codes) for services that support them. One-time MFA codes such as those generated by your phone can easily be stolen in a phishing attack, so they aren’t a perfect solution, but they do make a stolen password much less useful on its own.
  • Consider using so-called passwordless logins for services that support them. You may be able to use your mobile phone as a secure device to enable this sort of login, or you may choose to purchase a third-party solution such as a Yubikey that can take care of the cryptographic part of the process.
  • Be especially careful with your email password. Even if you prefer instant messaging services for keeping in touch, your email account will often be the ‘recovery vehicle’ for accounts you are locked out of, or for security confirmations when you want to change passwords on other accounts. Cybercriminals therefore prize email access very highly, given that it may be a fast way into many or most of your other accounts.
  • Don’t tell other people your passwords, no matter how much you trust them. You may want to set up a recovery process for your prized accounts so your next-of-kin can access them if something terrible happens to you, but try to avoid simply telling them your current passwords. Anyone who uses your personal password automatically shows up as if they were you in any security logs. This makes fraudulent access to your account harder to detect and prevent.

A small but reasonable amount of password caution goes a long way!


Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!


More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image of safe deposit boxes by Tim Evans via Unsplash.
