Credential stuffing is all over the news at the moment. We explain what it is and look into why it is causing a rift between service providers and users, and we ask the all-important question, “Who should bear the cost?”
Cybersecurity is awash with jargon, and some of it is troublesome because it is ambiguous, or poorly-chosen, or just plain wrong.
An excellent example is the phrase password rotation, which is widely used by sysadmins and cybersecurity practitioners who should know better, and even by experts who do know better but are happy to stick with the crowd.
What they really mean is ‘changing your passwords to something completely new’, not any sort of rotation at all, which implies a regular and repeating cycle in which old passwords eventually return, like the time on a clock face.
Another fascinating example of cybersecurity jargon is the commonly used phrase credential stuffing, which can quite reasonably be interpreted in several different ways.
Firstly, the word ‘credentials’ is used by computer scientists to refer to many digital identifiers, including passwords, cryptographic keys, one-time login codes, and more.
Secondly, the verb ‘stuffing’ is often associated with ‘cramming full, perhaps even to overflowing’, so you might expect that credential stuffing refers to an attempt to crash a computer or an online service right at the first login prompt by sending more data than the programmer expected, in an attack known as a buffer overflow.
You might also associate ‘stuffing’ with putting lots of different items into the same input field in turn, in the same way that you talk about individual diners ‘stuffing themselves with food’ at a multi-course banquet.
This could take the form of a dictionary attack, where criminals try millions of likely passwords in sequence, starting with aardvark, anxiety, axiomatic… and ending with …Zambia, zombie, zymurgy.
Or it could refer to an even more extreme sort of cracking attack known as brute force, where the crooks try every possible combination, no matter how unlikely, running from AAAAA, AAAAB, AAAAC… all the way to …ZZZZX, ZZZZY, ZZZZZ.
The everyday definition
Most of the time you see the words ‘credential stuffing’, the word ‘credential’ simply means password, and the word ‘stuffing’ means that the crooks try the same password on every account of yours they can think of.
They aren’t trying to crash the authentication process by overstuffing a memory buffer; instead they are aiming to authenticate officially in the simplest and most genuine-looking way they can.
And they aren’t looking to stuff millions of passwords into the login prompt of one account to guess their way in; instead they are taking a password that works on one account and seeing if it unlocks your other accounts as well.
One of the reasons (or more precisely two simultaneous reasons) why we hear a lot about credential stuffing in the media is that it is incredibly simple to implement, and yet still surprisingly effective.
This sort of ‘password repetition’ attack is a low-tech approach that doesn’t require millions of consecutive network packets aimed at a single account (which might stand out, or get slowed down, or automatically blocked altogether), and it doesn’t depend on victims choosing passwords that are easy to guess.
Indeed, some users seem to think that they can stay ahead of the crooks simply by not using an obvious password, so they carefully memorise just one super-complex sequence of characters, and then use it on every account.
The problem with this, of course, is that if any one of the online services you use should leak your one-size-fits-all password, whether through poor programming, weak security controls, corrupt internal staff, or insurmountable pressure from morally bankrupt authorities…
…then that service just gave away your digital master key, thus indirectly compromising all your accounts in one go.
Credential stuffing as subterfuge
Simply put, the crooks try exactly one highly probable password just once against each account, instead of very suspiciously trying 1,000,000 different possible passwords against each of your accounts in turn.
It doesn’t matter how they got hold of that initial master-key password, and they might not have needed any technical skills to do so.
They may simply have bought it on the cyberunderground from an online stolen password merchant, known in the trade as an IAB, or initial access broker; they may have stumbled across it in a stolen logfile; or they may have acquired it via zombie malware on your own computer that snooped on your keystrokes as you were typing.
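Because stuffing touches each account only once, the usual per-account lockout or rate limit never fires; what does stand out is one source trying many different usernames in a short window. The following detection logic is an added example for this article (not the author’s code) and runs over a constructed sample log; the thresholds and the log format are assumptions.

```python
# Added example: distinguishing credential stuffing from brute force in auth logs.
# Brute force = many attempts on one account; stuffing = one attempt on many accounts.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result" (documentation IP ranges)
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 alice FAIL
2024-01-01T10:00:01 203.0.113.7 bob FAIL
2024-01-01T10:00:02 203.0.113.7 carol OK
2024-01-01T10:00:03 203.0.113.7 dave FAIL
2024-01-01T10:00:04 203.0.113.7 erin OK
2024-01-01T10:00:06 198.51.100.9 alice FAIL
2024-01-01T10:00:07 198.51.100.9 alice FAIL
2024-01-01T10:00:08 198.51.100.9 alice FAIL
2024-01-01T10:00:10 192.0.2.33 grace OK
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def brute_force_sources(events, threshold=3):
    """Per-account view: a source hammering one username with many attempts."""
    counts = defaultdict(int)
    for _, ip, user, _ in events:
        counts[(ip, user)] += 1
    return sorted({ip for (ip, user), n in counts.items() if n >= threshold})

def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Per-source view: many distinct usernames in one window, each tried only once or twice."""
    buckets = defaultdict(lambda: defaultdict(int))  # (ip, window_start) -> username -> attempts
    for ts, ip, user, _ in events:
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets[(ip, start)][user] += 1
    return sorted({ip for (ip, _), users in buckets.items()
                   if len(users) >= min_users and max(users.values()) <= max_per_user})

def accounts_to_reset(events, flagged_sources):
    """Successful logins from a flagged source are likely takeovers via a reused password."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged_sources and result == "OK"})
```

On the sample, the per-account rule flags only the brute-force source, while the per-source rule flags the stuffing source and points at the two accounts (carol, erin) whose reused passwords worked and should be reset.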
The most obvious way to avoid this risk is to make sure you have a different password for every account, and you’ve probably seen warnings along those lines hundreds of times in recent years in advice that usually boils down to, “Don’t re-use passwords.”
Not our fault, so it must be yours
But you’ve probably also seen articles with the words ‘credential stuffing’ in a slightly different context, namely when a vendor or service provider is certain that it hasn’t itself suffered a breach and wants to reassure the world in the face of widespread reports of its users suffering account takeovers.
“It’s not our fault,” the vendor will understandably want to say. “Our site doesn’t have a cybersecurity hole (that we know of, anyway), and we have not been breached (at least according to the evidence we chose to collect). It’s all down to credential stuffing, based on passwords that were not stolen from us.”
What they’re implicitly saying, of course, is, “Don’t blame us. It’s your own fault. You shouldn’t have re-used the same password on multiple sites.”
And that raises three uncomfortable questions.
Whose fault is it? Whose responsibility is it? And who should pay to fix it?
What to do?
Four partial solutions spring immediately to mind:
- Two-factor authentication (2FA) can help. That’s where you need to put in a one-time code, typically sent by text message or generated by an app on your phone, as well as your password, so that your password is not enough on its own for anyone to log into your account.
- Password managers can help. These apps keep a database of all your passwords, automatically generating random, different, complicated passwords for each account and therefore discouraging or even preventing password re-use.
- Passkeys can help. These are secure cryptographic devices, typically in the form of a USB key (or perhaps an app on a modern mobile phone) that takes care of the authentication process using secure hardware-based storage that can’t be cloned or copied. (Your mobile phone SIM card, if you still have one, is one example of a dedicated security device of this sort.)
- Having fewer accounts can help. If you actively shut down accounts you aren’t using, instead of letting them lie dormant, there are fewer avenues for compromise of your digital identity, no matter what sort of authentication you use.
So, who needs to do what?
Vendors need to wear the cost of making 2FA available on the accounts they provide, but we users need to be willing to accept the modest inconvenience of using it.
Password managers remain a personal choice, so they aren’t something that vendors can require us to use. They also introduce the risk that you really do end up with one master key to all your accounts, and it’s hard to know just how much you can trust the makers of these apps, given how critical they become to the security of your digital identity.
Passkeys are another solution that vendors have to wear the cost of supporting, but that we users need to buy and set up for ourselves (fortunately, one hardware passkey can typically support numerous accounts). As with 2FA, we need to tolerate the mild inconvenience of using them, and to accept that we must carry the passkey with us all the time.
The last suggestion above, about keeping fewer accounts overall, is clearly something that we users can strongly influence, but it is also the one suggestion where vendors visibly need to take the primary role.
Fewer accounts that are easier to shut down
As a digital society, we desperately need to throw out the behaviour enforced by many vendors these days, namely demanding that we create an account, including setting up a username and a password, and supplying all sorts of personal data, before we can interact with them at all.
Even if our intention is just to browse, or to purchase a single item, or to interact with a vendor just once, many sites firmly insist that we create an account, and glibly assume that we will.
We need to become a digital society where humans come first.
When we users decide that we don’t want an online account anymore, there must be a simple and reliable way to get rid of it, and details of how to shut down the account must be very clearly explained before we create it in the first place.
Having said all that, we do need to go back to basics.
DON’T RE-USE PASSWORDS!
There is no such thing as an ‘unimportant account’ or a ‘don’t care’ online service, because it’s your own good name that is at risk if the account gets taken over, whether your money is at stake or not.
PS. If there are any knotty topics you’re keen to see us cover, from malware analysis and exploit explanation all the way to cryptographic correctness and secure coding, please let us know. DM us on social media, or email the writing team directly at firstname.lastname@example.org.
More About Duck
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!