OWASP Automated Threats Explained - Credential Cracking | Credential Stuffing

December 29, 2016

Credential cracking and credential stuffing are two of the ways that hackers use bots to compromise your website security.

Credential cracking is an attack on the account login page of a website. Hackers start with a list of usernames but no passwords. By dispatching their bot army, they brute-force the login, trying a library of commonly known passwords against each username on the list. If a login attempt succeeds, the hacker changes the password and now owns the account, locking the real account holder out.

Even worse, the hacker then manually tests those successfully cracked credentials against other sites on the internet. Because people reuse the same credentials across multiple sites, the hacker hijacks multiple accounts belonging to one person. That person, call him Joe, must now contact every one of those websites to unlock his accounts, and each company must handle the request courteously to avoid damaging the customer relationship.

When this technique of trying credentials on other sites is automated with bots, it is called credential stuffing, and it spikes after a significant breach. When the Ashley Madison breach was announced, millions of credentials became available for hackers to test, using bots, against websites all over the internet. Wherever those credentials had been reused, the bots quickly gained access and alerted the hacker, who then hijacked the account. This explains why companies around the world see a massive spike in failed login attempts on their websites after a major breach announcement, and why they must absorb the cost of verifying and unlocking accounts for genuine customers.
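The failed-login spike described above is the signal a defender can watch for. The following is an added example, not Distil Networks' code: it reads constructed login-audit lines in an assumed `<timestamp> <source_ip> <username> <SUCCESS|FAIL>` format, flags sources that cycle through many distinct usernames with a high failure rate (the cracking and stuffing pattern), and lists the accounts those sources did get into so they can be reset. The thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample in the assumed format "<ts> <src_ip> <username> <SUCCESS|FAIL>":
# one source cycles through many usernames with near-total failure, the other
# is a genuine user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2016-12-29T10:00:01 203.0.113.7 alice FAIL
2016-12-29T10:00:01 203.0.113.7 bob FAIL
2016-12-29T10:00:02 203.0.113.7 carol FAIL
2016-12-29T10:00:02 203.0.113.7 dave FAIL
2016-12-29T10:00:03 203.0.113.7 erin SUCCESS
2016-12-29T10:00:03 203.0.113.7 frank FAIL
2016-12-29T10:01:10 198.51.100.4 alice FAIL
2016-12-29T10:01:20 198.51.100.4 alice SUCCESS
"""

def parse_line(line):
    ts, src, user, outcome = line.split()
    return ts, src, user, outcome == "SUCCESS"

def summarize_sources(log_text):
    """Per source IP: attempts, failures, distinct usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in filter(str.strip, log_text.splitlines()):
        _, src, user, ok = parse_line(line)
        s = stats[src]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
    return stats

def flag_stuffing(log_text, min_attempts=5, min_users=4, min_fail_ratio=0.7):
    """Sources whose pattern matches automated credential testing: many attempts
    spread over many distinct usernames, mostly failing. A real user retyping a
    password hits one username, so it is not flagged. Thresholds are assumptions;
    tune them to the site's own baseline of normal failed logins."""
    flagged = {}
    for src, s in summarize_sources(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and ratio >= min_fail_ratio):
            flagged[src] = {"users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged

def suspect_successes(log_text, **thresholds):
    """Usernames that logged in successfully from a flagged source: the accounts
    to reset and notify, since the bot operator now holds working credentials."""
    bad = flag_stuffing(log_text, **thresholds)
    return {user for _, src, user, ok in map(parse_line, filter(str.strip, log_text.splitlines()))
            if ok and src in bad}
```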

Ready for the good news? Distil Networks blocks every OWASP automated threat.
