OWASP Automated Threats Explained - Credential Cracking | Credential Stuffing

December 29, 2016

Credential cracking and credential stuffing are two of the ways that hackers use bots to compromise your website security.

Credential cracking is an attack on the account login page of a website. Hackers start with a list of usernames but no passwords. They dispatch a bot army to brute-force the login, trying a library of commonly used passwords against each username on the list. If a login attempt succeeds, the hacker changes the password and now owns the account, locking the real account holder out.

Even worse, the hacker then manually tests those successfully cracked credentials against other sites on the internet. Because people reuse the same credentials across multiple sites, the hacker hijacks multiple accounts belonging to one person. The account holder, call him Joe, must now contact all those other websites to unlock his accounts, and each of those companies must handle his request courteously to avoid damaging the customer relationship.

When this technique of trying credentials on other sites is automated by bots, it is called credential stuffing, and it spikes after a significant breach. When the Ashley Madison breach was announced, millions of credentials became available for hackers to test against websites all over the internet using bots. Wherever those credentials were reused, the bots quickly gained access and alerted the hacker, who then hijacked the account. This explains why companies around the world see a massive spike in failed login attempts on their websites after a major breach announcement, and why they must absorb the cost of verifying and unlocking accounts for genuine customers.
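The two attacks described above leave different shapes in a login log: cracking hammers a few accounts with many passwords, while stuffing touches many accounts about once each. The following added example (not from the original article or from Distil) classifies each source address by that shape over a small constructed auth log and lists the accounts a site would need to re-verify; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not from the original page): one login attempt per line.
SAMPLE_LOG = """\
2016-12-29T10:00:01Z src=203.0.113.5 user=alice result=fail
2016-12-29T10:00:02Z src=203.0.113.5 user=alice result=fail
2016-12-29T10:00:03Z src=203.0.113.5 user=alice result=fail
2016-12-29T10:00:04Z src=203.0.113.5 user=alice result=success
2016-12-29T10:00:05Z src=198.51.100.7 user=bob result=fail
2016-12-29T10:00:06Z src=198.51.100.7 user=carol result=fail
2016-12-29T10:00:07Z src=198.51.100.7 user=erin result=success
2016-12-29T10:00:08Z src=198.51.100.7 user=frank result=fail
2016-12-29T10:00:09Z src=192.0.2.9 user=grace result=success
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict of the key=value fields."""
    _, *fields = line.split()
    return dict(f.split("=", 1) for f in fields)

def classify_sources(log_text, min_attempts=4, min_fail_ratio=0.6):
    """Label each source IP by the shape of its failed logins:
    'credential_cracking' = many attempts against few accounts (a password
    library run down a username list), 'credential_stuffing' = about one
    attempt each across many accounts (breached pairs replayed), else 'normal'."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for rec in map(parse_line, log_text.splitlines()):
        s = stats[rec["src"]]
        s["attempts"] += 1
        s["fails"] += rec["result"] == "fail"
        s["users"].add(rec["user"])
    labels = {}
    for src, s in stats.items():
        per_user = s["attempts"] / len(s["users"])
        if s["attempts"] < min_attempts or s["fails"] / s["attempts"] < min_fail_ratio:
            labels[src] = "normal"  # too quiet, or mostly genuine successes
        elif per_user >= 3:
            labels[src] = "credential_cracking"
        elif len(s["users"]) >= 3 and per_user <= 1.5:
            labels[src] = "credential_stuffing"
        else:
            labels[src] = "normal"
    return labels

def accounts_to_verify(log_text):
    """Accounts that logged in successfully from a flagged source: the customers
    the site must contact and re-verify rather than trust that session."""
    flagged = {src for src, lbl in classify_sources(log_text).items() if lbl != "normal"}
    return {r["user"] for r in map(parse_line, log_text.splitlines())
            if r["src"] in flagged and r["result"] == "success"}
```

On the sample log the first source is labelled credential cracking, the second credential stuffing, and alice and erin are the accounts whose successful logins need verification.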

Ready for the good news? Distil Networks blocks every OWASP automated threat.


Previous Flipbook
Bot Detection And Defense For Mobile Apps | Data Sheet
Bot Detection And Defense For Mobile Apps | Data Sheet

Most APIs back basic capabilities for detect and block bots. Learn how Distil protects apps from bad bots a...

Next Article
Infographic: The Inconvenient Truth About API Security
Infographic: The Inconvenient Truth About API Security

The Inconvenient Truth About API Security: Infographic. Who should be responsible to API Security? API Dev...