OWASP Automated Threats Explained - Credential Cracking | Credential Stuffing

December 29, 2016

Credential cracking and credential stuffing (OAT-007 and OAT-008 in the OWASP Automated Threat Handbook) are two of the ways that attackers use bots to compromise your website's accounts.

Credential cracking is an attack on a website's login page. The attacker starts with a list of usernames but no passwords, then dispatches a bot army to try a library of commonly used passwords against each username by brute force. When an attempt succeeds, the attacker changes the password, locking the real account holder out and taking over the account.

Even worse, the cracked credentials are then tested by hand against other sites on the internet. Because people reuse the same username and password across multiple sites, one cracked login can hand the attacker several of that person's accounts. The victim must now contact each of those sites to recover the accounts, and each company has to handle the request courteously to avoid damaging the customer relationship.

When this testing of credentials against other sites is automated with bots, it is called credential stuffing, and it spikes after every significant breach. When the Ashley Madison breach was announced, millions of credentials became available for attackers to test, using bots, against websites all over the internet. Wherever those credentials had been reused, the bots quickly gained access and alerted the attacker, who then hijacked the account. This is why companies around the world see a massive spike in failed login attempts after a major breach announcement, and why they have to absorb the cost of verifying and unlocking accounts for genuine customers.
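The two patterns described above leave different fingerprints in a site's authentication log: a cracking bot hammers a handful of usernames with many passwords each, while a stuffing bot tries each leaked username/password pair roughly once across a large number of accounts. The following is an added example, written for this page and not code from Distil Networks or OWASP, that aggregates a simple auth log per source IP and applies heuristic thresholds to label each source. The log format (`timestamp src_ip username OK|FAIL`), the sample lines, and every threshold are assumptions chosen for illustration; tune them against real traffic.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    """Per-source-IP counters for one observation window."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


# Heuristic thresholds: assumptions for this example, not vendor or OWASP values.
MIN_ATTEMPTS = 10         # ignore sources below this volume in the window
MIN_FAIL_RATIO = 0.8      # share of attempts that failed
CRACK_RATIO = 4.0         # attempts per username typical of walking a password list
STUFF_MIN_USERS = 10      # distinct usernames typical of replaying a leaked list
STUFF_MAX_PER_USER = 1.5  # stuffing tries each leaked pair about once


def parse_line(line):
    """Parse 'timestamp src_ip username RESULT'; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4 or parts[3] not in ("OK", "FAIL"):
        return None
    return parts[0], parts[1], parts[2], parts[3] == "OK"


def aggregate(lines):
    """Fold parsed log lines into per-source statistics."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, user, ok = rec
        s = stats[ip]
        s.attempts += 1
        s.failures += 0 if ok else 1
        s.usernames.add(user)
    return stats


def classify(s):
    """Label one source: normal, credential_cracking, credential_stuffing or suspicious."""
    if s.attempts < MIN_ATTEMPTS or s.failures / s.attempts < MIN_FAIL_RATIO:
        return "normal"
    per_user = s.attempts / len(s.usernames)
    if per_user >= CRACK_RATIO:
        return "credential_cracking"        # few usernames, many passwords each
    if len(s.usernames) >= STUFF_MIN_USERS and per_user <= STUFF_MAX_PER_USER:
        return "credential_stuffing"        # many usernames, one try each
    return "suspicious"


def classify_log(lines):
    """Map each source IP seen in the log to its label."""
    return {ip: classify(s) for ip, s in aggregate(lines).items()}


def build_sample_log():
    """Constructed sample log for the example; not real traffic."""
    lines = []
    # Cracking: one bot IP walks a six-entry password list against three known usernames.
    for user in ("alice", "bob", "carol"):
        for _ in range(6):
            lines.append(f"2016-12-29T10:00:00Z 203.0.113.10 {user} FAIL")
    lines.append("2016-12-29T10:00:07Z 203.0.113.10 carol OK")  # a weak password hit
    # Stuffing: a bot replays leaked username/password pairs, one try per account.
    for i in range(12):
        result = "OK" if i == 4 else "FAIL"                      # one reused password works
        lines.append(f"2016-12-29T10:05:00Z 198.51.100.7 user{i}@example.com {result}")
    # Legitimate customer: one typo, then success.
    lines.append("2016-12-29T10:10:00Z 192.0.2.5 dave FAIL")
    lines.append("2016-12-29T10:10:05Z 192.0.2.5 dave OK")
    lines.append("garbage line")  # malformed entry, skipped by the parser
    return lines


if __name__ == "__main__":
    for ip, label in classify_log(build_sample_log()).items():
        print(f"{ip:15} {label}")
```

Per-IP counting is the simplest view and is enough to catch a single-source cracking run, but a stuffing botnet spreads its list across thousands of IPs and proxies so that each source stays below `MIN_ATTEMPTS`. In practice the same counters should also be kept site-wide per time window (distinct usernames failing per minute against the site's normal baseline) and per account, which is the signal behind the post-breach spike in failed logins the post describes.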

Ready for the good news? Distil Networks blocks every OWASP automated threat.

