How to Defend Against Credential Stuffing

Credential Stuffing was our topic last week. If you missed it, here is the link. We discussed what it is, the steps hackers take, and how likely you are to be a victim. Other than not reusing passwords, we did not cover how to prevent falling victim to one of the most common attacks. Let’s look at how to stay safe from a credential stuffing attack.

Multi-factor authentication (MFA) is by far the best tool to defend against most password-related attacks, including credential stuffing. According to a Microsoft study, 99.9% of account compromises could have been prevented by MFA. MFA should be implemented wherever it is available. MFA can stop logins that show any of these risk signals:

  • A new or unusual location
  • An IP address that has attempted to log in to multiple accounts
  • A country that has been flagged as “untrusted”
  • An IP address that is on a known “blocked list”
  • A new browser, device, or IP address
  • Input that appears to be scripted rather than entered manually
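As an added illustration (not code from the original post or from Pendello Solutions), here is a small risk-based step-up policy that evaluates each of the signals above for a login attempt and returns the ones that should trigger an MFA challenge. The threshold, blocklist entry and “untrusted” country code are constructed placeholders, and the attempt data is made up.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed policy data: documentation IP ranges and a placeholder country
# code, not values from the original post. The threshold is an assumption.
UNTRUSTED_COUNTRIES = {"XX"}          # placeholder for a flagged country code
BLOCKED_IPS = {"203.0.113.7"}         # placeholder entry from a blocklist feed
MULTI_ACCOUNT_THRESHOLD = 5           # distinct usernames from one IP before we challenge

@dataclass
class LoginAttempt:
    username: str
    ip: str
    country: str
    device_id: str
    scripted: bool = False            # set by a bot/automation detector upstream

@dataclass
class AccountHistory:
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)

class StepUpPolicy:
    """Decide which of the post's risk signals an attempt trips; any signal means MFA."""
    def __init__(self):
        self.history = defaultdict(AccountHistory)   # per-account trusted context
        self.accounts_per_ip = defaultdict(set)      # usernames each IP has tried

    def evaluate(self, a: LoginAttempt) -> list[str]:
        self.accounts_per_ip[a.ip].add(a.username)
        h = self.history[a.username]
        signals = []
        # A brand-new account has no baseline, so "new" checks only fire once history exists.
        if h.countries and a.country not in h.countries:
            signals.append("new_location")
        if len(self.accounts_per_ip[a.ip]) >= MULTI_ACCOUNT_THRESHOLD:
            signals.append("ip_tried_many_accounts")   # the stuffing signature
        if a.country in UNTRUSTED_COUNTRIES:
            signals.append("untrusted_country")
        if a.ip in BLOCKED_IPS:
            signals.append("blocked_ip")
        if (h.ips and a.ip not in h.ips) or (h.devices and a.device_id not in h.devices):
            signals.append("new_device_or_ip")
        if a.scripted:
            signals.append("scripted_login")
        return signals

    def record_success(self, a: LoginAttempt) -> None:
        # Only after the password AND any required MFA succeed does the context become trusted.
        h = self.history[a.username]
        h.ips.add(a.ip); h.countries.add(a.country); h.devices.add(a.device_id)
```

The per-IP account counter is what distinguishes credential stuffing from a single user mistyping a password: one address cycling through many usernames trips the challenge even when every other signal looks clean.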

We recommend layering additional measures in situations where MFA is not an option. For example, in addition to entering a password, you can also require a PIN, correctly answered security questions, and/or secondary passwords.

In addition to the tools above and not reusing passwords, we also recommend using unique and unpredictable usernames wherever possible. Credential stuffing only succeeds when both the username and the password match, so using a username that is not your email address stops the attack from spreading like wildfire across your accounts.

For more information on defending against credential stuffing as well as other forms of attacks, reach out to your Pendello Solutions team today. Education and preparedness are more than half the battle, and we are your team to help you stay in the know. Give us a call and let us help you formulate a plan to prepare your entire organization.