The Key to Cyberattacks: Understanding Credential Stuffing and Online Password Cracking

In today’s digital landscape, cyberattacks targeting user credentials have become increasingly widespread. Among the most common methods used by attackers are credential stuffing and online password cracking, two distinct techniques that exploit weak or stolen passwords.

While both methods aim to gain unauthorised access to accounts, the tools, tactics, and motivations behind them differ significantly.

By understanding these different techniques, you can better protect yourself and your accounts from falling victim to cybercriminals.

What is Credential Stuffing?

Credential Stuffing is where an attacker tries previously stolen passwords, and variations of them, to gain unauthorised access to an account that hasn’t already been breached. It relies on passwords being reused across multiple accounts: if someone was caught in a data breach and shared that password with an account somewhere else, for example a Netflix or email account, that other account can be breached too.

According to *LastPass, 62% of people reuse passwords or use variations of the same password across many accounts, making this a very widespread problem. Credential Stuffing is why it’s often advised to keep passwords unique, so that even if one account gets breached, the rest don’t fall too.

*Taken from LastPass Psychology of Passwords 2022

Key Characteristics of Credential Stuffing:

  • Relies on previously stolen credentials
  • Involves automating login attempts at scale using bots or scripts
  • Targets multiple accounts across various platforms
  • Success depends on users reusing passwords across services.

Password Cracking 101

Online Password Cracking is where an attacker uses common known passwords and other techniques to discover a plain text password from a breach of credentials in which the password is obfuscated or “hashed”.

This can be very effective but does depend largely on the type of hash used by the website.

There are several techniques used for password cracking, including:

  • Dictionary attack: this method involves the systematic use of commonly used words to guess user passwords
  • Brute force attack: this method is like the dictionary attack, submitting many guesses with the hope of one being correct
  • Lookup tables attack: attackers use tables of precalculated hashes of commonly known passwords to speed up their ability to crack large collections of hashed credentials. This is usually only effective when the passwords have not been hashed correctly using a cryptographic element known as a salt
  • Spidering: scraping company websites, personal details included in a data breach, and previous passwords, all of which can be used to recover passwords, especially when the password hashes are slow to guess
  • Spray attack: Trying common passwords across multiple accounts, making one or two attempts per account. This looks more like a legitimate attempt at login with less risk of detection.
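The lookup-table point above is easiest to see in code. The following is an added example, not part of the original article: it hashes a constructed set of user passwords once without a salt and once with a per-user random salt and a slow key-derivation function (stdlib scrypt), then runs a precomputed table of common passwords against both. The user names, passwords and word list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: two of three users chose the same weak password.
PASSWORDS = {"alice": "Summer2022!", "bob": "Summer2022!",
             "carol": "correct horse battery staple"}
# Constructed list of "commonly known passwords" of the kind a lookup table is built from.
COMMON = ["password", "123456", "Summer2022!", "qwerty"]


def unsalted_sha256(password):
    """Fast, unsalted hash: equal passwords give equal hashes, so one table of
    precomputed hashes recovers every account that chose a common password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_scrypt(password, salt):
    """Per-user random salt plus a deliberately slow, memory-hard KDF (stdlib scrypt)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def store(password):
    """What a site should keep for each user: (salt, digest), never the plain text."""
    salt = os.urandom(16)
    return salt, salted_scrypt(password, salt)


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_scrypt(password, salt), digest)


def lookup_table_hits(hashes, wordlist):
    """The lookup-table attack from the article: hash the wordlist once, then match
    every stored hash against it in one pass. Only works on unsalted hashes."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def compare_storage():
    """Returns (accounts recovered by the lookup table against unsalted hashes,
    distinct unsalted hashes, distinct salted digests) for the sample users."""
    unsalted = {u: unsalted_sha256(p) for u, p in PASSWORDS.items()}
    salted = {u: store(p) for u, p in PASSWORDS.items()}
    # Legitimate logins still verify against the salted records.
    assert all(verify(PASSWORDS[u], *salted[u]) for u in PASSWORDS)
    recovered = lookup_table_hits(unsalted, COMMON)
    return len(recovered), len(set(unsalted.values())), len({d for _, d in salted.values()})
```

With the sample data the table recovers both accounts that share the common password from the unsalted store, while the salted store gives every user a different digest, so the table would have to be rebuilt per user and per slow hash.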

Key Characteristics of Password Cracking:

  • Focuses on guessing and deciphering a single password
  • Utilises tools like brute-force, dictionaries, or lookup tables
  • Can be a targeted attack, or a broad effort to recover as many passwords from a breach as possible. Recovered passwords are usually then sold on to other bad actors, who use them in password spray attacks or phishing attempts.
  • Success depends on the strength of the password hash and the attack method used.

What is the difference between credential stuffing and cracking?

While both credential stuffing and online password cracking are techniques used by attackers to gain unauthorised access to accounts, their methods, tools, and targets differ significantly. Understanding these differences is essential to grasp the unique risks each poses.

The primary distinction lies in how the attacker approaches the problem of access. Credential stuffing exploits existing data, relying on poor password hygiene, while password cracking seeks to generate or discover the password from scratch, requiring more effort and resources. In short, credential stuffing is about reusing passwords, while password cracking is about breaking passwords.

Implications for Businesses and Individuals

The threats posed by credential stuffing and password cracking extend far beyond just inconvenience. Both techniques can have serious consequences for individuals and businesses, affecting everything from financial security to brand reputation.

For Individuals

  • Account Takeovers: attacks can lead to unauthorised access to personal email accounts, banking and social media. This can result in identity theft and financial loss.
  • Privacy Violations: a successful attack will leave sensitive personal information exposed – address, payment details, even private messages.
  • Emotional Impact: the experience of having accounts compromised often leads to stress, frustration, and loss of trust in online services.

For Businesses

  • Financial Losses: attacks targeting company resources can overwhelm servers, leading to downtime. This disruption can be costly.
  • Reputational Damage: data breaches or successful attacks can wear away customer trust, impacting brand reputation and customer retention.
  • Compliance Risk: failing to protect user data adequately can result in hefty fines under data protection regulations (GDPR, NIS2).

For individuals, the key risk lies in the effect of reusing passwords across multiple accounts.

For businesses, the automation, use of bots and VPNs, and the sheer scale of these attacks make them particularly hard to detect: they appear as nothing more than multiple failed login attempts. And since the bad actor is using legitimate account credentials, a successful login looks like a genuine user, making it difficult to detect through traditional security measures.

In the event hackers can access a corporate network through a compromised account, such as one belonging to an employee, they can take their time installing viruses, stealing data and gaining knowledge about the system to use in future attacks.
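The shape described above, many accounts tried once or twice each from one automated source, is exactly what a per-account lockout misses and a per-source view catches. The following is an added example, not part of the original article: it summarises constructed authentication log lines by source address and flags sources that fan out across many accounts. The log format, field names and thresholds are assumptions, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed authentication log. One automated source tries each of five
# accounts once; a real user at another address fumbles once and then gets in.
LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave result=success
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin result=fail
2024-05-01T10:01:00Z ip=198.51.100.7 user=grace result=fail
2024-05-01T10:01:20Z ip=198.51.100.7 user=grace result=success
"""

# Assumed log format: key=value fields for source address, account and outcome.
LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def summarise(log):
    """Per source IP: distinct usernames tried, total attempts, failures, and the
    accounts the source logged into successfully."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fail": 0, "success": set()})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a login event
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        s["attempts"] += 1
        if m["result"] == "fail":
            s["fail"] += 1
        else:
            s["success"].add(m["user"])
    return stats


def flag_sources(log, min_users=5, max_per_user=2.0):
    """Flag sources that touch at least min_users accounts with at most
    max_per_user attempts each: the low-and-slow shape of credential stuffing and
    password spraying. Returns ip -> sorted accounts that source logged into,
    which are the ones to review and force a password reset on."""
    flagged = {}
    for ip, s in summarise(log).items():
        fanout = len(s["users"])
        if fanout >= min_users and s["attempts"] / fanout <= max_per_user:
            flagged[ip] = sorted(s["success"])
    return flagged
```

The sprayed-but-successful account ("dave") is the one that now looks like a genuine user to every downstream control, which is why the per-source flag is worth raising even though only one login out of five succeeded.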

Defending against a cyberthreat

Protecting against credential stuffing and password cracking requires a proactive and layered approach to security. Both individuals and businesses have a role to play in building resilience against these attacks.

1. Use Unique, Strong Passwords

  • Avoid reusing passwords across multiple accounts
  • Opt for long passwords with a minimum of 12 characters
  • Use passphrases of 4 or more words that are easier to remember but harder to guess

2. Password Security Managers

  • A password manager can securely generate and store unique passwords for every account
  • It can also identify any breached passwords and other vulnerabilities

3. Multi-Factor Authentication (MFA)

  • Enabling MFA on accounts will reduce the effectiveness of credential stuffing attacks
  • Using more than one authentication factor significantly improves security and protects against many common vulnerabilities and password reuse

4. Monitor for Data Breaches

  • Regularly check if your credentials have been compromised using tools linking to a data breach database
  • Update passwords immediately if your information appears in a breach

5. Stay Vigilant

  • Be cautious about phishing emails or messages attempting to steal login credentials
  • Regularly update software and systems to patch vulnerabilities that could be exploited by attackers.

Conclusion

Credential stuffing and online password cracking are reminders of the critical role strong password hygiene plays in cybersecurity. While these two attack methods differ in execution, they share a common weakness – reliance on poor password methods.

To safeguard yourself and your organisation, it’s essential to adopt proactive measures. Use unique, strong passwords for each account and store them securely in a password manager. Enable multi-factor authentication (MFA) wherever possible, as it adds a critical layer of security that can prevent both credential stuffing and online password-cracking attempts.

By prioritising password security and remaining vigilant, you can significantly reduce the risks associated with these threats, ensuring greater peace of mind in our digital world.

Trusted by Governments and Enterprises Worldwide

Where protecting systems and information really matters, you will find Intercede. Whether it’s citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.