- What is authentication?
- What is credential stuffing?
- What do auth attacks actually do?
- Are auth attacks dangerous?
- How do you defend against auth attacks?
- How to improve your overall online security
What is authentication?
When you interact with a web application, it can assign specific privileges to you if you log in to the application. This may involve creating a brand-new username and password or using a federated identity management system, like Google Sign-in, Facebook Login, and Log in with Twitter. However, the main reason why authentication (auth) attacks are so successful is that people reuse logins and passwords.
There are many authentication protocols that an application can use to grant you privileges, but the most common is using your login credentials (your username and password).
What is credential stuffing?
Credentials (e.g., a list of usernames and their associated passwords) obtained from a data breach can be used to attempt to log in to another unrelated service. This type of auth attack is called credential stuffing.
Credential stuffing attacks usually have, statistically speaking, a very low rate of success. Some estimates are 0.1% (once in a thousand attempts). What makes credential stuffing so lucrative is the sheer volume of credential collections being traded by attackers.
These collections can contain millions and in some cases billions of login credentials. If an attacker has one million sets of credentials, this could yield around 1,000 successfully cracked accounts. If even a small percentage of the cracked accounts yields profitable data (often in the form of credit card numbers or sensitive data that can be used in phishing attacks), then the attack is worthwhile. On top of that, the attacker can repeat the process using the same sets of credentials on numerous different services.
In this video from our Workforce Security Awareness training, CBT Nuggets trainer Keith Barker describes how to find out where your email address was compromised and when.
Interestingly, these credentials are likely worthless on the site where they were stolen. This is because when a breach happens companies reset passwords and alert their users. However, many people use the same password for multiple sites. It's the job of an auth (or authentication) attack to find out whether you used a breached password multiple times — and where.
What do auth attacks actually do?
Auth attack scripts don't grab data, steal money, or change settings. When the computer program finds a password that works, it immediately logs out. Its only job is to find out whether a password is active. Once it finds that out, the job is done.
The attacker will then attempt to log in with this list of millions (or billions) of credentials on lots of other websites. If the program finds that you used the same password for Netflix, LinkedIn, and Facebook, then there's a good chance you also used that password elsewhere — like your bank or retail accounts.
Are auth attacks dangerous?
Yes. They’re just as dangerous as any other type of cyberattack. Despite the fact that auth attacks enter and exit accounts immediately, they’re designed to steal the most important piece of data — your password.
How do you defend against auth attacks?
Luckily, auth attacks are easy to defend against. You can foil even the most sophisticated auth attack in three ways:
Find out if your passwords have been compromised. In our Workforce Security Training, CBT Nuggets trainer Keith Barker describes how to check whether your email address is out in the wild.
Use a different password for every website. With so many logins, it’s easy to get lazy with password diversity. Some recent surveys found that as high as 85 percent of people used the same password for multiple sites. However, doing so leaves you vulnerable to auth attacks.
Use two-factor authentication. Many online services now offer (or even require) two-factor authentication (2FA). With 2FA, you’ll be required to enter a number from an authenticator app, text message, or even phone call when you log into your account. Your most important accounts should be protected with 2FA.
How to improve your overall online security
Attackers are opportunistic. With all the glut of breached data floating around the internet, malicious actors aren’t spending too much time to attack any one account. To use an analogy, they aren’t trying to break into a car and hotwire it. They’ll be looking for the one with its engine running and the keys in the ignition.
By following basic password security protocols, you’ll keep attackers out and keep your personal data safe.