Many people get confused between brute force attacks and credentials stuffing. To help clear this up, here is a simple description of the two. These are both in regards to the login form only.
Brute Force
Brute force attacks on the login form consist of the attacker having a defined list (called a dictionary) of potential passwords. The attacker will then try each of these defined passwords with each username the attacker is trying to brute force. Put simply, this is a 1 (username) too many (password) attack.
A common mitigation to brute force attacks is the implementation of account lockout. In this case, after 3, or 5, or 10 failed attempts for a single username, the user account is locked to block any more attempts. This drastically reduces the number of passwords that may be tried in a short period of time.
Credential Stuffing
Credential Stuffing is another attack on the login form but it differs from a brute force attack in that the list used contains both a username and a password. This list is often obtained through a data breach at another organization. The purpose is to find accounts that are re-used across multiple sites. In this case, the attack is a 1 (username) to 1 (password) attack. For each username, only one password will be attempted.
Unlike with Brute Force, account lockout doesn’t have much affect on credential stuffing. Multi-factor authentication is a good mitigation as it will limit the use of valid credentials.
Leave a Reply
You must be logged in to post a comment.