Just some thoughts about credential stuffing attacks: how to check and prevent them

People reuse passwords all the time. How can i check and prevent credential stuffing attacks?

Recently i've read this article by Brian Chappell on SC Media UK:

Credential stuffing: People reuse passwords all the time. Shocker, I know.

In BeyondTrust's Annual Privileged Access Management survey, conducted between May and June 2017, 474 IT professionals told us that nearly half of them, 49 percent, reuse passwords across multiple systems.

Our respondents weren't ignorant to the threats of such behaviour. Nearly three quarters, 73 percent, called the practice a considerable threat, along with password sharing and using default or weak passwords. Nor were their fears merely academic. A fifth, 20 percent, said that password reuse caused frequent security issues, as did 22 percent of respondents when talking about password sharing.

But...what is Credential Stuffing?

Credential stuffing is the automated injection of breached username/password pairs in order to gain access to user accounts.
This is a kind of brute force attack: large numbers of leaked credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

More information from OWASP website:

Credential stuffing is a new form of attack to accomplish account takeover through automated web injection. Credential stuffing is related to the breaching of databases; both accomplish account takeover. Credential stuffing is an emerging threat.

Credential stuffing is dangerous to both consumers and enterprises because of the ripple effects of these breaches. For more information on this please reference the Examples section showing the connected chain of events from one breach to another through credential stuffing.

Anatomy of Attack

The attacker acquires spilled usernames and passwords from a website breach or password dump site.
The attacker uses an account checker to test the stolen credentials against many websites (for instance, social media sites or online marketplaces).
Successful logins (usually 0.1-0.2% of the total login attempts) allow the attacker to take over the account matching the stolen credentials.
The attacker drains stolen accounts of stored value, credit card numbers, and other personally identifiable information
The attacker may also use account information going forward for other nefarious purposes (for example, to send spam or create further transactions)

How can I carry out this kind of attack during a security assessment?

Karim Shoair has developed Cr3dOv3r, a python script that automatize this process:

Cr3dOv3r simply you give it an email then it does two simple jobs (but useful) :

- Search for public leaks for the email and if it any, it returns with all available details about the leak (Using hacked-emails site API).

- Now you give it this email's old or leaked password then it checks this credentials against 16 websites (ex: facebook, twitter, google...) then it tells you if login successful in any website!

Installation

First, clone the GetHub repository:

git clone https://github.com/D4Vinci/Cr3dOv3r.git

Then resolve the dependencies:

cd Cr3dOv3r
pip3 install -r requirements.txt

Finally, start the tool:

python3 Cr3dOv3r.py -h
usage: Cr3d0v3r.py [-h] email
positional arguments:
  email       Email/username to check
optional arguments:
  -h, --help  show this help message and exit

How i can avoid Credential Stuffing attacks?

I suggest to read this article on OWASP:

It should be noted that defense mechanisms are intended to be used in a layered approach. In most cases, a single defense option would be inadequate to stop most Credential Stuffing attacks.

In many cases, brute force protections will overlap with credential stuffing defenses.