Prevent Credential Stuffing Attacks

Credential stuffing is a new way of hackers attacking victims’ websites by running bots on the internet which try thousands of username and password combinations — to hack an account.

These attacks are generally run through pre-programmed bot web scripts, or they are coded by the hacker themselves if they have the coding knowledge.

With a 2% success rate, one million stolen credentials can take over twenty thousand accounts. The only thing we can do is educate ourselves, our colleagues, and our clients on preventing them in the first place.

Here is a list of 5 security checks to prevent credential-stuffing attacks.

5 security checks to prevent credential-stuffing attacks

Don’t let credential-stuffing attacks sneak past your defenses! Arm yourself with these 5 security checks to keep your login portal locked tight. From password complexity to multi-factor authentication, these checks will have hackers scratching their heads and moving on to easier targets

1. Rate limit login attempts

Rate-limiting login attempts are a great way to prevent credential-stuffing attacks.

It’s pretty simple: you can limit a user’s login attempts per minute, day, or period. You can even set up a grace period where users can try again if they fail to log in during the specified period. This way, attackers won’t be able to brute force their way into your system by trying hundreds of passwords at once.

2. Require strong passwords

Passwords are the keys to your kingdom, so they must be strong and unique. If you’re using the same password for multiple accounts, you’re more vulnerable to credential-stuffing attacks. Credential stuffing is a method of attack where hackers use leaked or stolen credentials from one service to gain access to another.

The best way to keep your accounts safe is to use different passwords for each account and ensure they are long and complex—at least 12 characters in length with a mix of letters, numbers, and symbols.

3. Implement multi-factor authentication

The best way to prevent credential stuffing attacks is to implement multi-factor authentication.

Multi-factor authentication requires users to provide two pieces of information to authenticate: something they know, like a password, and something they have, like a device that generates a one-time code.

Multi-factor authentication makes it much harder for attackers to gain access to your accounts because it’s exponentially more difficult for them to find out your second factor (and the codes expire quickly).

You can also use multi-factor authentication with other security measures, such as email verification checks.

4. Check for compromised credentials

When a credential stuffing attack occurs, checking for compromised credentials is essential. The best way to do this is with a password vault. A password vault allows you to store all your passwords in one place and then use different passwords for each site.

This prevents hackers from being able to access multiple accounts at once if they gain access to one account’s password.

5. Monitor and alert on suspicious activity.

Monitoring and alerting on suspicious activity are the easiest way to prevent credential-stuffing attacks.

This may sound like a no-brainer, but it’s pretty difficult to do right. A good monitoring system will be able to detect when something happens that doesn’t seem right—like a user logging in from an unexpected country or more than one user trying to log in at once.

When you detect suspicious activity, you can send an alert that tells you what happened and provides information about how likely it is that a real human being was involved (and, therefore, how likely this is just an automated attack).

If someone’s trying to log in with incorrect credentials repeatedly—or if they’re logging in from a completely different country each time—there’s probably something fishy going on.


By spotting unusual uses of your site, you can protect yourself and your users from credential-stuffing attacks.

While it’s safe to say that we’re not out of the woods yet regarding security, you can do a few things to protect your website and users. It all starts with a few simple things to keep an eye on, and security checks like these are a great place to start.

This is not an exhaustive list of ways to prevent an attack, but it’s a good starting point for any business that wants to protect itself online.

Don’t let a cyber threat get you down. Connect with AuthSafe today to protect yourself and your business against cyber threats.