Heya,
Let’s talk about credential stuffing, a common form of attack against web applications. Credential stuffing targets usernames and passwords, which are still the lowest common denominator for online account access.
You’ll learn about the architecture, security controls, and implementation choices necessary to protect user accounts from credential stuffing attacks.
What Is Credential Stuffing
Credential stuffing is an automated attack where malicious actors use stolen username-password pairs from one service to attempt unauthorized access to other services. Unlike brute force attacks that try many passwords against one account, credential stuffing exploits the widespread problem of password reuse across multiple platforms.
Side note: please don’t reuse your passwords on any system you care about.
Preventing credential stuffing matters for customer identity and access management (CIAM) systems because their entire reason for being is to prevent unauthorized access to the applications they are part of.
This post focuses on defensive strategies for CIAM platforms hosting user accounts, not advice for individual users protecting their own credentials.
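As an added example that is not from the original post, here is a minimal defender-side heuristic in Python that separates the two patterns described above, using a constructed authentication log: one source trying many distinct usernames once each (credential stuffing) versus one source trying one account many times (brute force). The event format, thresholds and source addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: (source_ip, username, outcome).
# Addresses come from the documentation ranges (RFC 5737).
SAMPLE_EVENTS = [
    # One source, six different accounts, one attempt each: stuffing.
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "fail"),
    ("203.0.113.7", "dave", "success"),  # a reused password paid off
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    # One source, one account, repeated guesses: brute force.
    *[("198.51.100.9", "alice", "fail") for _ in range(6)],
    # Legitimate user who mistyped once and then logged in.
    ("192.0.2.44", "grace", "fail"),
    ("192.0.2.44", "grace", "success"),
]


def classify_sources(events, min_attempts=5, stuffing_ratio=0.8):
    """Label each source IP as benign, credential_stuffing, brute_force
    or suspicious, based on attempt volume and username diversity.

    min_attempts:   below this volume a source is left alone (benign).
    stuffing_ratio: distinct usernames / attempts at or above this value
                    means almost every attempt targets a new account.
    """
    per_source = defaultdict(lambda: {"attempts": 0, "users": set()})
    for src, user, _outcome in events:
        per_source[src]["attempts"] += 1
        per_source[src]["users"].add(user)

    labels = {}
    for src, stats in per_source.items():
        attempts, distinct = stats["attempts"], len(stats["users"])
        if attempts < min_attempts:
            labels[src] = "benign"
        elif distinct / attempts >= stuffing_ratio:
            labels[src] = "credential_stuffing"  # many accounts, few tries each
        elif distinct == 1:
            labels[src] = "brute_force"          # one account, many tries
        else:
            labels[src] = "suspicious"           # mixed pattern, worth a look
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src:<14} {label}")
```

A per-source threshold like this only catches attempts concentrated on one address; production CIAM systems pair it with global failed-login rates, per-account signals and checks of submitted passwords against known-breached sets.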
But first, why should you care about this specific attack vector?
Why Defending Against Credential Stuffing Matters