Credential stuffing

What to do?

Craig Loftus

You

  • password manager
  • generated passwords
  • unique to each site

Your users

  • password1£
  • reused everywhere
  • shared with friends etc

Credential stuffing

  • emails and passwords from breaches
  • tried one by one against other sites

Who cares?

FTC explicitly

GDPR implicitly

ICO (UK) guidelines specifically require protecting against credential stuffing

NIST also recommends it directly

Stuffing

Talk about using web application firewalls (and others) to reduce the volume of attacks and guard against the more direct stuffing of credentials.

Credentials

Tackling the stuffing is not enough. We also need to help users with poor credentials.

Passwords

Pwned Passwords API

  • Service provided by Have I Been Pwned project
  • 517 million unique passwords
  • Uses a k-anonymity model

  1. Hash the password
  2. Send only the first 5 characters of the hash to the API
  3. API returns all hash suffixes matching that prefix
  4. Search for the full hash in the returned list
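The four steps above as an added worked example (not code from the slides or from the django-pwned-validator project): the hash is split client-side, only the 5-character prefix leaves the process, and the match is found locally. The HTTPS range endpoint is replaced by a constructed stand-in, `FakeRangeApi`, whose suffixes and counts are made up (only the suffix of "password" is its real SHA-1).

```python
import hashlib
from typing import Callable

def hash_and_split(password: str) -> tuple[str, str]:
    """Steps 1-2: SHA-1 the password (upper-case hex) and split it into the
    5-character prefix that goes to the API and the 35-character suffix that
    never leaves this process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Step 3: the API answers with one 'SUFFIX:COUNT' line per leaked hash
    in that prefix range; index them by suffix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Step 4: look for our own suffix in the returned range; 0 = not found."""
    prefix, suffix = hash_and_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for the range endpoint: two prefix ranges with made-up
# suffixes and counts. The middle entry under 5BAA6 is the real SHA-1 suffix
# of "password"; its count 123456 is invented.
FAKE_RANGES = {
    "5BAA6": "000A1B2C3D4E5F60718293A4B5C6D7E8F90:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
             "FFF0123456789ABCDEF0123456789ABCDEF:17\n",
    "DA39A": "0123456789ABCDEF0123456789ABCDEF012:2\n",
}

class FakeRangeApi:
    """Records every prefix requested so a caller can check that only five
    hex characters were ever sent over the wire."""
    def __init__(self) -> None:
        self.requested: list[str] = []

    def __call__(self, prefix: str) -> str:
        self.requested.append(prefix)
        return FAKE_RANGES.get(prefix, "")
```

With the real service, `fetch_range` would be an HTTPS GET of the range endpoint for the prefix, and the count should be treated as a policy input (reject or warn), not just a boolean.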

django-pwned-validator

$ pip install django-pwned-validator

INSTALLED_APPS = [
    ...
    'pwned.apps.PwnedConfig',
]

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'pwned.validators.PwnedValidator',
    },
    ...
]

But what about...?

  • Existing users
  • Conversions

But what about...?

Inactive users

Credential stuffing - Pwned Passwords API

By Craig Loftus