Brute Force and Credential Stuffing Defense

Stopping attackers who guess passwords or replay leaked credential lists at scale.

The Two Threats

Brute force throws many password guesses at one account. Credential stuffing replays username and password pairs leaked from other sites' breaches, usually one or two attempts per account across a large set of accounts, betting that people reuse passwords. Both are high volume automated attacks against the login endpoint, but their shapes differ: brute force concentrates failures on one account, while stuffing spreads a few failures over many, which is why per-account lockouts alone do not catch it.

Defenses

  • Require multi factor authentication. A stuffing bot that holds a valid password still fails the second factor, so a correct guess yields no account; prefer a phishing resistant factor where you can.
  • Rate limit failed logins keyed both by account and by source address. A hard lockout keyed only by account lets an attacker lock real users out by spamming their usernames, and keying only by source misses stuffing spread across many addresses, so combine both and prefer escalating delays over permanent lockout.
  • After suspicious activity, demand a challenge such as a captcha or proof of work, so each further attempt costs the attacker more than it costs you.
  • Check new and changed passwords against known breach corpora, so passwords already in leaked lists are rejected at signup and at reset. A k-anonymity range lookup (send only a hash prefix, compare suffixes locally) avoids handing the plaintext or full hash to a third party.
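
The throttle and breached-password check described above, as an added example (not code from the page). It assumes illustrative thresholds, a constructed breach set standing in for a real corpus such as a Pwned Passwords range lookup, and an injectable clock so the sliding window can be advanced in a test:

```python
import hashlib
import time
from collections import defaultdict, deque

# Assumed policy values (illustrative, not from the page).
ACCOUNT_LIMIT = 5      # failures per account per window before escalating delay
SOURCE_LIMIT = 20      # failures per source address per window before a challenge
WINDOW_SECONDS = 300   # sliding window length
MAX_DELAY = 60         # cap on the escalating delay, in seconds


class LoginThrottle:
    """Sliding-window failure counters keyed by account and by source address.

    A hard per-account lockout lets an attacker lock real users out by
    spamming their usernames, so per-account overage escalates a delay
    instead. Per-source overage (one address failing against many accounts,
    the stuffing shape) forces a challenge such as a captcha.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.by_account = defaultdict(deque)
        self.by_source = defaultdict(deque)

    @staticmethod
    def _prune(dq, now):
        while dq and dq[0] <= now - WINDOW_SECONDS:
            dq.popleft()

    def record_failure(self, account, source):
        now = self.clock()
        self.by_account[account].append(now)
        self.by_source[source].append(now)

    def record_success(self, account):
        # Clear the account counter only: a bot that hits one valid pair is
        # still hammering the endpoint, so its source counter must persist.
        self.by_account.pop(account, None)

    def decide(self, account, source):
        """Return (action, delay_seconds): 'allow', 'challenge' or 'delay'."""
        now = self.clock()
        acct, src = self.by_account[account], self.by_source[source]
        self._prune(acct, now)
        self._prune(src, now)
        if len(src) >= SOURCE_LIMIT:
            return ("challenge", 0)
        if len(acct) >= ACCOUNT_LIMIT:
            # 5th failure -> 2 s, 6th -> 4 s, ... capped at MAX_DELAY
            return ("delay", min(2 ** (len(acct) - ACCOUNT_LIMIT + 1), MAX_DELAY))
        return ("allow", 0)


# Constructed stand-in for a breached-password corpus: SHA-1 of a few passwords
# seen in nearly every leak. A real deployment queries a range API with the
# first five hex characters of the hash (k-anonymity) instead of holding a list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2024!")
}


def is_breached(password):
    """Look up by hash prefix, then compare the suffix locally, mirroring a range query."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    range_response = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in range_response


def signup(username, password):
    """Reject a password that is already in the breach corpus; returns (ok, reason)."""
    if is_breached(password):
        return (False, "password appears in a known breach")
    return (True, "account created")


def simulate():
    """Drive the throttle with a fake clock; returns the sequence of decisions."""
    t = [1000.0]
    throttle = LoginThrottle(clock=lambda: t[0])
    out = []
    # brute force shape: one account, repeated failures from one address
    for _ in range(ACCOUNT_LIMIT):
        throttle.record_failure("alice", "203.0.113.9")
    out.append(throttle.decide("alice", "203.0.113.9"))       # ('delay', 2)
    # stuffing shape: one address, one failure each against many accounts
    for i in range(SOURCE_LIMIT):
        throttle.record_failure(f"user{i}", "198.51.100.7")
    out.append(throttle.decide("user99", "198.51.100.7"))     # ('challenge', 0)
    t[0] += WINDOW_SECONDS + 1                                # window expires
    out.append(throttle.decide("alice", "203.0.113.9"))       # ('allow', 0)
    return out
```

The two counters deliberately answer different questions: the account counter catches a focused brute force and responds with a delay that a real user can tolerate, while the source counter catches the spread-out stuffing shape and responds with a challenge, since a slow-down alone barely dents a bot that only needs one attempt per account.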

Detecting Attacks

  • A spike in failed logins spread across many accounts, each seeing only one or two attempts, is the signature of stuffing. Per-account counters stay below any lockout threshold, so count failures across the whole endpoint.
  • Many failures against a single account from many distinct source addresses is the signature of distributed brute force.
  • A success on an account that has just absorbed many failures is improbable for a real user. Alert on it and treat the session as suspect: step up to a second factor or notify the account owner.
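
The three detection patterns above, run over constructed authentication log lines, as an added example that is not part of the page. The line layout, the sample addresses and the thresholds are all assumptions; a real deployment would feed its own log format and tune the numbers to the endpoint's normal failure rate:

```python
import re
from collections import Counter, defaultdict

# Constructed sample logs (not from any real product). Assumed line layout:
# "<epoch seconds> <username> <source address> <OK|FAIL>", one batch per minute.
STUFFING_LOG = """\
1000 alice 198.51.100.5 FAIL
1000 bob 198.51.100.6 FAIL
1001 carol 198.51.100.7 FAIL
1001 dave 198.51.100.5 FAIL
1002 erin 198.51.100.8 FAIL
1002 frank 198.51.100.6 FAIL
1003 grace 198.51.100.9 FAIL
1003 heidi 198.51.100.7 FAIL
1004 ivan 198.51.100.5 FAIL
1004 judy 198.51.100.8 FAIL
1005 mallory 198.51.100.9 FAIL
1005 oscar 198.51.100.6 OK
"""

BRUTE_FORCE_LOG = """\
2000 alice 203.0.113.1 FAIL
2001 alice 203.0.113.2 FAIL
2002 alice 203.0.113.3 FAIL
2003 alice 203.0.113.4 FAIL
2004 alice 203.0.113.5 FAIL
2005 alice 203.0.113.6 FAIL
2006 alice 203.0.113.1 FAIL
2007 alice 203.0.113.2 FAIL
2008 alice 203.0.113.3 FAIL
2009 alice 203.0.113.4 FAIL
2010 alice 203.0.113.5 FAIL
2011 alice 203.0.113.6 FAIL
2012 alice 203.0.113.6 OK
2013 bob 192.0.2.20 OK
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<result>OK|FAIL)$")


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = int(e["ts"])
            events.append(e)
    return events


def analyze(events, min_fails=10, spread_ratio=0.8, min_sources=3):
    """Return a list of (finding, detail) tuples for one batch of events."""
    findings = []
    fails = [e for e in events if e["result"] == "FAIL"]
    fails_by_user = defaultdict(list)
    for e in fails:
        fails_by_user[e["user"]].append(e)

    # Stuffing: a burst of failures where almost every failure is on a different
    # account. Per-account counters never trip, so count across the endpoint.
    if len(fails) >= min_fails and len(fails_by_user) >= spread_ratio * len(fails):
        findings.append(("credential_stuffing",
                         f"{len(fails)} failures spread over {len(fails_by_user)} accounts"))

    # Brute force: one account absorbing many failures from several sources.
    for user, evs in fails_by_user.items():
        sources = {e["src"] for e in evs}
        if len(evs) >= min_fails and len(sources) >= min_sources:
            findings.append(("brute_force",
                             f"{user}: {len(evs)} failures from {len(sources)} sources"))

    # Improbable success: an OK for an account that had already failed many times.
    seen = Counter()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "FAIL":
            seen[e["user"]] += 1
        elif seen[e["user"]] >= min_fails:
            findings.append(("success_after_failures",
                             f"{e['user']} succeeded after {seen[e['user']]} failures"))
    return findings


def finding_kinds(log_text):
    """Convenience wrapper: the set of finding names raised for a raw log."""
    return {kind for kind, _ in analyze(parse(log_text))}
```

Note that the stuffing rule never looks at any single account; it compares the number of failures with the number of distinct accounts they landed on. That is the check a per-account lockout cannot perform, and it is why the detection has to run over the endpoint's aggregate log rather than per user.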

Key idea

Assume passwords are already leaked: require multi factor authentication, throttle and challenge suspicious logins, and reject known breached passwords.

Check yourself

1. What distinguishes credential stuffing from brute force?

2. Which control most reliably defeats credential stuffing?

3. Which pattern signals a stuffing attack?