OWASP Automated Threat (OAT-007) Credential Cracking
Credential cracking is one of the ways that attackers use online bots to compromise your website security.
What is Credential Cracking?
Credential cracking is an online security threat in which an attacker identifies valid login credentials by trying different values for usernames and/or passwords. It is an online attack on the account login page of a website: in a credential cracking attack, bad actors use brute-force, dictionary (word list), and guessing attacks against an application's authentication process to identify valid account credentials.
Credential cracking is also known by terms such as brute-force attacks against sign-in, brute forcing log-in credentials, brute-force password cracking, cracking login credentials, password brute-forcing, password cracking, reverse brute-force attack, username cracking, and username enumeration.
The Symptoms of Credential Cracking
OWASP, the organization focused on improving the security of software, notes that there are several possible symptoms of credential cracking. These include:
- Relatively high number of failed login attempts
- Many requests containing variations on the account name and/or password
- Elevated account lock rate
- Increased customer complaints of account hijacking through help center or social media outlets
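The first three symptoms above can be measured directly from authentication logs. The following script is an added example, not code from OWASP or from this article: it parses a hypothetical log format, flags source addresses whose failed logins inside a sliding window reach a threshold or that cycle through many account names, and lists accounts that would have hit a lockout threshold. The log format, the thresholds and the sample lines are all assumptions constructed for the demonstration.

```python
# Added example (not OWASP's or this article's code): scan authentication logs for the
# symptoms listed above. The log format, the thresholds and the sample lines are
# assumptions constructed for this demonstration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> login <OK|FAIL> user=<name> ip=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one address hammering one account, another address trying many
# account names with one attempt each, and one legitimate user who mistypes twice.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} login FAIL user=alice ip=203.0.113.5" for i in range(12)]
    + [f"2024-05-01T10:01:{i:02d} login FAIL user=user{i} ip=198.51.100.7" for i in range(6)]
    + [
        "2024-05-01T10:02:00 login FAIL user=bob ip=192.0.2.9",
        "2024-05-01T10:02:10 login FAIL user=bob ip=192.0.2.9",
        "2024-05-01T10:02:20 login OK user=bob ip=192.0.2.9",
    ]
)


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples sorted by time; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_cracking(text, window=timedelta(minutes=5), fail_threshold=10, user_threshold=5):
    """Flag source addresses whose failures inside a sliding window reach fail_threshold
    (high failure rate) or span user_threshold distinct account names (username variation)."""
    recent = defaultdict(deque)  # ip -> failures (timestamp, user) still inside the window
    alerts = {}
    for ts, result, user, ip in parse_log(text):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        fails, users = len(q), {u for _, u in q}
        reasons = set()
        if fails >= fail_threshold:
            reasons.add("high failure rate")
        if len(users) >= user_threshold:
            reasons.add("username variation")
        if reasons:
            a = alerts.setdefault(ip, {"failed_attempts": 0, "distinct_users": 0, "reasons": set()})
            a["failed_attempts"] = max(a["failed_attempts"], fails)
            a["distinct_users"] = max(a["distinct_users"], len(users))
            a["reasons"] |= reasons
    return alerts


def accounts_at_lockout(text, lockout_threshold=5):
    """Accounts whose failure count reached a lockout threshold; a rising count here is
    the 'elevated account lock rate' symptom."""
    fails_per_user = defaultdict(int)
    for _, result, user, _ in parse_log(text):
        if result == "FAIL":
            fails_per_user[user] += 1
    return {u for u, n in fails_per_user.items() if n >= lockout_threshold}


if __name__ == "__main__":
    for ip, info in detect_cracking(SAMPLE_LOG).items():
        print(ip, info)
    print("accounts at lockout threshold:", accounts_at_lockout(SAMPLE_LOG))
```

On the constructed sample, the address trying one account twelve times is flagged for failure rate, the address trying six different names is flagged for username variation even though it never exceeds one attempt per account, and the legitimate user who mistyped twice is not flagged. Shrinking the window (for example to a few seconds) removes the failure-rate alert but keeps the username-variation one, which is why both signals are worth tracking separately.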
Sectors Targeted by Credential Cracking
The major sectors targeted by credential cracking include education, financial services, government, healthcare, retail, entertainment, technology and social networking.
OWASP, the worldwide not-for-profit organization focused on improving the security of software, says the data commonly misused in such incidents includes authentication credentials, payment cardholder data, financial data, medical data, personal data, intellectual property and other business information, and public data.
If a login attempt is successful, the attacker changes the password and takes over the account, locking the real account owner out. The problem does not end there: attackers holding hijacked credentials move on to other sites, attempting to reuse the validated login credentials against virtually any other type of account.
Ways to Prevent Credential Cracking Security Threat
OWASP suggests several possible countermeasures to address the threat of credential cracking. These include:
- Defining test cases for credential cracking that confirm an application will detect and/or prevent users from attempting to guess usernames and passwords.
- Consider randomizing the content and URLs of authentication form pages, linking these changes to an individual user's session, verifying the changes at each authentication step, and restricting any identified automated usage. This practice reduces the scope for automated attacks, since each route to access an account changes before a bad actor can run through their scripted attack in full.
- Identifying and restricting automated usage by fingerprinting before a credential cracking attempt can occur, and identifying and restricting automated usage by reputation methods. For this practice, organizations should consider using geolocation and IP address blocklists to prevent access to authentication functions.
- IT security and security management should prevent users from choosing common or weak passwords, as those passwords are easy and effortless for bad actors to crack. Companies are also advised to apply incremental account lockout to accounts showing suspicious login attempts.
- Companies can also consider strengthening authentication by adding CAPTCHA or reCAPTCHA, adding application-specific challenge questions, or using stronger authentication such as two-factor authentication.
- Organizations should consider even stricter security measures for users with more sensitive permissions, such as moderators, system administrators, and internal staff.
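Two of the countermeasures above, rejecting common or weak passwords and incremental account lockout, are small enough to show in working code. The class below is an added example, not code from OWASP or from this article: it keeps a short constructed denylist of common passwords, stores PBKDF2 hashes, and after a few free attempts locks an account for a delay that doubles with every further failure up to a cap. The attempt counts, delays, denylist and the `AuthService` name are all assumptions; a real deployment would use a breached-password list of realistic size.

```python
# Added example (not OWASP's or this article's code): weak-password rejection plus
# incremental (doubling) account lockout. Thresholds, delays and the denylist are
# assumptions chosen for the demonstration.
import hashlib
import hmac
import os

# Constructed short denylist; use a large breached-password list in practice.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}
PBKDF2_ROUNDS = 100_000


def password_allowed(password, minimum_length=12):
    """Reject passwords that are too short or appear on the common-password denylist."""
    return len(password) >= minimum_length and password.lower() not in COMMON_PASSWORDS


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    """Login service with incremental lockout: after free_attempts consecutive failures
    the account is locked for base_delay seconds, doubling per further failure up to max_delay."""

    def __init__(self, free_attempts=3, base_delay=30, max_delay=3600):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.users = {}         # user -> (salt, digest)
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> unix time at which the lock expires

    def register(self, user, password):
        if not password_allowed(password):
            raise ValueError("password is too short or too common")
        self.users[user] = hash_password(password)

    def lock_remaining(self, user, now):
        """Seconds of lockout left for `user` at time `now` (0 if not locked)."""
        return max(0, self.locked_until.get(user, 0) - now)

    def login(self, user, password, now):
        """Return 'locked', 'ok' or 'failed'. `now` is a unix timestamp supplied by the caller
        so that the lockout schedule is testable without sleeping."""
        if self.lock_remaining(user, now) > 0:
            return "locked"
        stored = self.users.get(user)
        if stored is not None:
            salt, digest = stored
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, digest):
                self.failures.pop(user, None)
                self.locked_until.pop(user, None)
                return "ok"
        # Count failures for unknown usernames too, so guessing names is no cheaper
        # than guessing passwords and the response does not reveal which exist.
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.free_attempts:
            delay = min(self.max_delay, self.base_delay * 2 ** (n - self.free_attempts))
            self.locked_until[user] = now + delay
        return "failed"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    for t, guess in enumerate(["guess1", "guess2", "guess3", "guess4"]):
        print(t, svc.login("alice", guess, now=t), "lock:", svc.lock_remaining("alice", t))
```

The lock schedule on its own does not stop a distributed attack that spreads guesses across many accounts below the free-attempt limit; that is the case the fingerprinting and reputation measures above are meant to cover, and why the symptoms section tracks distinct account names per source as well as failures per account.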
Online businesses can also opt for a bot mitigation solution that prevents credential cracking and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats and also ensures real-time protection against malicious bots.
By deploying these methods, you build a more robust defense against credential cracking and other similar security threats.