OWASP Automated Threats

Identify valid login credentials by trying different values for usernames and/or passwords.

What is Credential Cracking?

Brute force, dictionary (word list) and guessing attacks used against the application's authentication process to identify valid account credentials. These attacks may rely on lists of common usernames or passwords, or begin with a username enumeration step that confirms which account names exist before passwords are guessed against them.

The use of stolen credential sets (paired username and passwords) to authenticate at one or more services is OAT-008 Credential Stuffing.

Credential cracking is also known by terms such as brute-force attacks against sign-in, brute forcing log-in credentials, brute-force password cracking, cracking login credentials, password brute-forcing, password cracking, reverse brute force attack, username cracking, username enumeration.


The symptoms of Credential Cracking

  1. Relatively high number of failed login attempts
  2. Many requests containing variations on account name and/or password
  3. Elevated account lock rate
  4. Increased customer complaints of account hijacking through the help center or social media outlets
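The first three symptoms above can be checked directly against an authentication log. The script below is an added example, not InfiSecure's or OWASP's code: it reads a constructed log in an assumed four-column format (timestamp, client IP, username, result) and reports, inside a trailing time window, sources with many failures, accounts with many failures (a brute-force or dictionary attack on one account), sources spreading failures across many distinct usernames (a reverse brute force or username enumeration), and accounts that reached lockout. The thresholds and the window length are illustrative assumptions, not tuning advice.

```python
"""Detect the symptoms of credential cracking in an authentication log.

Added example; not InfiSecure's or OWASP's code. The log format, the
result codes and the thresholds below are assumptions made for illustration.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
#   "<ISO-8601 UTC timestamp> <client IP> <username> <result>"
# result is OK (success), FAIL (bad credentials) or LOCKED (rejected because
# the account is locked). 203.0.113.7 hammers one account, 198.51.100.23 tries
# one guess against many accounts, 192.0.2.10 is a user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 203.0.113.7 alice FAIL
2024-03-01T10:00:01Z 192.0.2.10 heidi FAIL
2024-03-01T10:00:09Z 192.0.2.10 heidi OK
2024-03-01T10:01:00Z 203.0.113.7 alice FAIL
2024-03-01T10:01:01Z 203.0.113.7 alice FAIL
2024-03-01T10:01:02Z 203.0.113.7 alice FAIL
2024-03-01T10:01:03Z 203.0.113.7 alice FAIL
2024-03-01T10:01:04Z 203.0.113.7 alice FAIL
2024-03-01T10:01:05Z 203.0.113.7 alice FAIL
2024-03-01T10:01:06Z 203.0.113.7 alice LOCKED
2024-03-01T10:02:00Z 198.51.100.23 bob FAIL
2024-03-01T10:02:01Z 198.51.100.23 carol FAIL
2024-03-01T10:02:02Z 198.51.100.23 dave FAIL
2024-03-01T10:02:03Z 198.51.100.23 erin FAIL
2024-03-01T10:02:04Z 198.51.100.23 frank FAIL
2024-03-01T10:02:05Z 198.51.100.23 grace FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


class DistinctWindow:
    """Per key, count distinct values seen inside a trailing time window.

    Passing a value that is unique per event (e.g. a sequence number) turns
    this into a plain sliding-window event counter. `peak` remembers the
    largest in-window count ever reached for each key.
    """

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)      # key -> deque of (ts, value)
        self.counts = defaultdict(Counter)    # key -> value -> in-window hits
        self.peak = defaultdict(int)

    def add(self, key, ts, value):
        q, c = self.events[key], self.counts[key]
        q.append((ts, value))
        c[value] += 1
        # Evict everything that fell out of the window ending at ts.
        while q and q[0][0] <= ts - self.window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        self.peak[key] = max(self.peak[key], len(c))
        return len(c)


def analyze(log_text, window=timedelta(minutes=5), max_failures=5, max_users=5):
    """Return the credential-cracking indicators found in log_text.

    Only unsuccessful attempts (FAIL or LOCKED) are counted; a key is flagged
    when its peak in-window count exceeds the given threshold.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_ip, per_user, users_per_ip = (DistinctWindow(window) for _ in range(3))
    locked = set()
    for seq, (ts, ip, user, result) in enumerate(events):
        if result == "OK":
            continue
        if result == "LOCKED":
            locked.add(user)
        per_ip.add(ip, ts, seq)            # failures per source
        per_user.add(user, ts, seq)        # failures per account
        users_per_ip.add(ip, ts, user)     # distinct accounts per source
    return {
        "ip_failures": {k: v for k, v in per_ip.peak.items() if v > max_failures},
        "user_failures": {k: v for k, v in per_user.peak.items() if v > max_failures},
        "reverse_brute_force_sources": {
            k: v for k, v in users_per_ip.peak.items() if v > max_users},
        "locked_accounts": sorted(locked),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The stale 09:00 failure against alice is deliberately outside the five-minute window, so it does not inflate the peak; widening the window (for example to two hours) counts it. In production the same counters would run over a stream rather than a file, and the distinct-username counter is the one that catches the attack the per-account rules miss.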


Sectors targeted by Credential Cracking

  • Education
  • Entertainment
  • Financial
  • Government
  • Health
  • Retail
  • Technology
  • Social Networking


Can InfiSecure prevent Credential Cracking?

InfiSecure's bot engines can stop credential cracking in real time. InfiSecure identifies and restricts automated usage by fingerprinting the client (browser and user agent) for characteristics that distinguish automation from human use, and by applying reputation-based methods to the request source. Such client-side fingerprinting and reputation controls complement, rather than replace, server-side controls on the login endpoint such as rate limiting, account lockout and multi-factor authentication.