The cheat sheet below condenses the key points of the OWASP article on credential stuffing prevention into a table that can be scanned quickly. For further information, please visit OWASP – Credential Stuffing Prevention
| Topic | Key Points |
| --- | --- |
| Multi-Factor Authentication | Use conditional MFA for specific situations (new devices, unusual locations). Consider trusted IP ranges for enterprise apps. Balance security and usability. |
| Alternative Defenses | Tailor defenses to user roles. Strengthen protection for critical roles. Layer defenses for enhanced security. |
| Secondary Passwords, PINs, etc. | Enhance protection with added security questions or PINs. Note that these methods don't replace MFA, but supplement it. |
| CAPTCHA | Enhance security by requiring CAPTCHAs in risky scenarios. Find the right balance between security and user experience. |
| IP Block-listing | Separate per-user failures from brute-force protection. Continuously update block lists from publicly available data sources. Ensure the temporary nature of block-listing to avoid inconveniencing legitimate users. |
| Device Fingerprinting | Prompt for additional authentication if the device fingerprint doesn't match. Be cautious of attackers spoofing client-provided data. |
| Require Unpredictable Usernames | Generate usernames that aren't easily guessable or based on personal info. Prevent attackers from using known usernames. |
| Defense in Depth | Slow down attackers relying on off-the-shelf tools. Focus on a comprehensive security posture to discourage attackers. |
| Multi-Step Login Processes | Require sequential username-password entry. Use CSRF tokens to make attacks more complex. |
| Require JavaScript | Discourage attackers using simple tools. Consider the impact on accessibility, especially for users relying on screen readers. Enhance security against basic POST request attacks. |
| Identifying Leaked Passwords | Prevent use of passwords from breaches. Protect users from reusing compromised passwords. |
| Notify users about security | Notify users of active sessions and their details. Empower users to take appropriate actions. Enhance user security awareness through timely alerts. |
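As an added example (not code from the OWASP cheat sheet or this table), the following Python throttle implements the IP block-listing points above: per-account failures are counted separately from per-IP brute-force protection, an account trips a step-up (MFA/CAPTCHA) check while an IP spraying many accounts gets a temporary block that expires on its own. The thresholds, window and block duration are constructed values for illustration, not OWASP recommendations.

```python
import time
from collections import defaultdict, deque

# Constructed tuning values (assumptions, not OWASP-prescribed numbers).
PER_ACCOUNT_LIMIT = 5     # failures on one account before step-up auth is required
PER_IP_LIMIT = 50         # failures from one IP across *all* accounts before a block
WINDOW_SECONDS = 600      # sliding window for counting failures
IP_BLOCK_SECONDS = 900    # block is temporary so a shared/NAT address recovers


class LoginThrottle:
    """Tracks login failures on two independent axes: per account and per IP."""

    def __init__(self, now=time.time):
        self.now = now                               # injectable clock for testing
        self.account_failures = defaultdict(deque)   # username -> failure timestamps
        self.ip_failures = defaultdict(deque)        # ip -> failure timestamps
        self.ip_blocked_until = {}                   # ip -> expiry of temporary block

    def _prune(self, timestamps, t):
        # Drop failures that fell out of the sliding window.
        while timestamps and timestamps[0] <= t - WINDOW_SECONDS:
            timestamps.popleft()

    def record_failure(self, username, ip):
        t = self.now()
        self.account_failures[username].append(t)
        self.ip_failures[ip].append(t)
        self._prune(self.ip_failures[ip], t)
        # Many failures from one IP across accounts is the credential-stuffing
        # signature; a single account's failures never trigger the IP block alone.
        if len(self.ip_failures[ip]) >= PER_IP_LIMIT:
            self.ip_blocked_until[ip] = t + IP_BLOCK_SECONDS

    def decision(self, username, ip):
        """Return 'block', 'step-up' (require MFA/CAPTCHA) or 'allow'."""
        t = self.now()
        until = self.ip_blocked_until.get(ip)
        if until is not None:
            if t < until:
                return "block"
            del self.ip_blocked_until[ip]             # block has expired
        self._prune(self.account_failures[username], t)
        if len(self.account_failures[username]) >= PER_ACCOUNT_LIMIT:
            return "step-up"
        return "allow"
```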