The cheat sheet below condenses insights extracted from the OWASP article about credential stuffing prevention. This table aims to offer a concise and user-friendly overview that can be swiftly referenced for a quick grasp of key points. For further information, please visit OWASP – Credential Stuffing Prevention
| Topic | Key Security Points |
| Multi-Factor Authentication |
• Implement MFA across the application. • Use conditional MFA for specific situations (new devices, unusual locations). • Consider trusted IP ranges for enterprise apps. • Balance security and usability. |
| Alternative Defenses |
• Implement a combination of defenses. • Tailor defenses to user roles. • Strengthen protection for critical roles. • Layer defenses for enhanced security. |
| Secondary Passwords, PINs, etc. |
• Use secondary factors alongside other methods. • Enhance protection with added security questions or PINs. • Note that these methods don’t replace MFA, but supplement it. |
| CAPTCHA |
• Implement CAPTCHAs for suspicious login attempts. • Enhance security by requiring CAPTCHAs in risky scenarios. • Find the right balance between security and user experience. |
| IP Block-listing |
• Implement temporary IP block-listing for repeated failed attempts. • Separate per-user failures from brute-force protection. • Continuously update block lists from publicly available data sources. • Ensure temporary nature of block-listing to avoid legitimate user inconvenience. |
| Device Fingerprinting |
• Integrate device fingerprinting with other security measures. • Prompt for additional authentication if device fingerprint doesn’t match. • Be cautious of attackers spoofing client-provided data. |
| Require Unpredictable Usernames |
• Require users to create unique usernames during registration. • Generate usernames that aren’t easily guessable or based on personal info. • Prevent attackers from using known usernames. |
| Defense in Depth |
• Employ a layered approach with multiple techniques. • Slow down attackers relying on off-the-shelf tools. • Focus on comprehensive security posture to discourage attackers. |
| Multi-Step Login Processes |
• Introduce additional steps in the login process. • Require sequential username-password entry. • Use CSRF tokens to make attacks more complex. • Discourage attackers using simple tools. |
| Require JavaScript |
• Require attackers to evaluate JavaScript in responses. • Consider impact on accessibility, especially for users relying on screen readers. • Enhance security against basic POST request attacks. |
| Identifying Leaked Passwords |
• Utilize services like Pwned Passwords for proactive password checking. • Prevent use of passwords from breaches. • Protect users from reusing compromised passwords. |
| Notify users about security |
• Set up notifications for suspicious login attempts and failed MFA. • Notify users of active sessions and their details. • Empower users to take appropriate actions. • Enhance user security awareness through timely alerts. |