Skip to content

How to prevent credential stuffing attacks

Written by

Last editedNov 20212 min read

A credential stuffing attack occurs when criminals use automated tools to stuff online forms with stolen credentials. Typically these will be either account login forms or checkout forms. Credential stuffing attacks are a very basic form of cyberattack. They can therefore be easily defeated by some basic security measures. Here is what you need to know.

The mechanics of credential stuffing

Credential stuffing attacks are really the digital equivalent of throwing darts randomly and hoping you hit the bullseye. A criminal will buy a package of stolen data. This could be either username and password combinations or payment data such as credit card details. They will then use automated tools to stuff these into forms, hoping to hit a valid match.

The introduction of 3D Secure (in 2001) made it much harder to undertake credential stuffing attacks on checkout forms for payment cards. It could not, however, protect against criminals attacking account login details and then accessing payment data and/or personal data.

How to detect credential stuffing

To ensure the highest level of protection for your website you should always assume that you are going to be attacked despite your precautions. This means you should always be monitoring for signs of a credential stuffing attack. 

In general, the best way to do this is to use a web applications firewall. WAFs monitor your host for signs of suspicious activity, including repeated failed login attempts. These are not necessarily a sign of a credential stuffing attack. They are, however, definitely a sign that something is potentially wrong and needs to be investigated.

How to prevent credential stuffing

There are several measures you can take to prevent credential stuffing. Ideally, you should use as many as you can. This will layer and strengthen your protection. Here are the main credential stuffing countermeasures you should consider.

Limit authentication requests

A legitimate user may mistype their password once or even twice. They should not, however, mistype it multiple times. It’s therefore both safe and reasonable to limit users to three failed login attempts. After this, you can impose a time-out and/or force them to reset their password.


These can be implemented in several ways. The most common one, however, is to ask the user to tick a box confirming that they are not a bot. Ticking the box gives the service permission to analyse what the user was doing just before ticking the box. This is often enough to tell if the box was ticked by a human or a bot.

Disable autofill

Disabling autofill does go against the conventional wisdom of making it easy for customers to do what you want them to do. On the other hand, it can significantly increase security and this is also appreciated. 

One potential compromise is to allow autofill on some fields but disable it on others. For example, you could autofill the delivery address but not the payment data.

Use multifactor authentication

Multifactor authentication essentially means requiring two or more pieces of information to authenticate the user. One of these pieces of information is usually a password. The other can be one of the following:

  1. The answer to a security question

  2. A one-time security code

  3. Biometric data

The problem with security questions is that they tend to be vulnerable to compromise in the same way as passwords. Biometric data certainly has potential for the future. Right now, however, it’s still working on gaining mainstream acceptance among consumers. Currently, the most popular option by far is the one-time security code.

One-time security codes can be delivered in one of three ways. These are:

  1. Text message

  2. Authenticator app

  3. Dedicated hardware (e.g. RSA token)

Realistically, very few businesses are likely to want to issue dedicated hardware. This leaves text messages and authenticator apps. 

Ideally, you should encourage your customers to use authenticator apps as these are more secure than text messages. Text messages are, however, a lot better than just passwords and they are accessible to people who don’t use smartphones.

We Can Help

If you’d like to learn more about credential stuffing attacks and how to avoid them, get in touch with our financial experts. Find out how GoCardless can help you with ad hoc payments or recurring payments.

Over 85,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.

Get StartedLearn More
Interested in automating the way you get paid? GoCardless can help
Interested in automating the way you get paid? GoCardless can help

Interested in automating the way you get paid? GoCardless can help

Contact sales

Try a better way to collect payments, with GoCardless. It's free to get started.

Try a better way to collect payments

Learn moreSign up