Build fluency in the vocabulary of automated attackers retrying leaked login pairs against a different site.
1 / 5
At standup, a dev mentions attackers taking a leaked list of username-password pairs from one breached site and automatically trying every pair against a login endpoint on a completely different site, hoping some users reused the same password. What is this attack called?
Credential stuffing is exactly this: attackers take a leaked list of username-password pairs from one breached site and automatically try every pair against the login endpoint of a completely different site, relying on how commonly people reuse the same password across multiple services. A hash collision is an unrelated hash-table concept about two keys sharing a bucket. This automated retry at scale is exactly why credential stuffing succeeds even when the target site itself was never breached.
2 / 5
During a design review, the team adds rate limiting and anomaly detection to a login endpoint, specifically because flagging a burst of login attempts using many different usernames from one source catches credential-stuffing attempts before they succeed at scale. Which capability does this provide?
Rate limiting and anomaly detection here provide early detection of automated, large-scale login abuse, since a sudden burst of attempts across many different usernames from one source is a strong signal of credential stuffing rather than normal user behavior. A login endpoint with no rate limiting or anomaly detection at all lets an attacker try as many leaked pairs as they want without any resistance. This burst-detection behavior is exactly why rate limiting and anomaly detection are standard defenses against credential stuffing.
3 / 5
In a code review, a dev notices a login endpoint accepts unlimited attempts from the same source with no rate limiting or anomaly detection, letting a script try thousands of leaked username-password pairs per minute unchecked, instead of flagging that burst pattern as likely credential stuffing. What does this represent?
This is a missed opportunity to detect credential stuffing, since rate limiting and anomaly detection on login bursts would catch this automated abuse instead of letting thousands of attempts through unchecked. A cache eviction policy is an unrelated concept about discarded cache entries. This unlimited-attempts pattern is exactly the kind of gap a reviewer flags once a login endpoint is exposed to the public internet.
4 / 5
An incident report shows thousands of user accounts were compromised overnight, because a login endpoint had no rate limiting or anomaly detection to catch a script trying leaked username-password pairs from an unrelated breach. What practice would prevent this?
Adding rate limiting and anomaly detection on login bursts flags and throttles large-scale automated attempts before they succeed. Continuing to accept unlimited login attempts from any source, no matter how many accounts are compromised overnight, is exactly what caused the mass compromise described in this incident. This burst-detection approach is the standard fix once a login endpoint is confirmed exposed to credential-stuffing attempts.
5 / 5
During a PR review, a teammate asks why the team adds rate limiting and anomaly detection to catch credential stuffing instead of simply requiring a stronger password policy, given that stronger passwords are also a well-known defense. What is the reasoning?
Rate limiting and anomaly detection catch the automated, high-volume attempt pattern regardless of how strong any individual password is, while a stronger password policy only addresses weak passwords and does nothing to stop an attacker trying a leaked, already-strong password reused from another breached site. This is exactly why rate limiting and anomaly detection are the primary defense against credential stuffing, while password policy remains a separate, complementary layer.