Person typing on a cell phone

What is credential cracking?

Cybercriminals use credential cracking to gain access to the lucrative login details of internet portals, online banking services, and internal corporate solutions. The stolen account information can be sold at high prices on the internet.

Sequence of an attack using credential cracking


A definition of credential cracking

In many respects, credential cracking is similar to credential stuffing. With both methods of attack, attackers rely on the use of password lists to gain access to online accounts. While with credential stuffing, however, leaked user/password combinations are tested to find valid logins on a variety of internet services, with credential cracking, the credentials are not yet completely known.

Thus, in credential cracking, attackers may only have a user name for a specific account used for payments. However, they don’t yet know the password. To find the password, online scammers use word and password lists that contain a huge number of the most common passwords. These lists are automatically processed by bots. Once one of the tested passwords works, attackers have full access to the affected account. Furthermore, another method that can lead to success is the brute force method, where bots try out different combinations of random letters or characters as the password for known user names or email addresses.

As with credential stuffing, cybercriminals benefit from the complacency of users who often use the same weak passwords for multiple services on the net. Due to these lax safeguards, brute force can be used to crack credentials with relatively little effort.


How does credential cracking work?

Cybercriminals rely on bots for credential cracking. These automated programs enable lists of passwords to be processed quickly and stealthily. If the attack were carried out manually, it would be relatively easy for system administrators to detect the many login attempts from a single IP address and take action against them. If, instead, an extensive botnet is used for credential cracking, such an attack would no longer be immediately apparent, since bots use different IP addresses and manipulated header data. This methodology enables bots to try out millions of possible logins and passwords in a very short time.

Since the effort involved in credential cracking is usually higher for attackers, this method of attack is mostly used in a targeted attack on a specific account, which attackers hope to profit from greatly. Credential stuffing, on the other hand, focuses more on the watering can principle, where a large number of cracked accounts ensures a high level of income on the darknet.

What are the consequences of credential cracking?

Depending on the extent of the attack, the affected companies can expect far-reaching consequences and high losses. Credential cracking usually targets extremely valuable accounts with wide-ranging access rights, which form a good basis for more extensive cyberattacks, manipulation, and industrial espionage.

Image loss

Affected customers and partners lose confidence in your company and look for alternative products and services from competitors. When in doubt, it takes years to rebuild trust once lost.

Image loss

Affected customers and partners lose confidence in your company and look for alternative products and services from competitors. When in doubt, it takes years to rebuild trust once lost.

Manipulation and espionage

If the stolen accounts are corporate accounts for CRM systems, for example, attackers can manipulate or steal sensitive company data. This misuse can cause lasting harm to companies and businesses.

Person works on a laptop


Which industries are affected by credential cracking?

Credential cracking is possible wherever login options are provided on the internet. However, websites with high volumes of transactions are the most lucrative for cybercriminals. For this reason, the accounts of banks, payment service providers, or even the tourism industry are usually the ones most affected. Attackers also focus on corporate accounts with wide-ranging access rights. Sensitive company data and trade secrets are at stake here.

How can companies protect themselves from credential cracking?

Defending against credential cracking involves the same measures as for credential stuffing. It is thus essential for companies to master a balancing act of security and usability for both cases. For one, wherever possible, complex and strict password security requirements must be introduced. For another, customers and business partners must not be put off by them.

In addition to password specifications and restrictions for common character strings and default passwords, an additional layer of security in the form of two-factor authentication (2FA) is also advisable.

Even if attackers should succeed in cracking the credentials, the account will still be protected by a 2FA code prompt, which can only be unlocked via a code application on the user’s phone or optionally via a code sent by text message code or the like. But even 2FA does not provide complete security. In the past, text message codes for 2FA have often been intercepted.

However, systematic control of bot requests has proven to be an effective means of protection against the misuse of credentials. Any suspicious attempts to access individual accounts can be reliably detected and blocked using bot management.

Myra protects your web services from credential cracking

With Myra Application Security and its integrated Deep Bot Management, Myra Security offers an upstream protection instance that protects web applications from credential cracking. High-performance Myra technology monitors, analyzes, and filters malicious internet traffic before virtual attacks cause any real damage.

About Myra Application Security