[Owasp-leaders] https://www.owasp.org/index.php/Credential_stuffing

Rogan Dawes rogan at dawes.za.net
Tue Sep 20 18:02:44 UTC 2016


How you deal with mismatches is also a major consideration.

1. If you are performing complex device fingerprinting, using many
variables, then more severe actions might be taken, such as locking the
account.

2. Using simple fingerprinting, with maybe 2 or 3 variables would require
that less stringent actions be taken, due to its higher likelihood of a
false positive. In this case, maybe the source IP is blocked if it attempts
more than 3 user IDs.

I think you may have this backwards, or alternatively, there are multiple
interpretations. At the very least, I think it needs to be clarified
substantially.

For example, 1. is missing under what circumstances action should be taken.
When the match fails, or succeeds? What sort of data points are to be
compared or recorded?

It seems to me that the more data points you compare on, the more likely
you are to get false positives. For example, the user upgrades their
browser, and the ua string changes accordingly, do we lock their account?


Rogan
On Tue, 20 Sep 2016 at 6:39 PM Brad Causey <bradcausey at owasp.org> wrote:

> Great discussion so far.
>
> Would you folks mind taking a look over this and providing feedback?
>
> I intend to provide more detail on each subject, but first I figured we
> could agree on the primary defenses.
>
> https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
>
>
>
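As an added illustration of the two mismatch-handling tiers debated above (this is example code written for this archive page, not code from the thread, from OWASP, or from the cheat sheet), the following Python model scores a stored device fingerprint against an observed one, lets the permitted severity of the response grow with the number of signals actually compared, treats a version-only user-agent change as a match so a routine browser upgrade does not lock anyone out, and blocks a source IP that tries more than 3 distinct user IDs. The signal names, weights, thresholds, action names and sample fingerprints are all assumptions chosen for illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Assumed signals and weights (illustrative; not from the cheat sheet).
# The user-agent string carries the lowest weight because it changes on
# every routine browser upgrade, the false positive raised in the thread.
SIGNAL_WEIGHTS = {
    "ua": 1,
    "accept_language": 1,
    "timezone": 2,
    "screen": 2,
    "platform": 3,
    "ip_asn": 3,
}

_UA_VERSION = re.compile(r"\d+(?:\.\d+)*")


def ua_equivalent(old: str, new: str) -> bool:
    """Treat two UA strings as the same browser when only version numbers differ."""
    return _UA_VERSION.sub("#", old) == _UA_VERSION.sub("#", new)


def mismatch_score(stored: dict, observed: dict) -> tuple[int, int]:
    """Return (weighted mismatch score, number of signals actually compared).

    A signal missing on either side is skipped, so a data point that was
    never recorded can never count against the user.
    """
    score = 0
    compared = 0
    for name, weight in SIGNAL_WEIGHTS.items():
        if name not in stored or name not in observed:
            continue
        compared += 1
        if name == "ua" and ua_equivalent(stored[name], observed[name]):
            continue
        if stored[name] != observed[name]:
            score += weight
    return score, compared


def decide(score: int, compared: int) -> str:
    """Map a score to an action; allowed severity grows with fingerprint richness.

    Simple fingerprint (3 or fewer signals): at most a step-up (MFA/CAPTCHA).
    Rich fingerprint (4 or more signals): may lock the account on a heavy mismatch.
    """
    if compared <= 3:
        return "step_up" if score >= 2 else "allow"
    if score >= 6:
        return "lock_account"
    if score >= 3:
        return "step_up"
    return "allow"


class SourceIpTracker:
    """Per-IP set of distinct user IDs attempted; blocks once the limit is exceeded."""

    def __init__(self, max_user_ids: int = 3):
        self.max_user_ids = max_user_ids
        self._seen: dict[str, set[str]] = defaultdict(set)

    def record(self, ip: str, user_id: str) -> str:
        self._seen[ip].add(user_id)
        return "block_ip" if len(self._seen[ip]) > self.max_user_ids else "allow"


def evaluate_login(stored: dict, observed: dict, tracker: SourceIpTracker,
                   ip: str, user_id: str) -> str:
    """Run the cheap per-IP check first, then the fingerprint decision."""
    ip_action = tracker.record(ip, user_id)
    if ip_action != "allow":
        return ip_action
    return decide(*mismatch_score(stored, observed))


# Constructed sample fingerprints (not real data).
STORED = {
    "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0",
    "accept_language": "en-ZA,en;q=0.8",
    "timezone": "Africa/Johannesburg",
    "screen": "1920x1080",
    "platform": "Linux x86_64",
    "ip_asn": "AS64500",
}
UPGRADED_BROWSER = dict(STORED, ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0")
FOREIGN_DEVICE = {
    "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0",
    "accept_language": "ru-RU,ru;q=0.8",
    "timezone": "Europe/Moscow",
    "screen": "1366x768",
    "platform": "Win32",
    "ip_asn": "AS64501",
}

if __name__ == "__main__":
    tracker = SourceIpTracker(max_user_ids=3)
    print(evaluate_login(STORED, UPGRADED_BROWSER, tracker, "198.51.100.7", "alice"))  # allow
    print(evaluate_login(STORED, FOREIGN_DEVICE, tracker, "198.51.100.7", "alice"))    # lock_account
    for uid in ("bob", "carol", "dave", "erin"):
        print(uid, evaluate_login(STORED, STORED, tracker, "203.0.113.9", uid))  # 4th is block_ip
```

The two knobs that answer Rogan's questions are explicit here: `compared` records which data points were actually present on both sides, and `decide` refuses to lock an account when fewer than four signals were compared, so the thin fingerprint of tier 2 can only ever escalate to a step-up while the IP counter handles the many-user-IDs pattern independently.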