How to prevent credential stuffing (without wrecking your login UX)

Credential stuffing: the attack your login endpoint attracts

Credential stuffing is the automated injection of stolen username/password pairs into your login form to take over accounts at scale (OWASP). It works because people reuse passwords, and attackers can buy or trade breach dumps, then try them against your product with bots.

For product owners, it shows up as higher support tickets, unexpected fraud, and noisy analytics. For developers, it’s the slow creep from “a few failed logins” to “why is POST /login our hottest endpoint?”

Credential stuffing vs brute force (so you choose the right defences)

Credential stuffing is not “guessing” passwords. The attacker already has candidate credentials; they’re testing them cheaply and quickly.

That distinction matters because the winning bot usually isn’t the loudest. It’s the one that looks human-ish, spreads attempts across IPs, and keeps its success rate just high enough to be profitable.

The practical goal: prevent credential stuffing without wrecking login UX

You want two things at once:

1. Make automated logins expensive (slow, difficult, and measurable)
2. Keep real users moving (minimal friction on normal sign-ins)

The most reliable approach is a layered system: throttle, detect patterns, and step up only when risk is high.

A model that works: Detect → Decide → Respond

Use a simple loop you can tune from real traffic:

1. Detect signals (velocity, failures, IP/network risk, device changes, behavioural oddities).
2. Decide a risk outcome for this attempt.
3. Respond with Allow / Step-up / Throttle / Block.

This keeps product and engineering aligned: you’re not “adding a CAPTCHA”, you’re operating a decisioning system.

Rate limiting: do it per account and per network

NIST calls for a rate-limiting mechanism to constrain failed authentication attempts (NIST SP 800-63B). That’s table stakes, but it only helps if you apply it in the right places.

Aim for layered counters:

1. Per account identifier (email/username): catches distributed attacks rotating IPs
2. Per IP + subnet/ASN: catches bursts from a single network
3. Per device/session (when available): reduces “bot swarm” effectiveness

Concrete example policy:

1. POST /login: max 10 attempts/min/IP
2. Per account: max 5 failed attempts/15 min
3. After each failure: add backoff (0s → 2s → 5s → 15s)

This makes credential stuffing slower without instantly locking out legitimate users who simply mistype a password.

Detect the “shape” of credential stuffing (not just individual failures)

Credential stuffing has patterns you can spot across traffic:

1. Low success rate across many accounts (lots of tries, few wins)
2. Credential re-use bursts (same password tried against many usernames)
3. High fan-out from data-centre networks or suspicious ASNs
4. Normal-looking single attempts that become “normal-looking thousands”

OWASP’s cheat sheet recommends combining controls like throttling, bot detection, and step-up challenges rather than relying on a single barrier (OWASP Credential Stuffing Prevention Cheat Sheet).

Step-up verification: challenge only when it’s suspicious

If you challenge everyone, you’ll pay for it in conversion and complaints. Instead, trigger step-up when signals stack.

Useful step-up triggers:

1. 3–5 failed attempts on the same account in a short window
2. New device + unusual geo/time-of-day
3. Known risky network / automated fingerprints
4. Spraying/stuffing pattern detected across many accounts

Then respond clearly:

1. Step-up: require human verification (or MFA) and retry
2. Throttle: slow the actor down while keeping the endpoint stable
3. Block: when automation is obvious

Make MFA/passkeys the exit ramp

Credential stuffing feeds on passwords. The long-term fix is reducing how often a password alone can succeed.

OWASP notes MFA is one of the best defences against password-based attacks, including credential stuffing (OWASP MFA Cheat Sheet). UK guidance also emphasises technical controls over expecting users to invent “complex” passwords (NCSC password policy).

Practical product pattern:

1. If an account repeatedly triggers step-up: nudge enabling MFA/passkeys
2. If a login is high risk: require MFA, not “try again”

Optional: a “ship this sprint” playbook

If you need a starting point you can implement and tune:

1. Allow: known device/session + normal velocity
2. Step-up: ≥3 failures/10 min/account, or new device on a risky network
3. Throttle: exponential backoff on failures + per-account cap
4. Block: stuffing patterns (low success rate across many accounts) or clear automation

This gives you quick protection now, while keeping room for smarter decisions later.

Don’t forget adjacent endpoints (attackers love the side doors)

Credential stuffing pressure often spills into:

1. POST /password/reset
2. POST /otp/send / POST /mfa/start
3. Account recovery and email/phone verification

Apply the same Detect → Decide → Respond model to these endpoints, and rate-limit them separately (they’re a favourite for both fraud and operational disruption).

What to measure (so you know you’re actually preventing credential stuffing)

Track outcomes, not vibes:

1. Failed logins per account (p95/p99)
2. Step-up rate and pass rate
3. Login success rate (overall + by segment)
4. Time-to-login (p95)
5. Confirmed account takeovers/week
6. Infrastructure cost of auth endpoints during attacks

If step-up goes up but ATOs don’t go down, your triggers are wrong. If ATOs drop but time-to-login spikes, you’re over-challenging humans.

Where Humans Only fits

Humans Only is built for credential stuffing protection on high-value endpoints like login and password reset: fast (typically under 2 seconds), privacy-first (zero tracking), and simple to integrate.

You use Humans Only as a human verification and decisioning layer: most users pass straight through, while suspicious traffic gets stepped up, throttled, or blocked with clear analytics.

If you’re ready to prevent credential stuffing without turning sign-in into a side quest, Humans Only helps you Stop Bots, Welcome Humans.