SECURITY · June 29, 2025 · 8 min read

Credential Stuffing Prevention: What Actually Works in 2025

Credential stuffing used 3.5 billion stolen credentials last year. Rate limiting alone does not stop it. Here is what actually works.

Why credential stuffing is a volume game

Credential stuffing works because most people reuse passwords. After a breach of site A, attackers take those email/password pairs and replay them automatically against sites B, C, and D. Success rates are low, typically 0.1% to 2%, but against a list of 100 million credentials a 1% success rate means a million account takeovers. The economics work at scale even with low success rates, which is why the defences below aim to break the volume rather than to catch individual attempts.

What doesn't work (well)

CAPTCHA alone: Modern CAPTCHA solving services cost less than $1 per 1,000 solves. Attackers factor this in. CAPTCHAs slow them down but don't stop them.

IP blocking alone: Credential stuffing attacks use residential proxy networks with millions of IPs. Blocking individual IPs is a game of whack-a-mole. Blocking entire IP ranges causes collateral damage to legitimate users.

Rate limiting per IP: Proxy rotation defeats per-IP rate limits. A distributed attack spreads its attempts across thousands of IPs so that each one stays below any per-IP threshold while the aggregate volume against your login endpoint is enormous. Per-IP limits still belong in the stack (they stop the lazy attacker), but they are not the control that stops stuffing.

What actually works

Multi-factor authentication: A valid username/password pair alone gets a credential stuffer nothing if a second factor is required, which makes MFA the single most effective control. TOTP codes work well here because they never appear in breach dumps and expire within seconds, so a bot holding only a reused password cannot supply one. Two caveats: an MFA prompt still confirms to the attacker that the password was correct, so log and alert on "password accepted, second factor not completed" events as a stuffing indicator and force a reset for those accounts; and prefer phishing-resistant factors over SMS or push approval, which can be intercepted or fatigued in follow-on attacks.

Breached password checking at login: Check the submitted password against the Have I Been Pwned Pwned Passwords API during authentication. The API uses k-anonymity: your server sends only the first five hex characters of the password's SHA-1 hash and receives every known suffix in that range with its breach count, so the password itself never leaves your system. Note that it reports whether the password appears in breach corpora, not whether that specific email/password pair does. If a login succeeds with a breached password, force a reset before issuing a session; a burst of failed logins that all use breached passwords is itself a strong stuffing signal. NIST SP 800-63B requires verifiers to screen memorized secrets against lists of known-compromised values when they are set or changed; running the same check at login extends that protection to passwords chosen before the policy existed.
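The following is an added example written for this article, not code from PassGeni or from Have I Been Pwned. It implements the k-anonymity lookup described above against the real Pwned Passwords range endpoint, plus the login decision that follows from the result. The API response used here is a constructed stand-in (only the suffix for "password" is the genuine SHA-1 tail; the counts and padding lines are made up) so that the example runs offline; the live fetcher is what production code would use instead.

```python
"""k-anonymity check against the Pwned Passwords range API (added example)."""
import hashlib
import urllib.request
from typing import Callable

# Real endpoint of the Pwned Passwords range API. Only the first five hex
# characters of the SHA-1 ever leave the server performing the check.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Each response line is '<35-hex-suffix>:<count>'. Return the count for the
    matching suffix, or 0 if absent (padding entries, if requested, have count 0)."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach corpus; 0 means not seen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix), suffix)


def fetch_range_live(prefix: str) -> str:
    """Production fetcher: one HTTPS request per login attempt. The Add-Padding
    header makes every response a similar size, so a network observer cannot
    infer which prefix was queried from the response length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-login-check"},
    )
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.read().decode("utf-8")


def login_decision(password_ok: bool, breach_count: int) -> str:
    """Policy from the article: a failed login is denied with no hint about the
    breach status (that would hand the attacker an oracle); a successful login
    with a breached password must reset before a session is issued."""
    if not password_ok:
        return "deny"
    if breach_count > 0:
        return "force_reset"
    return "allow"


# Constructed stand-in for an API response (not a real capture). The middle line
# carries the genuine SHA-1 suffix of "password"; the other two are padding-style
# entries with count 0 and the breach count is illustrative.
KNOWN_SUFFIX = "1E4C9B93F3F0682250B6CF8331B7EE68FD8"
CONSTRUCTED_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:0",
    f"{KNOWN_SUFFIX}:3861493",
    "1E5C7AE2BAD1B1F9DCD9E1D9DED3F00D1AA:0",
])


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher for the demonstration; ignores the prefix."""
    return CONSTRUCTED_BODY


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2025!"):
        n = pwned_count(pw, fetch_range_offline)
        print(f"{pw!r}: seen {n} times -> {login_decision(True, n)}")
```

Two operational points: decide in advance what happens when the range API times out (most teams fail open on the breach check and log the outage, since failing closed turns a third-party incident into your own login outage), and run the lookup only after the password has been verified or rejected locally, so the extra round trip never changes the timing of a failed attempt in a way that leaks information.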

Behavioural anomaly detection: Flag authentication attempts that deviate from a user's established pattern (unusual geolocation, new device, unusual time of day, impossible-travel velocity) and require step-up authentication for flagged logins. Watch the aggregate as well as the individual account: a surge of failures spread across many distinct usernames and many IPs, including usernames that do not exist on your system, is the signature of distributed stuffing even when no single IP ever exceeds a rate limit.
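To make the aggregate signal concrete, here is an added example (written for this article, not PassGeni code) that runs a simple window-level stuffing detector over a constructed authentication log. The log format (ip=, user=, result=, reason= fields) is assumed, the IPs are documentation ranges, and the thresholds are illustrative. It also computes what a classic per-IP limiter would have blocked in the same window, which shows the point made under "Rate limiting per IP": the distributed attack never trips it.

```python
"""Distributed credential-stuffing detector over an auth log (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample log, not captured from any real system. One legitimate
# user (alice) mistypes once and then succeeds; twelve other attempts arrive in
# the same minute, each from a different proxy IP against a different account.
SAMPLE_LOG = """\
2025-06-29T10:00:01Z ip=203.0.113.10 user=alice result=fail reason=bad_password
2025-06-29T10:00:05Z ip=203.0.113.10 user=alice result=success
2025-06-29T10:00:07Z ip=198.51.100.21 user=brian result=fail reason=bad_password
2025-06-29T10:00:09Z ip=198.51.100.22 user=carol result=fail reason=bad_password
2025-06-29T10:00:11Z ip=198.51.100.23 user=dpatel result=fail reason=unknown_user
2025-06-29T10:00:14Z ip=198.51.100.24 user=erin result=fail reason=bad_password
2025-06-29T10:00:16Z ip=198.51.100.25 user=frank99 result=fail reason=unknown_user
2025-06-29T10:00:19Z ip=198.51.100.26 user=grace result=fail reason=bad_password
2025-06-29T10:00:22Z ip=198.51.100.27 user=heidi result=fail reason=bad_password
2025-06-29T10:00:25Z ip=198.51.100.28 user=ivan_k result=fail reason=unknown_user
2025-06-29T10:00:28Z ip=198.51.100.29 user=judy result=fail reason=bad_password
2025-06-29T10:00:31Z ip=198.51.100.30 user=mallory result=fail reason=bad_password
2025-06-29T10:00:35Z ip=198.51.100.31 user=oscar result=fail reason=bad_password
2025-06-29T10:00:40Z ip=198.51.100.32 user=peggy2 result=fail reason=unknown_user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool
    reason: Optional[str]


def parse_log(text: str) -> list[AuthEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, m["ip"], m["user"], m["result"] == "success", m["reason"]))
    return events


def bucket_by_window(events: list[AuthEvent], seconds: int = 60) -> dict[int, list[AuthEvent]]:
    """Group events into fixed windows keyed by the window's start epoch second."""
    windows: dict[int, list[AuthEvent]] = defaultdict(list)
    for e in events:
        windows[int(e.ts.timestamp()) // seconds * seconds].append(e)
    return dict(windows)


def summarize(events: list[AuthEvent]) -> dict:
    """Aggregate signals for one window. Spread = distinct values / failures."""
    failures = [e for e in events if not e.ok]
    n_fail = len(failures)
    return {
        "attempts": len(events),
        "failures": n_fail,
        "unknown_user_failures": sum(1 for e in failures if e.reason == "unknown_user"),
        "user_spread": len({e.user for e in failures}) / n_fail if n_fail else 0.0,
        "ip_spread": len({e.ip for e in failures}) / n_fail if n_fail else 0.0,
        "max_attempts_per_ip": max(Counter(e.ip for e in events).values(), default=0),
    }


def per_ip_rate_limit_hits(events: list[AuthEvent], limit: int = 5) -> set[str]:
    """IPs a classic per-IP limiter (more than `limit` attempts per window) would block."""
    return {ip for ip, n in Counter(e.ip for e in events).items() if n > limit}


def is_stuffing(stats: dict, min_failures: int = 10, min_spread: float = 0.8) -> bool:
    """Many failures spread across many accounts AND many IPs in one window.
    One user fat-fingering a password has failures but user_spread near 0;
    a brute force on a single account has high ip_spread but low user_spread."""
    return (stats["failures"] >= min_failures
            and stats["user_spread"] >= min_spread
            and stats["ip_spread"] >= min_spread)


def detect(text: str) -> dict[int, dict]:
    """Return {window_start_epoch: stats} for every window that looks like stuffing."""
    return {start: summarize(evts)
            for start, evts in bucket_by_window(parse_log(text)).items()
            if is_stuffing(summarize(evts))}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-IP limiter (5/min) would block:", per_ip_rate_limit_hits(events) or "nothing")
    for start, stats in detect(SAMPLE_LOG).items():
        print("stuffing window at", datetime.fromtimestamp(start, timezone.utc), stats)
```

In the constructed window the per-IP limiter blocks nothing (the busiest IP is alice's, with two attempts), while the window-level detector fires on 13 failures with both spreads at 1.0 and four attempts against accounts that do not exist. In production, feed the same statistics into the response that the article recommends: raise the step-up requirement for every login during a flagged window rather than waiting for a per-account anomaly.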

Passkey / FIDO2 adoption: Credential stuffing requires a password to stuff. Passkeys eliminate passwords from the authentication flow entirely. Not yet universally supported, but adoption is accelerating.

Use PassGeni's Breach Checker to verify whether your credentials appear in known datasets before attackers do.

Key topics
credential stuffing prevention · bot detection · MFA · breached password check · rate limiting
Frequently asked questions


Does rate limiting stop credential stuffing?


How do I check if my site is being targeted by credential stuffing?


What is the most effective single measure against credential stuffing?
