Credential Theft: How It Works and How to Mitigate It

Written by Mike Ranellone on October 27, 2019


In the spirit of National Cybersecurity Awareness Month, we’re running a three-part series on how to shore up identity security and help prevent a data breach. In our first post below, we’ll take a look at how credential theft really works and how to combat it. Stay tuned for guidelines on controlling broad permissions, plus how to increase security with cloud-based software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) solutions whenever possible.

Although cyberattacks have evolved in their targeting methods and external appearances, they often exploit a familiar set of organizational vulnerabilities. The National Institute of Standards and Technology (NIST) confirms that many data breaches and other cybersecurity failures trace back to a “relatively small number of root causes.” [1] Given the relatively predictable patterns in these attacks, cybersecurity professionals often find themselves surprised when yet another garden-variety threat makes news by succeeding with a massive data breach. In these scenarios, hindsight tends to reveal that the attack could’ve been prevented if the affected organization(s) had more carefully followed standard security hygiene practices like patching operating systems and apps or protecting identities by adding multi-factor authentication (MFA).

Beyond timely installation of security patches, identity security best practices constitute another common missed opportunity and represent one of the most important steps toward preventing a compromise. Cyberattacks that have the power to breach data centers and destroy assets sometimes use stolen credentials to access and traverse a secure environment, so it’s crucial to reinforce authentication systems wherever possible. With a better understanding of how credential theft works, we can determine which precautions will be most effective at mitigating it. 

Common Credential Theft Techniques 

It’s a common misconception that enforcing password length and complexity requirements will do enough to keep credentials secure. A closer look at how credential theft works in practice, though, helps to underscore how password length and complexity alone are often insufficient protection against an attack. In fact, almost all effective methods of credential theft (other than password spray and brute force cracking) involve stealing the user’s exact password rather than randomly guessing it. Modern ransomware often scrapes passwords from data sets it has captured, and research has found 12 million corporate credentials are for sale on at least 20 dark web marketplaces. [2]

Methods for stealing and utilizing credentials can be more complex than the easily spotted phishing scams of yesteryear. Modern “spear” phishing attacks sometimes deploy enough personal information and context to make even a wary user think a request for credentials is legitimate. Along with phishing and list cleaning via ransomware, keystroke logging, in which malware virtually watches a user type in their password, is another method of credential theft that works regardless of password complexity. [3]

An organization’s resources can be compromised by credential theft even if those resources haven’t been directly targeted and harvested. This can happen if a user shares a password (or slightly different versions of the same password) across a variety of accounts. Their credentials might be well-protected at work, but they could be stolen from a less-secure personal account and used in an attack later. 

To a degree, password complexity does help to combat brute force attacks, the credential theft technique in which a series of possible passwords is tested on a list of known usernames. But because modern authentication systems lock after more than a few incorrect login attempts, attackers can only try a handful of password guesses for each account. They succeed when they stumble upon an account whose extremely simple and popular password matches their lucky guess. With this in mind, we can say that increasing password complexity beyond a bare-minimum baseline offers diminishing returns.
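Because this pattern stays under the per-account lockout limit, lockout counters alone will not surface it; the signal is one source failing against many accounts, a few times each. The Python sketch below is an added example, not part of the original article, and it assumes a simple constructed log format (`timestamp RESULT user=… src=…`), hypothetical function names, and illustrative thresholds. It flags such sources and lists any successful logins from them, which are the accounts to reset first.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events; the log format and addresses are assumptions.
SAMPLE_LOG = """\
2019-10-18T09:00:01Z FAIL user=alice src=203.0.113.7
2019-10-18T09:00:03Z FAIL user=bob src=203.0.113.7
2019-10-18T09:00:04Z FAIL user=frank src=198.51.100.20
2019-10-18T09:00:05Z FAIL user=carol src=203.0.113.7
2019-10-18T09:00:09Z FAIL user=frank src=198.51.100.20
2019-10-18T09:00:11Z FAIL user=dave src=203.0.113.7
2019-10-18T09:00:17Z OK user=erin src=203.0.113.7
2019-10-18T09:01:02Z FAIL user=grace src=192.0.2.9
2019-10-18T09:01:10Z OK user=grace src=192.0.2.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log):
    """Return (timestamp, result, user, source) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=4, max_per_user=3):
    """Flag sources failing against many accounts while staying under the lockout limit."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    findings = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            per_user = Counter(user for _, user in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = sorted(set(findings.get(src, [])) | set(per_user))
    return findings

def successes_from(events, sources):
    """Successful logins from flagged sources: accounts to reset and review first."""
    return sorted({(src, user) for _, result, user, src in events
                   if result == "OK" and src in sources})
```

In the sample, the repeated failures for `frank` are ordinary mistyping against a single account and are left to the lockout policy, while the source that touched four accounts once each is flagged.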

Combatting Credential Theft  

Advanced email and browser protections can go a long way toward preventing credential theft and minimizing the value of stolen credentials to attackers. A single sign-on (SSO) solution, for example, means users only have to keep track of one set of credentials that grant them access to email and web apps. Combined with education about the dangers of password sharing, SSO helps reduce the likelihood that end users will compromise password security for the sake of convenience. 

Multi-factor authentication (MFA), in turn, helps to render stolen credentials useless. Because MFA requires a user to enter a second form of identification for access, often a temporary code sent securely to a separate device like the user’s smartphone, a stolen password on its own isn’t enough to breach an account. Enabling MFA in every possible instance may be the single most effective action IT departments can take to combat credential theft. 

Beyond email and browser precautions, IT admins should also check on existing network controls. On-prem WiFi access should be secured with an up-to-date RADIUS server, and each user should access the internet with individual credentials rather than a communally shared password. The same password standards apply for on-site file storage and other LAN resources. 

Streamlined Identity Security 

Combining the above measures into one streamlined identity solution could save your IT team a significant amount of time and manual labor, not to mention the smiles of relief you’ll see on employees’ faces when the next big wave of cyberattacks skips your organization on its way to the news cycle. Learn more about how JumpCloud can automate MFA deployment and help fight credential theft.   


  1. “Critical Cybersecurity Hygiene: Patching the Enterprise.” National Institute of Standards and Technology. Accessed Oct. 18, 2019.
  2. Simos, Mark and Jim Moeller. “Mitigating Rapid Cyberattacks (Petya, WannaCrypt, and Similar).” Microsoft. PowerPoint Slide Deck. Accessed Oct. 18, 2019.
  3. Weinert, Alex. “Your Pa$$word Doesn’t Matter.” Microsoft Tech Community. Aug. 9, 2019.     