What the Heck is Credential Stuffing?

Mar 19, 2021 | Security Products and Services | 0 comments

How many passwords do you use? 1? 2? 5?

Most people use a small number of passwords over and over again. Some people have a single password for every site they visit: email, banking, the Canada Revenue Agency, social media, dating sites, everything.

It’s easy to remember and manage, but it’s also like a house of cards ready to fall.

Credential stuffing is a very lucrative business for hackers. Let’s pretend that one of your accounts on any one of your sites gets breached: an online merchant, the fitness app on your phone, that website you can’t even remember because you haven’t visited it in 5 years. The hacker now has your password, and probably your email address too, because that’s what we use as our username on almost every account these days. Worried yet? Probably not, but you should be.

Now let’s assume the hacker has an automated program that takes your email address and password and tries that same pair against thousands of different sites in the next 10 minutes: Facebook, Twitter, all the Canadian banks, email providers, Amazon, Fitbit, the list goes on. Every site where you reused that password is now open to them. Now you’re probably worried.

This is Credential Stuffing 101: once one company’s customer database is breached, attackers try those same email and password pairs against hundreds of other sites and keep note of which ones let them in. Those verified logins are then sold on the dark web. If you think you might be one of these people, there is an easy way to find out.
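From the defender’s side, the attack described above has a recognizable shape in a site’s login log: one source hitting many different accounts in a short time with mostly failures, quite unlike a real user who mistypes their own password. The following is an added example, not code from this post or from any product; the log lines are constructed for illustration, and the field layout (timestamp, source IP, username, result) and the thresholds are assumptions.

```python
"""Spotting credential stuffing in a login log.

This is an added example, not code from the original post or from any
product. The log lines are constructed for illustration and the field
layout (timestamp, source IP, username, result) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 walks a leaked list of email/password
# pairs through our login page, hitting a different account each time and
# mostly failing. 10.0.0.7 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2021-03-19T10:00:01Z 203.0.113.5 alice@example.com FAIL
2021-03-19T10:00:02Z 203.0.113.5 bob@example.com FAIL
2021-03-19T10:00:02Z 203.0.113.5 carol@example.com SUCCESS
2021-03-19T10:00:03Z 203.0.113.5 dave@example.com FAIL
2021-03-19T10:00:03Z 203.0.113.5 erin@example.com FAIL
2021-03-19T10:00:04Z 203.0.113.5 frank@example.com FAIL
2021-03-19T10:00:05Z 203.0.113.5 grace@example.com SUCCESS
2021-03-19T10:00:06Z 203.0.113.5 heidi@example.com FAIL
2021-03-19T10:00:10Z 10.0.0.7 ivan@example.com FAIL
2021-03-19T10:00:25Z 10.0.0.7 ivan@example.com SUCCESS
"""


def parse_line(line):
    """'<iso timestamp> <ip> <username> <SUCCESS|FAIL>' -> (datetime, ip, user, ok)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that look like credential stuffing.

    The signature is many *distinct* usernames from one source inside
    `window` with a low success rate. Brute force on a single account
    (one user, many passwords) would not trip this check, and the
    thresholds are illustrative, not tuned for any real site.
    """
    events = sorted(parse_line(l) for l in log_text.strip().splitlines())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so attempts[start:end+1] spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) < min_accounts:
                continue
            hits = [u for _, u, ok in chunk if ok]
            if len(hits) / len(chunk) > max_success_rate:
                continue
            summary = {
                "accounts_tried": len(users),
                "attempts": len(chunk),
                # The successes are the "verified logins" an attacker resells;
                # these accounts need a forced password reset.
                "compromised": sorted(set(hits)),
            }
            if best is None or summary["accounts_tried"] > best["accounts_tried"]:
                best = summary
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The important output is the `compromised` list: those are the reused passwords that worked, which is exactly what gets sold on, so they need a forced reset rather than just a block on the source IP (real campaigns spread their attempts across thousands of addresses).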

But what can you do to prevent Credential Stuffing? No one can remember hundreds of different passwords, right?

There are a couple of solutions to protect your identity, your bank account, and your life.

  1. There are people who use a mental combination of factors to create a new password for every site. These people are few and far between, and once two or three of their passwords leak, the pattern is usually easy to guess.
  2. Turn on Two Factor Authentication (2FA), sometimes called Multi-factor Authentication (MFA), on every account where it is available. This way you need to provide 2 answers to get into a system, so a stolen password on its own is not enough. Security questions that follow your login (the name of your first pet, your mother’s maiden name) are the weak kind: they are just another thing you know, and often something a stranger can look up. Stronger options send a verification code to your cell phone, or better still generate one in an authenticator app or a hardware security key. That way you not only know your password but you have your phone (which a hacker shouldn’t unless you left your phone unlocked on a chair at Starbucks).
  3. Use a Password Safe. Chrome and other browsers include a password safe, but you can also get a standalone password safe that works with any browser and any device and which you can share with your family to store your Netflix code or recover your financial accounts if someone is in the hospital. Password safes work because:
    1. They generate long random passwords that are strong and different for every single site you have an account on, so a breach at one site gives the hacker nothing that works anywhere else.
    2. They only require you to remember one master password to unlock the safe’s vault. You only need it when you first open a browser or reboot your machine, or (if you want) after a certain time window or when you unlock your device.
    3. Your passwords are encrypted with a key derived from your master password and are safely stored both in the cloud and on your device. Without the master password there is no way to unlock your vault, not even for the company that runs the service (so never forget your master password).
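To make those three points concrete, here is a miniature password safe as an added example. It is not the code of LastPass or any other product, and it sticks to the Python standard library, so two pieces are stand-ins and labelled as such: PBKDF2-HMAC-SHA256 stretches the master password (a real vault would prefer scrypt or Argon2), and an HMAC-SHA256 keystream with an HMAC tag takes the place of the AES-GCM a real vault would use. The vault layout (salt, nonce, ciphertext, tag) and all function names are this example’s own choices.

```python
"""A miniature password safe, showing the three points above.

Added example, not the code of LastPass or any other product. It uses only
the Python standard library, so two things are simplified and labelled as
such: PBKDF2-HMAC-SHA256 stretches the master password (a real vault would
prefer scrypt or Argon2), and an HMAC-SHA256 keystream with an HMAC tag
stands in for the AES-GCM a real vault would use. The vault layout
(salt || nonce || ciphertext || tag) is this example's own choice.
"""
import hashlib
import hmac
import json
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 200_000  # deliberately slow: every guess at the master password costs this much


def generate_password(length=20):
    """A fresh random password per site from the OS CSPRNG, so no two sites share one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 as the PRF (teaching stand-in for AES-CTR)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def lock_vault(entries, master_password):
    """Encrypt {site: password} under the master password; returns the opaque vault blob."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag covers everything the unlocker will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(blob, master_password):
    """Decrypt the blob. A wrong master password fails the tag check, so the only
    attack left is guessing the master password through the slow derivation."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


if __name__ == "__main__":
    vault = {site: generate_password() for site in ("bank.example", "mail.example", "netflix.example")}
    blob = lock_vault(vault, "correct horse battery staple")
    print(unlock_vault(blob, "correct horse battery staple") == vault)
    try:
        unlock_vault(blob, "wrong master password")
    except ValueError as e:
        print("unlock refused:", e)
```

Two things to notice: the random salt means two users with the same master password still get different keys and different blobs, and the blob carries no password-reset path at all, which is why forgetting the master password really does mean losing the vault.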

LastPass is a popular safe with additional features and has an enterprise option for use across an entire company (for example, your work login can also unlock your vault).
