Every security professional knows that we need strong and unique passwords for each of our accounts. But why do they have to be unique? One reason is credential stuffing.
It works like this: you have an old account at Example.com that you created some time in 2006 and have since forgotten about. However, you kept using the same username and password across a bunch of your other accounts. Example.com suffers a data breach somewhere along the road, and your Example.com username and password end up on a darknet marketplace alongside the other customer records.
Some people may think that it’s not a big deal if such an old account becomes compromised. After all, much of the information is probably outdated by now. However, hackers can buy whole databases of usernames and passwords. Even if the Example.com accounts aren’t particularly valuable, the hackers can rely on the same old human flaws to seek out value elsewhere.
Hackers know that people often reuse usernames and passwords across many accounts, and they use this knowledge to try and compromise these other accounts. Let’s say that your username for Example.com is user123 and your password is abcde12345. The hackers will then try this login information on every website that may be valuable to them. They can try it on Gmail, Facebook, Amazon, PayPal, your bank, and the many other accounts that normal people use.
If you had reused the same username and password across any of these accounts, then the hackers could gain access. Once they have compromised an account they can profit from it in a variety of ways. In the case of Amazon, PayPal, or a bank, it’s pretty straightforward how they can extract value—they can simply buy things with your account. Taking over someone’s email or social media account may require a few extra steps for hackers to eke out some form of financial gain.
Hackers don’t tend to just try this on a single person and give up if it doesn’t work. They buy huge databases of usernames and passwords and then launch these attacks at scale, automating much of the work. It’s this scale that can truly make credential stuffing a profitable venture, even if the individual success rate is relatively low.
Credential stuffing vs. brute forcing
Note that credential stuffing is different from brute forcing passwords. In a brute-force attack, hackers try many possible passwords against a single account on a single website, an approach that is usually defeated by the website’s limits on the number of login attempts per account. In credential stuffing, the hackers already hold matching username and password pairs from a breach and try each pair once, or a handful of times, against many other websites, doing so for the thousands of users whose data is in the database. Because each account sees only one or two attempts, per-account lockouts and rate limits rarely trigger; the attack shows up instead as a flood of distinct usernames, mostly failing, from the same source or from a pool of proxies.
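The difference above is also what makes the two patterns distinguishable in authentication logs: brute force piles many failures onto one account, credential stuffing spends about one attempt per account across many accounts. The following is an added example, not code from the original article, of how a defender might classify login sources on that basis. The log line format, the source IPs, the usernames, the thresholds and the sample log lines are all constructed for illustration and are not taken from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical auth-log line format (an assumption for this example):
#   "<timestamp> <src_ip> <username> <OK|FAIL>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")

# Constructed sample lines (not real traffic):
#   10.0.0.5     - many guesses against one account (brute force)
#   203.0.113.9  - one guess each against many accounts, one of which works
#                  (credential stuffing)
#   192.168.1.20 - a user who mistyped once, then logged in (benign)
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 alice FAIL
2024-05-01T10:00:02Z 10.0.0.5 alice FAIL
2024-05-01T10:00:03Z 10.0.0.5 alice FAIL
2024-05-01T10:00:04Z 10.0.0.5 alice FAIL
2024-05-01T10:00:05Z 10.0.0.5 alice FAIL
2024-05-01T10:00:06Z 10.0.0.5 alice FAIL
2024-05-01T10:00:07Z 203.0.113.9 user123 FAIL
2024-05-01T10:00:08Z 203.0.113.9 bob FAIL
2024-05-01T10:00:09Z 203.0.113.9 dave OK
2024-05-01T10:00:10Z 203.0.113.9 erin FAIL
2024-05-01T10:00:11Z 203.0.113.9 frank FAIL
2024-05-01T10:00:12Z 203.0.113.9 grace FAIL
2024-05-01T10:00:13Z 192.168.1.20 carol FAIL
2024-05-01T10:00:14Z 192.168.1.20 carol OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_log(lines):
    """Yield (timestamp, src_ip, username, result) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def classify_sources(lines, min_failures=5, stuffing_ratio=0.8, brute_ratio=0.2):
    """Label each source IP as brute_force, credential_stuffing, suspicious or benign.

    The discriminator is distinct usernames per attempt: brute force piles
    attempts onto few accounts, credential stuffing spends about one attempt
    per account. The thresholds are illustrative assumptions, not tuned values.
    """
    stats = defaultdict(SourceStats)
    for _ts, ip, user, result in parse_log(lines):
        s = stats[ip]
        s.attempts += 1
        s.failures += int(result == "FAIL")
        s.users.add(user)

    verdicts = {}
    for ip, s in stats.items():
        if s.failures < min_failures:
            verdicts[ip] = "benign"  # too few failures to say anything
            continue
        user_ratio = len(s.users) / s.attempts
        if user_ratio >= stuffing_ratio:
            verdicts[ip] = "credential_stuffing"  # ~1 attempt per account
        elif user_ratio <= brute_ratio:
            verdicts[ip] = "brute_force"  # many attempts, few accounts
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def single_failure_accounts(lines):
    """Usernames that failed exactly once across all sources in the window.

    Per-IP counting misses stuffing that is spread over a proxy pool; a spike
    in accounts with exactly one failure is the site-wide signal of the
    'one reused password per account' pattern.
    """
    failures = defaultdict(int)
    for _ts, _ip, user, result in parse_log(lines):
        if result == "FAIL":
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n == 1)


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {label}")
    print("accounts with exactly one failure:",
          single_failure_accounts(SAMPLE_LOG.splitlines()))
```

On the sample above, 10.0.0.5 is labelled brute_force, 203.0.113.9 credential_stuffing and 192.168.1.20 benign. The second function exists because attackers know per-IP counting is the obvious defence and rotate through proxies; counting accounts that each fail exactly once within a short window catches the spread pattern regardless of source address, at the cost of also picking up ordinary one-off typos such as carol's.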
Protecting users against credential stuffing
Unique passwords are an antidote to credential stuffing, but it can be difficult to force users to adopt them. After all, you have no way of knowing whether a user has already used a given password elsewhere. However, there are a few things that you can do to encourage unique passwords:
- Security training to highlight the risks of credential stuffing and why unique passwords are necessary.
- Give users tools that facilitate the easy use of unique passwords, such as password managers.
On top of this, you should also enforce multi-factor authentication. Even if users stubbornly reuse passwords, this additional layer means a leaked username and password pair is no longer enough on its own, which short-circuits credential stuffing attacks.