Credential Stuffing

CREDENTIAL STUFFING

The problem: Bad guys hack a website and get thousands/millions of userids and passwords. The passwords were probably stored in an encrypted format but the userids never are. The bad guys then use special software to guess (aka "crack") the passwords. Given enough time, this software is likely to recover over half the passwords.

At this point the bad guys have not made a profit.

So, they try the recovered passwords, along with the stolen userids, at other websites. Many other websites. Many many other sites.

If the credentials (userid/password) work at a financial institution, the bad guys will try to steal money. If the credentials work at a social media site, the bad guys will scam everyone you know with some give-me-money-now story. If the credentials work somewhere that provides the bad guys your personal information, they will steal your identity and your life will be hell for quite a while. If the credentials work at a site that is embarrassing, expect to be blackmailed.

DEFENDING AGAINST CREDENTIAL STUFFING

The knee-jerk reaction to the above story is probably to have your password be in the group of passwords that could not be recovered. For that, you need to pick a long password, probably over 14 characters.

But if your password is recovered, the obvious defense is not to have used it anywhere else. This is one of the 10 Commandments of Defensive Computing - never re-use a password. If "never" is too high a bar, at least use different passwords with your most important systems/sites.

For more, see The word's best password advice.

Most advice-givers end here. Don't re-use a password. Simple. But, not complete.

It also best to not re-use a userid.

Many of us fall into this pattern: when we first went online, we had a userid that we used everywhere. Maybe someone named George who lived in New Jersey would go as JerseyGeorge online. George would use this userid with AOL, with AIM, with Bulletin Boards, etc. Over time, as new systems and websites came to be, George would sign up for everything as JerseyGeorge.

This is convenient but convenience is ALWAYS the enemy of security. Always has been, always will be. If George uses JerseyGeorge to log into the website or app of his bank, he is taking far too big a risk. An unforced error.

If you are thinking this is just more to remember, it is. Grow up. We are all on the hook for remembering/tracking hundreds of passwords already. Unique userids is a trivial added burden.

But, you may be thinking, what about all the websites/system where an email address serves as the userid? There are many ways for you have dozens/hundreds of different email addresses. That is covered elsewhere on this site: Multiple Email Addresses.

ARTICLES

January 11, 2024: What is credential stuffing and how do you keep your accounts safe from it by Katie Malone for Engadget. Things are bad. Okta says that nearly a quarter of all login attempts last year were credential stuffing. A Verizon analysis of data breaches in 2023 found that about half involved stolen credentials. The article suggests two things I disagree with: changing passwords frequently and using passkeys. It has the mandatory nag to use a password manager, yet like all such knee jerk advice, nothing about the down side of doing so. One good suggestion is to delete accounts you no longer use.

FYI: When and why you should use different usernames online by Stacey Harris for 1Password. December 3, 2021. Quoting "By separating your information with different usernames, you make it more difficult for potential hackers to gather a complete profile of you. There’s power in knowing what services someone uses, even if a hacker can’t access them." In large part this article is a plug for their service that generates random userids. That does not mean everything it says it wrong. Their service simply generates 4 words separated by dashes. No big woop, and probably overkill.