


Credential stuffing: The password-hacking method you need to avoid


A sign-in prompt on a screen, asking for a username and password.
(Image credit: Iurii Stepanov/Shutterstock)

If you need a reason — and there are many — not to reuse the same username and password for online accounts, you might start with improving your chances of avoiding a specific, but very common, type of cybercrime: the credential-stuffing attack.

Credential stuffing is a form of brute-force password attack that takes advantage of people who recycle their login information — i.e., their credentials — across multiple accounts.


A 2020 report from Atlas VPN found that approximately 3.6 million credential-stuffing attacks were launched every hour. While only a small percentage were successful, the consequences are high: Credential-stuffing attacks cost $6.4 billion in damages from 2015 to 2020.

So how does credential stuffing work, and how can you avoid it?

Credential stuffing 101

In a credential-stuffing attack, hackers take usernames and passwords that have been leaked in data breaches and start plugging them into other websites in hopes of accessing poorly secured accounts.

This method is a brute-force attack of sorts because cybercriminals will try multiple sets of credentials on multiple accounts in what amounts to a fast-paced guessing game.

The difference from regular brute-force attacks is that the guesses aren't entirely random. Thanks to our tendency to recycle login credentials, the hackers have already acquired the usernames and passwords. They're just not sure which accounts the credentials will unlock.

One key unlocks many doors

Let's say you use the same username and password for your primary email account, your online bank account, a social-media account and an account on a shopping site.

Now let's say one of those four accounts is compromised in a data breach. The hackers now have the credentials to log into those other accounts of yours, which might contain sensitive data such as credit card numbers, bank information or private messages.

These bad actors just have to try hard enough, for long enough, to find those other accounts.

That's where the automated tools come into play. The tools can hammer websites with thousands of login attempts per hour. They also can make malicious login requests look legitimate, which may make it hard to notice when these attacks are happening.

While the success rate for any single credential-stuffing login attempt is estimated at between 0.1% and 2%, your chances of falling victim aren't insignificant. If an automated tool can test 100,000 sets of credentials on a single website, then the yield could be between 100 and 2,000 accounts. You don't want your accounts to be among them.
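From the website operator's side, the pattern described above (many login attempts, almost all failing) can be looked for in authentication logs. The following is an added example, not part of the original article; the log format, thresholds and sample data are assumptions, and it only catches attempts that arrive from a single source address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def parse(line):
    """Parse '<ISO time> <source IP> <username> <OK|FAIL>' (assumed log format)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(lines, window=timedelta(hours=1),
                          min_users=50, max_success_rate=0.02):
    """Flag sources that try many distinct usernames inside one window while
    nearly every attempt fails, the shape of replayed breach credentials."""
    buckets = defaultdict(list)              # (ip, window index) -> [(user, ok)]
    for line in lines:
        ts, ip, user, ok = parse(line)
        buckets[(ip, (ts - EPOCH) // window)].append((user, ok))
    flagged = {}
    for (ip, _), events in buckets.items():
        users = {user for user, _ in events}
        success_rate = sum(ok for _, ok in events) / len(events)
        if len(users) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "attempts": len(events),
                "distinct_users": len(users),
                # Logins that succeeded from a flagged source need a forced reset.
                "accounts_to_reset": sorted(u for u, ok in events if ok),
            }
    return flagged

def sample_log():
    """Constructed data: one noisy source and one user mistyping a password."""
    start = datetime(2024, 5, 1, 10, 5, 0)
    lines = [f"{(start + timedelta(seconds=2 * i)).isoformat()} 203.0.113.7 "
             f"user{i:03d} {'OK' if i == 137 else 'FAIL'}" for i in range(200)]
    lines += [f"2024-05-01T10:06:0{i} 198.51.100.4 alice {result}"
              for i, result in enumerate(["FAIL", "FAIL", "OK"])]
    return lines

if __name__ == "__main__":
    for ip, detail in find_stuffing_sources(sample_log()).items():
        print(ip, detail)
```

The ordinary user who fails twice and then succeeds is not flagged, because only one username is involved.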

It's not like there's any shortage of stolen credentials to work with. The website HaveIBeenPwned, which lets you check if a password or username has been exposed in a data breach, currently holds nearly 11.5 billion sets of compromised login credentials.

Major data breaches occur regularly and have impacted companies like Facebook, T-Mobile, Microsoft, Walgreens and many more. Breaches can be vast — everyone who had a LinkedIn account in 2012 had their login credentials stolen, and so did everyone who had a Yahoo account in 2013.

How to avoid credential stuffing

The most important action you can take right now — seriously, this minute — is to start changing your passwords. Start with any credentials that you use across multiple websites, ensuring that no passwords are repeated, especially if you rely on your email or a small handful of usernames.

While you're at it, go ahead and do some password-hygiene work on accounts that contain sensitive personal information, starting with anything hackers could use to steal your identity or your money. That includes every banking or financial account, every website that has stored your credit-card number and every social-media site.

Any of your credentials could be compromised in a data breach, but using strong, unique passwords can help protect your accounts from being accessed via credential stuffing.

Here are a few tips for protecting your online passwords:

  • Make your passwords unique. As we've mentioned, credential stuffing works because people tend to use the same passwords over and over. Don't do this. You can also create additional usernames by setting up new email addresses for free in Gmail or Outlook.com.
  • Make your passwords stronger. Passwords should be at least 16 characters long with a mix of upper-case and lower-case letters as well as special characters or punctuation marks. They should also be random — never use real words or names or numbers that are relevant to you (such as your birthdate).
  • Set up multi-factor authentication (MFA), also known as two-factor authentication. This isn't about your passwords, per se, but MFA will prevent a hacker from logging into your account even if they have your credentials. MFA requires you to provide a third item, such as a one-time-use passcode or a hardware security key, if the website detects that you're trying to log in from a new device or location. You'll also be notified if someone is trying to access an account without permission. MFA is considered one of the best defenses against credential stuffing attacks.

One reason we reuse basic passwords is because it's hard to remember many sets of complex credentials. A good password manager will store your logins and autofill them when you need them, so you don't have to memorize them or write them down on paper.

Plus, the best password managers have generators for creating strong, unique passwords. Some also have security dashboards that let you know if your info has been compromised in a data breach and which of your passwords have been reused.
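The reuse check and generator described above can be sketched in a few lines. This is an added example, not code from the article or from any password manager; the vault contents, the `SPECIALS` set and the function names are assumptions, and it checks only length and character mix, not whether a password contains real words.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 16                      # minimum length given in the tips above
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed set of special characters

def weaknesses(password):
    """Return the ways a password misses the tips' length and character mix."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 16 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if all(c.isalnum() for c in password):
        problems.append("no special character")
    return problems

def audit(vault):
    """vault maps site -> password. Returns (groups of sites sharing one
    password, {site: weaknesses}). Passwords never appear in the report."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    reused = sorted(sorted(s) for s in sites_by_password.values() if len(s) > 1)
    weak = {site: w for site, pw in vault.items() if (w := weaknesses(pw))}
    return reused, weak

def generate(length=MIN_LENGTH):
    """Draw from the OS CSPRNG until every required character class is present."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 16")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate

# Constructed vault: three of the article's four accounts share one password.
SAMPLE_VAULT = {
    "email": "Sunshine2012", "bank": "Sunshine2012",
    "shop": "Sunshine2012", "social": "k#V9tq!Lw2@Zr7mP_x",
}

if __name__ == "__main__":
    print(audit(SAMPLE_VAULT), generate())
```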

Credential stuffing doesn't have to be an inevitable outcome of spending time online. You can minimize your risk by cleaning up your usernames and passwords so that if one is compromised, the rest are not.

Emily Long is a Utah-based freelance writer who covers consumer technology, privacy and personal finance for Tom's Guide. She has been reporting and writing for nearly 10 years, and her work has appeared in Wirecutter, Lifehacker, NBC BETTER and CN Traveler, among others. When she's not working, you can find her trail running, teaching and practicing yoga, or studying for grad school — all fueled by coffee, obviously.

Source: https://www.tomsguide.com/news/credential-stuffing

Posted by: healeysaings.blogspot.com
