What Is Password Stuffing, and What Can You Do to Protect Yourself Against It?
A user has one of their online accounts hijacked, and the first thing they ask themselves is: 'How did the hackers get their filthy hands on my password?' They're angry and they want answers. When the replies are delayed, they get even more frustrated.
It's a natural reaction, but let's stop for a moment and think about what it is like on the other side of the fence. Put yourself in the shoes of a service provider.
You've read countless blog posts, articles, and research papers. You've seen security specialists explain what you should and shouldn't do, and unlike many other online services, you don't think that a statement involving the words "security" and "seriously" is a tool for calming down hordes of angry users. Your connection is secure, your authentication system salts and hashes users' passwords and stores them securely. Your servers and all the software applications you use are monitored constantly and patched regularly. And yet, somehow, hundreds of your users got their accounts compromised, and you've no idea how that happened. Your users have most likely fallen victim to a credential (or password) stuffing attack.
Suffering the consequences of someone else's security shortcomings
Credential stuffing is the name of a multi-stage attack that is becoming more and more popular. It's made possible by the fact that far too many websites and online services don't do enough to protect users' sensitive data. Login credentials are stored in plain text, for example, and the databases they're put in are exposed to the World Wide Web without any form of protection.
For even less sophisticated cybercrooks, hacking these websites is child's play, and they try to scrape as many login credentials as possible. Leaked usernames and passwords are regularly traded on hacking forums as well, which is good news for the cybercrooks because in most cases, they use hacked databases from multiple websites to stage a single credential stuffing attack.
Trying to hijack accounts by submitting all the stolen usernames and passwords from a single IP would take years and would likely trip the lockout mechanisms on many websites. That's why the cybercrooks use botnets (groups of compromised computers and devices connected to the internet) and scripts that determine whether the stolen credentials still work. They don't try them on the websites from which they were stolen, though.
They try them on websites and online services where compromising an account could be much more lucrative. And because a vast number of people use the same password across multiple websites, the hackers' attempts are often successful.
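The pattern described above gives the service provider something to look for: a burst of login attempts, spread across many source IPs and many different usernames, in which almost every attempt fails and each leaked pair is tried about once. The script below is an added example, not code from the original article or from Cyclonis; the log format (`<ts> <ip> <username> OK|FAIL`), the thresholds and the sample log lines are constructed assumptions. It buckets authentication events into time windows, separates a single-IP brute force on one account from a distributed credential-stuffing run, and lists the accounts whose login succeeded during the stuffing run, since those are the users whose reused password was in the leaked set and who need a forced reset.

```python
"""Heuristic detection of credential stuffing in authentication logs.

Added example, not code from the original article. The log format
("<ts> <ip> <username> OK|FAIL"), the thresholds and the sample data
are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60     # size of the time bucket each verdict covers
MIN_ATTEMPTS = 8        # below this, a window is too small to judge
MAX_SUCCESS_RATE = 0.3  # both stuffing and brute force mostly fail
MIN_USER_SPREAD = 0.8   # stuffing: almost every attempt hits a different user
MIN_IP_SPREAD = 0.5     # stuffing: attempts arrive from many source IPs


@dataclass(frozen=True)
class LoginEvent:
    ts: int
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse constructed log lines of the form '<ts> <ip> <user> OK|FAIL'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(int(ts), ip, user, result == "OK"))
    return events


def classify_window(events):
    """Label one window: normal, brute_force, credential_stuffing or suspicious."""
    n = len(events)
    if n < MIN_ATTEMPTS:
        return "normal"
    success_rate = sum(e.ok for e in events) / n
    if success_rate > MAX_SUCCESS_RATE:
        return "normal"
    users = {e.user for e in events}
    ips = {e.ip for e in events}
    # Brute force hammers one account; stuffing tries each leaked pair about
    # once, spread over many accounts and, thanks to the botnet, many IPs.
    if len(users) / n >= MIN_USER_SPREAD and len(ips) / n >= MIN_IP_SPREAD:
        return "credential_stuffing"
    if len(users) == 1:
        return "brute_force"
    return "suspicious"


def analyze(events, window=WINDOW_SECONDS):
    """Return {window_start: verdict} for every window that has events."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.ts // window) * window].append(e)
    return {start: classify_window(evs) for start, evs in sorted(buckets.items())}


def hijacked_accounts(events, window=WINDOW_SECONDS):
    """Usernames whose login succeeded inside a window flagged as stuffing.

    Their reused password was in the leaked set; the defender's follow-up is
    to invalidate their sessions, force a password reset and notify them.
    """
    verdicts = analyze(events, window)
    return sorted({e.user for e in events
                   if e.ok and verdicts[(e.ts // window) * window] == "credential_stuffing"})


# Constructed sample: a quiet window, a single-IP brute force on one account,
# then a distributed stuffing run in which exactly one leaked pair still works.
_QUIET = ["1 192.0.2.5 alice OK", "7 192.0.2.9 bob FAIL", "9 192.0.2.9 bob OK"]
_BRUTE = [f"{100 + i} 198.51.100.7 admin FAIL" for i in range(10)]
_STUFF = [f"{200 + i} 203.0.113.{i + 1} user{i:02d} {'OK' if i == 6 else 'FAIL'}"
          for i in range(10)]
SAMPLE_LOG = "# ts ip user result\n" + "\n".join(_QUIET + _BRUTE + _STUFF) + "\n"

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for start, verdict in analyze(evs).items():
        print(f"window starting at t={start}: {verdict}")
    print("accounts to reset:", hijacked_accounts(evs))
```

The thresholds are deliberately simple; in production they would be tuned against the site's normal login volume and failure rate, and the IP spread would be supplemented with signals such as ASN diversity, user-agent strings and geography, since a large botnet can easily keep each IP under a naive per-source rate limit.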
Is it fair to blame it all on the user?
Most users know that they shouldn't reuse passwords. Many of them know that solutions like Cyclonis Password Manager will help them avoid it. Yet, they continue to use identical passwords for many accounts. You might say that they are to blame for the existence, and, more specifically, for the popularity of credential stuffing attacks.
The truth is, however, everybody has to pull their own weight. The fact that an online forum stores no payment information doesn't mean that its owner should neglect security. In much the same way, a user shouldn't feel comfortable knowing that the same string of letters and numbers protects both their online banking account and a forgotten profile at a social network nobody uses anymore. Everybody should be aware of the problem and should do what they can to fix it.
Let's be realistic, though, how likely is this to happen?
Well, consider this: it's easier than ever to create a website. In an attempt to get people to sign up, marketing departments the world over say that even your grandmother can do it. This is unlikely to change any time soon.
We realize that there are exceptions, but usually, grandmothers aren't best qualified to design a system that's centered around the user's security and privacy. Unfortunately, this, too, is unlikely to change any time soon. Inevitably, one day, you will end up signing up for a website that someone's grandmother designed, and if you reuse your password, you'll soon be in a world of trouble.
So, like it or not, as a user, the ball is in your court.