What Is Password Stuffing, and What Can You Do to Protect Yourself Against It?

Credential Password Stuffing

A user has one of their online accounts hijacked, and the first thing they ask themselves is: 'How did the hackers get their filthy hands on my password?'. They're angry and they want answers. When the replies are delayed, they get even more frustrated.

It's a natural reaction, but let's stop for a moment and think about what it is like on the other side of the fence. Put yourself in the shoes of a service provider.

You've read countless blog posts, articles, and research papers. You've seen security specialists explain what you should and shouldn't do, and unlike many other online services, you don't think that a statement involving the words "security" and "seriously" is a tool for calming down hordes of angry users. Your connection is secure, your authentication system salts and hashes users' passwords and stores them securely. Your servers and all the software applications you use are monitored constantly and patched regularly. And yet, somehow, hundreds of your users got their accounts compromised, and you've no idea how that happened. Your users have most likely fallen victim to a credential (or password) stuffing attack.

Suffering the consequences of someone else's security shortcomings

Credential stuffing is the name of a multi-stage attack that is becoming more and more popular. It's made possible by the fact that far too many websites and online services don't do enough to protect users' sensitive data. Login credentials are stored in plain text, for example, and the databases they're put in are exposed to the World Wide Web without any form of protection.

For even less sophisticated cybercrooks, hacking these websites is child's play, and they try to scrape as many login credentials as possible. Leaked usernames and passwords are regularly traded on hacking forums as well, which is good news for the cybercrooks because in most cases, they use hacked databases from multiple websites to stage a single credential stuffing attack.

Trying to hijack accounts by typing all the usernames and passwords from a single IP will take years and will likely trip the lockout mechanisms on many websites. That's why, the cybercrooks use botnets (groups of compromised computers and devices connected to the internet) and scripts that determine whether the stolen credentials work. They don't try them on the websites from which they were stolen, though.

They try them on websites and online services where compromising an account could be much more lucrative. And because a vast number of people use the same password across multiple websites, the hackers' attempts are often successful.

Is it fair to blame it all on the user?

Most users know that they shouldn't do it. Many of them know that solutions like Cyclonis Password Manager will help them avoid it. Yet, they continue to use identical passwords for many accounts. You might say that they are to blame for the existence, and, more specifically, for the popularity of credential stuffing attacks.

The truth is, however, everybody has to pull their own weight. The fact that an online forum stores no payment information doesn't mean that its owner should neglect security. In much the same way, a user shouldn't feel comfortable knowing that the same string of letters and numbers protects both their online banking account and a forgotten profile at a social network nobody uses anymore. Everybody should be aware of the problem and should do what they can to fix it.

Let's be realistic, though, how likely is this to happen?

Well, consider this: it's easier than ever to create a website. In an attempt to get people to sign up, marketing departments the world over say that even your grandmother can do it. This is unlikely to change any time soon.

We realize that there are exceptions, but usually, grandmothers aren't best qualified to design a system that's centered around the user's security and privacy. Unfortunately, this is unlikely to change any time soon as well. Inevitably, one day, you will end up signing up for a website that someone's grandmother designed, and if you reuse your password, you'll soon be in a world of trouble.

So, like it or not, as a user, the ball is in your court.

By Duran
October 11, 2018
Password Security
English
October 11, 2018
Password Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Password Security

What Is Password Spraying and How to Protect Your Passwords Against It?

When we're talking about the security of our accounts, we usually talk about passwords because people often assume that if your password is compromised, your account is compromised. That's not completely true, though.... Read more

October 5, 2018
Password Security

How Instagram Accounts Get Hacked and How to Protect Yourself

Whether you're an Instagram personality or just a regular person using the platform to document snippets of your life, your account's security comes first. Just last month, Forbes noted that multiple Instagram users... Read more

May 16, 2018
How To

How to Password Protect Your Excel Files and Keep the Password Safe

You must have heard about the importance of personal information and data security many times before. It is not just about the login credentials for your accounts on various websites. You might also want to password... Read more

September 21, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.