What is Credential Stuffing?

Credential stuffing is an attack in which real username and password pairs leaked from one service are replayed, at scale and almost always with automation, against every other site and service where they might work, in the hope that the person reused the same password elsewhere. OWASP classifies it under brute force because the probing looks the same, but it is far more targeted: instead of guessing, the attacker tries only known username/password pairs, typically one or a few attempts per account across a very large number of accounts. That shape (many accounts, few attempts each, often spread across many source addresses) is what distinguishes it from a classic brute force attempt against a single account, and it is also what detection has to key on.
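To make that difference concrete, here is an added example (not code from the original post) that classifies source addresses in authentication logs as credential stuffing, classic brute force, or benign. The log format, the field names and the sample lines are all constructed for the illustration, as are the thresholds; a real deployment would tune them against its own traffic.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original page).
# Assumed format: "<timestamp> auth <success|fail> user=<name> ip=<address>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 auth fail user=alice ip=203.0.113.7
2024-01-01T10:00:01 auth fail user=bob ip=203.0.113.7
2024-01-01T10:00:02 auth success user=carol ip=203.0.113.7
2024-01-01T10:00:02 auth fail user=dave ip=203.0.113.7
2024-01-01T10:00:03 auth fail user=erin ip=203.0.113.7
2024-01-01T10:00:03 auth fail user=frank ip=203.0.113.7
2024-01-01T10:00:10 auth fail user=alice ip=198.51.100.9
2024-01-01T10:00:11 auth fail user=alice ip=198.51.100.9
2024-01-01T10:00:12 auth fail user=alice ip=198.51.100.9
2024-01-01T10:00:13 auth fail user=alice ip=198.51.100.9
2024-01-01T10:00:14 auth fail user=alice ip=198.51.100.9
2024-01-01T10:00:20 auth success user=grace ip=192.0.2.44
2024-01-01T10:00:25 auth fail user=grace ip=192.0.2.44
"""

LINE_RE = re.compile(r"auth (?P<result>success|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def summarise(log_text):
    """Per source IP: total attempts, failed attempts, and the set of usernames tried."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stats = per_ip[m["ip"]]
        stats["attempts"] += 1
        stats["users"].add(m["user"])
        if m["result"] == "fail":
            stats["fails"] += 1
    return per_ip


def classify(log_text, min_attempts=5, min_fail_ratio=0.6, distinct_user_ratio=0.8):
    """Label each IP as "credential_stuffing", "brute_force" or "benign".

    Both attack types show a high failure ratio; the distinguishing signal is
    how many *distinct* usernames the same source tries. Stuffing tries one
    known pair per account (many users, ~1 attempt each); brute force hammers
    one account (one user, many attempts). Thresholds are illustrative.
    """
    labels = {}
    for ip, stats in summarise(log_text).items():
        if stats["attempts"] < min_attempts:
            labels[ip] = "benign"
            continue
        fail_ratio = stats["fails"] / stats["attempts"]
        if fail_ratio < min_fail_ratio:
            labels[ip] = "benign"
            continue
        distinct_ratio = len(stats["users"]) / stats["attempts"]
        labels[ip] = "credential_stuffing" if distinct_ratio >= distinct_user_ratio else "brute_force"
    return labels


def compromised_accounts(log_text):
    """Usernames that logged in *successfully* from an IP labelled as stuffing.

    Those are the accounts whose reused password worked, and they are the
    ones to force a reset on; the failures are just noise by comparison.
    """
    stuffing_ips = {ip for ip, label in classify(log_text).items() if label == "credential_stuffing"}
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["result"] == "success" and m["ip"] in stuffing_ips:
            hits.add(m["user"])
    return hits


if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:15} {label}")
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Note the single success buried among the failures from 203.0.113.7: in a stuffing campaign that is the event that matters, because it identifies an account whose owner reused a leaked password. A rate limit per account would never have fired here, since each account was tried only once.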

Couple that with the enormous, curated lists of compromised credentials for sale on the darker side of the internet and we have a real problem. While I’ve never laid eyes on them, those lists are part of the source behind the fantastic website haveibeenpwned, which lets people check whether their email address or a password turns up in any of the breaches it has loaded.

Important takeaways from the idea of credential stuffing:

Use Multi-Factor Authentication (MFA or 2FA)

MFA is becoming more widely available, and for good reason. Requiring a second factor that isn’t a “known” thing like a password (something you have, such as an authenticator app or hardware key, or something you are) means a leaked password on its own is no longer enough to log in, which is exactly the situation credential stuffing relies on. Turn it on wherever it is offered, and where you have the choice prefer an authenticator app or hardware key over codes sent by SMS.

Don’t reuse passwords for important systems

If you have unimportant accounts and you genuinely don’t mind them being taken away from you, being impersonated on those platforms, or having every piece of personal information you gave those services harvested, then feel free to reuse passwords there. But if you would rather each of your online accounts stayed isolated from the others when (not if) one of those services is breached, avoid password reuse: a stuffing attack only succeeds against accounts that share a password with the one that leaked.

Avoid using simple and obvious incremental parts in your passwords

Once a password is out, whoever holds the list can read it, and it becomes trivial to raise or lower any numeric value, or to append more digits or exclamation marks. Attackers don’t do this by hand: cracking and stuffing tools apply mangling rules (increment the number, swap the case, add a year or a “!”) to every leaked password automatically, so “Summer2019!” offers no protection to an account whose old, leaked password was “Summer2018!”.
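The defensive side of that point, as an added example that is not part of the original post: when a user changes a password after a breach, reject the new one if it is only a trivial mangling of one that already leaked. The leaked set below is constructed, and the normalisation goes slightly beyond the text by also undoing a handful of common letter-for-symbol substitutions, which attackers’ rule sets cover just as routinely.

```python
import re

# Constructed set of this user's previously leaked passwords (not from the page).
LEAKED = {"Summer2019!", "hunter2"}

# A trailing run of digits and punctuation is the part people "rotate" and
# attackers' mangling rules regenerate, so it carries no entropy worth keeping.
_TAIL = re.compile(r"[0-9!@#$%^&*.?]+$")

# Common leet substitutions, mapped back to the letters they stand in for
# (4->a, 3->e, 0->o, 1->l, $->s, 5->s, @->a, !->i).
_LEET = str.maketrans("4301$5@!", "aeolssai")


def core(password):
    """Reduce a password to the part an attacker keeps when mangling it:
    drop the trailing digit/punctuation run, casefold, undo leet swaps.
    An all-digit/punctuation password has no core, so it is kept whole."""
    stripped = _TAIL.sub("", password) or password
    return stripped.casefold().translate(_LEET)


def is_trivial_variant(candidate, leaked_passwords):
    """True if candidate is a leaked password or differs from one only by
    case, trailing digits/punctuation or simple character substitutions.
    Such a password is as good as already compromised."""
    if candidate in leaked_passwords:
        return True
    c = core(candidate)
    return any(c == core(p) for p in leaked_passwords)


if __name__ == "__main__":
    for pw in ["Summer2020!", "SUMMER!!!", "5ummer2021", "hunter3", "correct horse battery"]:
        verdict = "REJECT" if is_trivial_variant(pw, LEAKED) else "ok"
        print(f"{pw!r:25} {verdict}")
```

This is not a substitute for checking the new password against a full breached-password corpus; it closes the narrower gap where the corpus check passes (“Summer2020!” has never leaked) but the password is still one rule application away from one that has.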

Make use of a Password Manager

There are a number of different password manager offerings out there: some online and centralised with cross-device syncing, some offline and local to your own computer only.

Online with cross-device syncing

These ones have had no known breaches (at the time of writing): Keeper, Dashlane.

These ones have had some issues: 1Password, Bitwarden, LastPass.

Offline / Local

KeePass – Windows only, with a dated look, but very useful, and it allows nesting of folders. It also has a very long list of unofficial ports for other platforms such as Android, iOS, macOS, BlackBerry and various browsers. KeePassXC is one of those ports; it runs on Windows, Mac and Linux and looks lovely in comparison.

Swifty may turn out nicely, but it hasn’t reached release 1.0.0 yet, so we’ll see.

Online / Offline – which to choose?

I’ve long been a proponent of KeePass, but am currently road-testing Keeper (as it’s a product we sell here at TFCS). So far, it’s looking good, and it hasn’t been the subject of breaches, unlike some of the other online offerings. It also has some good additional abilities, such as BreachWatch, which aims to help you stay ahead of internet breaches affecting your various online accounts.


Want to check out Keeper too? Give us a call and we’ll set you up with a trial.

1300 558 504