Passwords in Peril as Credential Stuffing Attacks Evolve
By now we know that technology doesn’t wait for the rest of the world to catch up. Hackers are counting on that lag time as they continue to move forward with their exploits. Over time their bags of tricks have evolved, becoming more sophisticated and more difficult to prevent. Poor password use, the Achilles heel of online security, makes credential stuffing attacks much easier. The “improvements” made by fraudsters who run credential stuffing attacks aren’t good news, especially for those of us who are password challenged.
A credential stuffing attack, sometimes called password spraying, is something that takes very little effort to do. It’s a low-risk, high-reward crime, which makes it appealing to bad actors who can use bots to do all the work. Bots can automatically and en masse inject breached usernames and passwords until a match is found. In the business world, research shows that smaller companies are targeted by credential stuffers more frequently than larger businesses. The attack success rate with small businesses is as much as 35%, while Fortune 500 companies see a success rate of less than 2%.
Successful credential stuffing attacks are now easier to carry out thanks to improved hacking technology. It used to be more difficult for hackers to get their hands on password/username combinations, also called combolists. With today’s list of mega hacks and other breaches, combolists are easily found on hacking forums that link to billions of stolen credentials, many of them for free. Thanks to these improvements, credential stuffing can now bypass detection and risk assessment tools. For these and many other reasons, it’s more important than ever to get serious about password hygiene.
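As an added illustration of the bot-driven pattern described above (example code written for this page, not from the original article), the Python below scans constructed login records and flags a source that tries many different accounts a few times each, the shape a defender looks for when stuffing rather than single-account brute force is underway. The log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample lines for illustration only.
# 203.0.113.5 tries six different accounts once each (stuffing shape);
# 198.51.100.7 is one legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:01Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=erin result=OK
2024-03-01T10:00:03Z src=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:04Z src=198.51.100.7 user=grace result=FAIL
2024-03-01T10:00:09Z src=198.51.100.7 user=grace result=OK
"""

def parse_log(text):
    """Yield (src, user, result) tuples, skipping lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")

def find_stuffing_sources(events, min_users=5, max_attempts_per_user=2.0):
    """Return {src: summary} for sources with the credential-stuffing shape:
    many distinct usernames, few attempts each. Brute force on one account
    looks like the inverse (one user, many attempts) and is not flagged here."""
    attempts = defaultdict(lambda: defaultdict(int))  # src -> user -> tries
    successes = defaultdict(set)                       # src -> users with OK
    for src, user, result in events:
        attempts[src][user] += 1
        if result == "OK":
            successes[src].add(user)
    flagged = {}
    for src, per_user in attempts.items():
        total = sum(per_user.values())
        distinct = len(per_user)
        if distinct >= min_users and total / distinct <= max_attempts_per_user:
            # "hits" are accounts the source actually got into: reset these first.
            flagged[src] = {"attempts": total, "distinct_users": distinct,
                            "hits": sorted(successes[src])}
    return flagged

if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info}")
```

The thresholds should be tuned per site; a shared NAT or corporate proxy can legitimately show many users from one address, so treat a hit as a lead for review rather than an automatic block.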
Tips to Help Avoid Credential Stuffing
- If you are notified or hear about a company breach where you have an account, immediately change the password even if you’re told your account was not affected.
- Use passwords of at least 8 characters, mixing letters, numbers, and symbols. The more complex the password, the more difficult it is to crack.
- Each account must have its own unique, fortified password and username combination. Write the combinations down on paper, if needed, and keep them in a safe place.
- Always use two-factor authentication (2FA) or multifactor authentication (MFA) whenever possible. Doing so adds layers of security to account log-ins.
- Avoid using public Wi-Fi networks and consider getting a VPN (virtual private network). Hackers love to hang out on public Wi-Fi and wait for users to log into an account so they can steal their credentials.