What is credential stuffing
Credential stuffing is a subcategory of brute force attacks. Both involve the cybercriminal using bots to try thousands of passwords to crack into the target’s account. However, there’s a big difference between the two. While in a brute force attack, hackers try to guess the password with no clues whatsoever, cybercriminals already have access to at least one of your credentials in a credential stuffing attack. They use those credentials (or similar ones) to hack into other popular websites, such as streaming services and ecommerce platforms or your company’s servers. But let’s get into the most important part – what can you do to protect yourself from this threat?
4 ways to protect your accounts from a credential stuffing attack
Have unique passwords
The best way to make sure a hacker doesn’t access multiple accounts when they get their hands on one of your credentials is to have completely different passwords for all your profiles – stress on the word completely. Even if you have distinct passwords, it won’t work if they’re similar, as a cybercriminal will be able to crack them within hours.
It’s extremely easy to have random passwords for all your accounts with a password manager like 1Password. By taking advantage of its password generator tool, you can create lengthy passwords with all character types, including capital letters, numbers, and symbols. And don’t worry about the time you’ll spend typing those credentials. Password managers either come with autofill or allow you to copy the information with one click.
Use dark web monitoring
Another essential aspect of credential stuffing protection is to know about company leaks. Unfortunately, you don’t have any control over websites being hacked. Service providers are responsible for having security measures to ensure cybercriminals can’t access their clients’ data. However, companies don’t always follow best practices, and data breaches happen even to the biggest service providers out there.
The only thing you can do is make sure none of your accounts have been leaked on the dark web. You can do this manually by visiting the website Have I Been Pwned and typing your email. However, it’s far more productive to have a password manager do this for you. 1Password is an excellent example of a platform that constantly browses the dark web to find your credentials. If it does find them, it gives you a visual warning to change your password as soon as possible.
Enable multifactor authentication
Multifactor authentication is a great way to keep hackers at bay regardless of the type of attack. If the cybercriminal can get your credentials, they’ll need other types of information to actually access your account. These can be a pin, security question, code sent to the account owner’s phone, fingerprint, and the list continues.
Sadly, not all websites support multifactor authentication. Even so, you should enable this option on all apps that allow it. This way, the hacker won’t be able to access your account, and it will be harder for them to spill credentials onto other websites.
Delete zombie accounts
It’s easy to forget about accounts you haven’t used for months. But the truth is that they’re still there and are more likely to be affected by a data breach. A great example of that is Myspace, the social media website that was everything back in the 2000s and is now only used by a select few. Most people shifted to Facebook but forgot to delete their Myspace profiles. In 2013, millions of inactive accounts were breached when the company was hacked. Long story short, if you aren’t planning on using an account again, just delete it.
At the end of the day, any website can become the next target of a cybercriminal. If you don’t protect yourself from credential stuffing, a website that doesn’t even have your private information can quickly become the fuel that makes your life go up in flames. So, make sure to follow password hygiene best practices and enable multifactor authentication.
User feedback