- Credential stuffing is a common cyberattack where stolen usernames and passwords are used to gain unauthorized access to multiple accounts.
- To protect yourself against credential stuffing, create complex and unique passwords for each service, use a password manager, enable multi-factor authentication, and delete or secure unused accounts.
- Using an email alias service can also help protect against credential stuffing by concealing your primary email address.
There is a good chance you’ve never heard the term “credential stuffing” used before, but that doesn’t mean you haven’t been the target of the widespread and effective cyberattack. Here’s what credential stuffing is and how you can easily protect yourself against it.
This Cybersecurity Awareness Week article is brought to you in association with Incogni.
What Is Credential Stuffing?
There are all manner of cyberattack vectors out there, ranging from the profoundly simple to the profoundly sophisticated. On the simplest side of things, you have attacks like social engineering exploits where malicious actors use social skills and the goodwill of other people to gain access to logins, sensitive information, and so on. You don’t have to know your cryptographic salt from your table salt to pull off a successful social engineering attack.
On the more complex side of things, you have attacks that require the malicious actors to break through multiple layers of security, abscond with data, and work to unpack that data later.
Unpacking that data, specifically when the data is a collection of usernames or email addresses and the associated passwords, is the first step in launching a credential stuffing attack. Here’s how it works and how it can personally affect you.
Let’s say you, like millions of other internet users, have dozens of accounts across various services. You also have several high-value/high-risk logins, like the logins for your email, bank, etc. And you have a lot of low-value/low-risk logins like, say, the login for a muscle car forum you’ve been using on and off for years, an account you made for some coupon site, and so on.
Hopefully, your bank and your email provider have excellent security. High-value targets are usually appropriately hardened and the chances that anybody will successfully attack Bank of America or Gmail and gain access to all the usernames and passwords is pretty low. But the same can’t be said for that car forum or that coupon site. What happens when someone exploits those sites and steals all the user data? Now they have your username, most likely your email, and your password.
Malicious actors will feed that data into automated systems that visit thousands of high-value/high-profile targets and attempt to log in using the stolen credentials, “stuffing” them to see where they fit.
If you reuse the same usernames, email, and passwords everywhere you go online, you’re in trouble. A leak at the lowest-risk service you use now becomes a backdoor into all the high-value services you use, like your email inbox and your bank.
There isn’t a direct analog in the physical world, but if there were, it would look like using one key for everything. If you lost your key or somebody made a copy of it, they’d have a key that worked for your home, car, office, storage unit, safe deposit box, gym locker, and everything in between. It might even open the door to your folks’ place, too. Clearly, that’s not ideal, and there’s a reason we don’t use physical keys that way.
How Can I Protect Myself Against Credential Stuffing?
Credential stuffing might be incredibly common and incredibly easy to execute compared to more complex cyberattacks, but it’s also, thankfully, incredibly easy to protect against. Let’s look at how you can avoid being victimized by credential stuffing attacks, starting with the simplest low-hanging fruit changes and moving onto tips that require a little more investment and planning.
Create Complex and Unique Passwords
If there is one thing you will hear over and over again while learning about good password practices, it is that you should be using complex and unique passwords for every single service you use, and for good reason. The most effective thing you can do to defeat the whole “one key opens every door” problem is to, naturally, have a very large keyring with a dedicated key for every virtual door in your life.
If you have been using the same password or handful of passwords since you opened your first email account decades ago, there’s no time like the present to adopt this crucial new password habit. Every site and service gets a unique password, with no exceptions.
Automate Your Passwords with a Password Manager
If you’re using the same passwords repeatedly, you’re likely not using a password manager. This means you might have bristled a bit when you read over our suggestion in the last section to use a unique password for every service. Maintaining a complex and unique password for dozens, let alone hundreds, of services is an absurdly difficult undertaking without tools to help you.
Enter the password manager. Create one complex but memorable password to unlock the password manager and then let the password manager handle the rest.
A good password manager will help generate unique and complex passwords, track them, automatically fill them into sites when you visit them, and even help you routinely update them. If you’re not using a password manager, you’re missing out on an astounding quality-of-life boost and one of the best things you can do to shore up the security of your accounts.
If you’ve never used a password manager before, do check out our guide to getting started with password managers. It covers common questions and will give you a sense of what day-to-day life with a password manager is like.
Enable Multi-Factor Authentication Everywhere
A lot of folks are resistant to multi-factor authentication because they view it as a hassle. But it’s a fantastic way to add an additional layer of security to your accounts. Even if you have the not-so-great habit of reusing passwords, if your critical high-value accounts all have multi-factor enabled, you’re protected against credential stuffing.
The malicious actor might have lifted your username and password from a vulnerable site, but they won’t have access to your authenticator app, phone, or other multi-factor tools.
Purge Old Accounts to Reduce Risk
If you’re not using an account, delete it. Because there is no physicality to online accounts (they aren’t cluttering up your office or overflowing from your kitchen junk drawer), it’s easy to just ignore the old ones. But if you’re not using an account, there’s no real reason to keep it around.
When you can, delete unused accounts for services you no longer care about. And when you can’t, be sure to log in and change your password (using the password generator in your handy password manager, of course). That way when the unused service is compromised, the only thing that leaks is a unique complex password that doesn’t work anywhere else.
Use An Email Alias Service
Not everyone will want to deal with the extra steps involved, but we’re very strong proponents of using an email alias service to protect yourself online. The short of it is this. Rather than putting your primary email address into every single service that demands it—you know that coveted firstname.lastname@example.org address you scored years ago—an alias service allows you to create an unlimited number of email addresses to feed into services big and small.
Need to sign up for yet-another-service for your kid’s school, some app, or any other service demanding an email address? Keep your primary email address private and sling a unique email at them.
Then you can toss it in the trash the second they start spamming you or when you deactivate the service. Not only is an email alias service great for your privacy and keeping your inbox uncluttered, but if the service you signed up for is compromised, you’re fine. The hackers don’t get email@example.com. Instead, they get firstname.lastname@example.org, which provides no credential stuffing value to them.
However you approach the problem, don’t lose sight of the first and most important tip we shared. A complex and unique password for every service is the simplest and most effective way to protect yourself against credential stuffing. The sooner you start using them, the better.