Credential Stuffing

Passwords and Credential Stuffing

by Jonathan Ashton.

Recently the UK National Cyber Security Centre published an analysis of passwords available online from existing breaches at various organisations (including LinkedIn).

Worldwide, weak passwords like “123456”, “qwerty” and “password” (along with football team names like “liverpool” and “chelsea”) are being used to secure millions of user accounts on social media, shopping sites and even banks (https://www.bbc.co.uk/news/technology-47974583).  These passwords provide little protection because they are short and lack variation (no mix of upper and lower case, digits or special characters), so they can be cracked relatively quickly even by complete novices using freely available automated tools.  In addition, such passwords have been collected into common password lists that are used in indiscriminate attacks on online services; this is known as ‘credential stuffing’.


Credential Stuffing

This is a simple attack using:

  • an email address that is already part of a breach (e.g. the LinkedIn breach of 2016 which involved 117 million email addresses and passwords being made available online)
  • a list of common passwords (referred to as a dictionary)
  • repeatedly trying the email address and dictionary password combinations against online services (e.g. Amazon, Gmail, Facebook, Spotify, Halifax, AirBNB, etc)

As hackers are dealing with millions of email addresses, combined with the fact that millions of people are using insecure passwords, it’s not surprising that a significant number of accounts are breached and then used for further fraudulent activity.
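The pattern described above (one source trying many different accounts, almost all of them failing) is also what a defender can look for in their own login logs. The following is an added example, not part of the original post: it parses a small constructed log (the IP addresses, email addresses and results are made up), groups attempts by source address, and flags any source that hits many distinct accounts with a high failure ratio. The thresholds are assumptions to tune per service; the successful logins from a flagged source are the accounts to review and force a password reset on.

```python
from collections import defaultdict

# Constructed sample authentication log (not real traffic).
# Fields: timestamp source_ip email result
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin@example.com SUCCESS
2024-05-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 grace@example.com FAIL
2024-05-01T10:01:10Z 198.51.100.22 heidi@example.com FAIL
2024-05-01T10:01:25Z 198.51.100.22 heidi@example.com FAIL
2024-05-01T10:01:40Z 198.51.100.22 heidi@example.com SUCCESS
2024-05-01T10:02:00Z 192.0.2.9 ivan@example.com SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, result = line.split()
        events.append({"ts": ts, "ip": ip, "email": email, "ok": result == "SUCCESS"})
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.7):
    """Return {source_ip: stats} for sources that look like credential stuffing:
    many distinct accounts attempted from one address, mostly failing.
    A legitimate user mistyping their own password (one account, a few
    failures, then success) stays below min_accounts and is not flagged.
    The thresholds are assumptions; tune them to the service's normal traffic."""
    by_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                 "failures": 0, "succeeded": set()})
    for e in events:
        s = by_ip[e["ip"]]
        s["accounts"].add(e["email"])
        s["attempts"] += 1
        if e["ok"]:
            s["succeeded"].add(e["email"])
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_accounts": len(s["accounts"]),
                "attempts": s["attempts"],
                "fail_ratio": round(ratio, 2),
                # Accounts that were logged into from a flagged source: these are
                # the ones to review and force a password reset on.
                "successful_logins": sorted(s["succeeded"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

In the constructed sample only 203.0.113.7 is flagged: seven different accounts in five seconds with six failures, and one success (erin@example.com) that should be treated as a compromised account rather than a normal login.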


Check your Email Addresses and Password Security

You can check whether your email address (and/or other details) has been involved in a breach and subsequently made available online using sites such as https://haveibeenpwned.com/.  Once an email address is in the public domain like this, it will be used in credential stuffing attacks.

You can check whether your password has appeared in a previous breach, and is therefore likely to be available to hackers, at https://haveibeenpwned.com/Passwords.

Another online resource, available at https://password.kaspersky.com/, shows you how strong your password is.


Password Advice

The password advice is still:

  • Don’t re-use passwords between services
  • Passwords should be a mix of upper and lower case along with numbers and one or more special characters (like !#@*^, etc)
  • Passwords should be a minimum of 12 characters
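The two checks above (has the password appeared in a breach, and does it meet the length and character-mix rules) can be combined into one check that a service runs when a user sets a password. The following is an added example and not code from the original post or from Have I Been Pwned. It uses the real format of the Pwned Passwords range lookup, in which only the first five hex characters of the password's SHA-1 hash are sent to https://api.pwnedpasswords.com/range/<prefix> and the response lists hash suffixes with counts, but it does not contact the service: `offline_range_lookup` is a constructed stand-in built from a small made-up corpus with invented counts, so the example runs offline. The policy rules are the three bullets above; the password strings and corpus are constructed.

```python
import hashlib
import string

# Constructed stand-in for the breached-password corpus (counts are made up).
CONSTRUCTED_CORPUS = {
    "password": 3_800_000,
    "123456": 37_000_000,
    "qwerty": 3_900_000,
    "liverpool": 180_000,
}


def split_sha1(password):
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that
    would be sent to the range endpoint and the suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_range_lookup(prefix):
    """Constructed replacement for GET https://api.pwnedpasswords.com/range/<prefix>.
    The real endpoint returns one 'SUFFIX:COUNT' line per breached hash sharing
    the prefix; this builds the same shape from CONSTRUCTED_CORPUS instead."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_sha1(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def breach_count(password, fetch_range):
    """k-anonymity check: send only the prefix, match the suffix locally.
    Returns how many times the password appeared in breach data, 0 if never."""
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        sfx, _, count = line.partition(":")
        if sfx.strip() == suffix:
            return int(count)
    return 0


def policy_issues(password):
    """Apply the three rules from the password advice above."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in string.punctuation for c in password):
        issues.append("no special character")
    return issues


def evaluate_password(password, fetch_range=offline_range_lookup):
    """Combine the policy rules with the breach lookup. A password that passes
    the character rules but appears in breach data is still rejected."""
    issues = policy_issues(password)
    seen = breach_count(password, fetch_range)
    if seen:
        issues.append(f"seen {seen} times in breach data")
    return {"acceptable": not issues, "issues": issues}


if __name__ == "__main__":
    for pw in ("password", "liverpool", "Correct-Horse-Battery-9"):
        print(pw, evaluate_password(pw))
```

To use the real service, replace `offline_range_lookup` with a function that performs the HTTPS GET for the prefix (the service asks for a descriptive User-Agent header) and returns the response body unchanged; `breach_count` works on the same text format either way, and the full password or hash never leaves the machine.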