Passwords and Credential Stuffing

by Jonathan Ashton.

Recently the UK National Cyber Security Centre published an analysis of passwords available online from existing breaches at various organisations (including LinkedIn).

Worldwide, weak passwords like “123456”, “qwerty”, “password” (along with football team names like “liverpool” and “chelsea”) are being used to secure millions of user accounts on social media, shopping sites and even banks. These passwords provide little protection due to their reduced number of characters (no variation in upper/lowercase or special characters). This means they can be cracked relatively quickly even by complete novices using freely available automated tools. In addition, such passwords have been made widely available in common password lists for use in random attacks on services; this is known as ‘credential stuffing’.


Credential Stuffing

This is a simple attack using:

  • an email address that is already part of a breach (e.g. the LinkedIn breach of 2016 which involved 117 million email addresses and passwords being made available online)
  • a list of common passwords (referred to as a dictionary)
  • repeatedly trying the email address and dictionary password combinations against online services (e.g. Amazon, Gmail, Facebook, Spotify, Halifax, AirBNB, etc)

As hackers are dealing with millions of email addresses, combined with the fact that millions of people are using insecure passwords, it’s not surprising that a significant number of accounts are breached and then used for further fraudulent activity.


Check your Email Addresses and Password Security

You can check if your email address (and/or other details) have been involved in breaches and subsequently made available online by using sites such as  Once an email address is in the public domain like this, it will be used in credential stuffing attacks.

You can check to see if your password has been used in a previous breach and therefore if it is likely to be available for hackers at

Another online resource, available at, shows you how strong your password is.


Password Advice

The password advice is still:

  • Don’t re-use passwords between services
  • Passwords should be a mix of upper and lower case along with numbers and one or more special characters (like !#@*^, etc)
  • Passwords should be a minimum of 12 characters

Four Steps to Staying Secure (YPUB)

by Jonathan Ashton.

IT security is a fast moving and complex area which can have a significant impact on your online safety and security. Practicing some fundamental principles can help reduce the chances of being targeted or succumbing to an attack.

Your goal is to make yourself much less attractive to hackers usually by significantly increasing the time needed for them to gain a foothold – “time is money” is as true for hackers as anyone else who’s self-employed.



Hackers have realised that one of the easiest ways to bypass IT security is to manipulate you. They will do this either to:

  • gain access to systems (“Hi there I’m from Microsoft, we’ve noticed a problem with your system and would like to help, can you just …”)
  • get you to divulge your information like usernames and passwords (“Your Amazon package could not be delivered, click on the link and sign in to review further delivery options”)
  • trick you into installing malicious software (“Demand for overdue payment! Please find attached an invoice for immediate payment”)

In some cases it takes just minutes to take control of a machine or device once the initial compromise has happened via deceptive attachments or clicking a link to a malicious site.

Hackers will attempt to make you feel as if you’re obligated to do something, either to receive a benefit or avoid a penalty. Take time to review any communication (email, sms, phone call or instant messaging) that has any of the following features:

  • unsolicited
  • imparted urgency
  • carries an explicit or implied benefit/threat
  • expects you to take an action (click on a link, divulge information)

Common sense will help you weed out the attacks relying on you to succeed.



Passwords need to be complex, long and unique (CLU).

Simple, eight-character passwords in general can be cracked within minutes by determined hackers. Mixing in upper and lower case, numbers as well as symbols makes your password harder to crack.

Increasing the password length can also have a big effect on the time taken – aim for at least 12 characters but more will significantly increase the time taken.

Don’t use the same password across multiple sites/services as hackers will scan hundreds of sites with hacked username/email address/password combinations to see what else can be compromised.
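
The complex, long and unique (CLU) rule above, together with the Password Advice list in the earlier article, can be turned into a check that runs before a password is accepted. This is an added example, not from the original articles; the function names, the tiny common-password set and the `used_elsewhere` list (such as a password manager might hold) are assumptions. It goes slightly beyond the stated advice by also catching a common word dressed up with digits and symbols.

```python
import math
import string

# Weak passwords named in the first article. Assumption: a real deployment
# loads a far larger list of breached passwords here.
COMMON = {"123456", "qwerty", "password", "liverpool", "chelsea"}
MIN_LENGTH = 12
CLASSES = {
    "lower case": string.ascii_lowercase,
    "upper case": string.ascii_uppercase,
    "number": string.digits,
    "special character": string.punctuation,
}

def base_word(password):
    """Lower-case and strip digits/symbols from both ends:
    'Chelsea2019!' reduces to 'chelsea'."""
    return password.lower().strip(string.digits + string.punctuation)

def search_space_bits(password):
    """Brute-force search space in bits: length * log2(size of the
    character classes actually used). An upper bound on strength."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def check_password(password, used_elsewhere=()):
    """Return the list of CLU problems; an empty list means none found."""
    problems = []
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("not complex: no " + ", ".join(missing))
    if len(password) < MIN_LENGTH:
        problems.append(f"not long: under {MIN_LENGTH} characters")
    if password.lower() in COMMON or base_word(password) in COMMON:
        problems.append("built on a common password")
    if password in used_elsewhere:
        problems.append("not unique: already used on another service")
    return problems

if __name__ == "__main__":
    for pw in ["password", "Liverpool2019!", "tR7#mq!Zp2&vKx"]:
        print(pw, round(search_space_bits(pw), 1), check_password(pw))
```

"Liverpool2019!" satisfies the length and character-mix rules yet is still rejected, because the search-space figure only holds when the characters are not a dictionary word with a predictable suffix.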


Hackers and companies are engaged in an arms race to uncover/secure vulnerabilities in products released to the public. Out of date software is a boon to hackers who make use of tools to automatically check for a wide variety of exploits and flaws and report on the ones that offer the best chances to take control.

Anything that can be connected to the internet needs to be kept up to date; doing so reduces the opportunities for attackers and makes it much harder for them to hack you. Ensure automated updates are turned on for all your devices and operating systems.

Where possible install Anti-Virus/Internet Security software from a reputable company and ensure it is kept up to date. Companies like Kaspersky, AVG, F-Secure, Sophos, McAfee, etc spend significant amounts of money identifying, researching and defending against new and emerging threats and make it significantly harder for hackers to get a foothold.



Even with these precautions you may still be hacked. The arms race between hackers and companies often means that hackers notice and exploit a vulnerability first as they’ve the most to gain from it.  Where a compromise has occurred you may lose access to your personal files, photos, music or other information.

Often wiping the device/computer and re-installing is the only effective way to be certain the problem has been dealt with. In these cases (where your files have been locked away by an attacker or a wipe and re-install is required) the only way to get your files back is from a backup.

Make sure you do regular backups of important information and, just as importantly, make sure you can restore them. This can be as simple as copying the files to a USB stick or backup hard drive.