There have never been so many different cyber attack methods – and criminals may never have been so successful either. Credential stuffing is one of the newest methods used by savvy crooks, but if you’re on top of things you can avoid becoming a victim.
Credential stuffing has become popular as more password databases have been hacked. As billions of usernames and passwords become available on the dark web, criminals are taking these credentials and trying them on different websites – because too many people are reusing names and passwords across multiple accounts.
If you or your friends and family reuse logins and passwords – and let’s be honest, we all have – then you’re at a higher risk of falling victim to a credential stuffing attack.
Read on if you want to find out the details behind credential stuffing – and find out how to avoid becoming a victim.
What is credential stuffing?
There are many methods hackers and criminals use to try to gain access to your vital accounts, and many rely on lists of usernames and passwords routinely stolen from companies and leaked onto the mainstream and dark web.
These huge lists of usernames and passwords are the key to credential stuffing. It works because a hacker will take this information and use bots and other automation techniques to try every username and password combination across different websites, services and social networks.
These bots will often attempt to use different sets of credentials on multiple sites at the same time to speed up the process, and are trained to retrieve sensitive personal information automatically if one of the login attempts works.
It can often be extremely productive, because a hacker already has a list of passwords that have been proven to work at some point—and because too many people never change passwords and reuse passwords across multiple services.
So if a hacker is particularly lucky, they will find a username and password combination that still works across many different websites. And if you’re the unfortunate person who’s fallen foul of this approach, it could mean they have access to your email accounts, social media pages, bank details and more.
It’s a popular approach because credential hacks and leaks have rarely been more common, with tens of billions of different usernames available online – and because the entire process can be automated.
It’s a faster and more efficient process than a traditional brute force attack, which can take a long time because a hacker’s equipment needs to run through every possible combination of letters, numbers and symbols. Because credential stuffing attacks use tried-and-tested passwords, they’re often more successful than a dictionary attack as well—just because that method uses common words doesn’t mean it’s going to work.
The combination of massive password leaks, sophisticated bot farms and people’s lax password security means that credential stuffing is here to stay – unfortunately.
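As an added illustration (not part of the original article), the code below shows how a site operator could tell the two attack shapes described above apart in login logs: credential stuffing touches many accounts once or twice each, while brute force hammers one account many times. The event tuples, thresholds and function name are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = (
    [("203.0.113.10", f"user{i}", i == 5) for i in range(8)]       # many accounts, one try each
    + [("198.51.100.7", "alice", False)] * 12                       # one account, many tries
    + [("192.0.2.44", "bob", False), ("192.0.2.44", "bob", True)]   # ordinary typo, then success
)

def classify_sources(events, min_failures=5, min_accounts=5, max_tries_per_account=2):
    """Label each noisy source IP by the shape of its failed logins.

    All thresholds are illustrative assumptions, not recommended values.
    """
    failed = defaultdict(lambda: defaultdict(int))   # ip -> username -> failed attempts
    succeeded = defaultdict(set)                     # ip -> usernames that logged in
    for ip, user, ok in events:
        if ok:
            succeeded[ip].add(user)
        else:
            failed[ip][user] += 1

    report = {}
    for ip, per_user in failed.items():
        total = sum(per_user.values())
        if total < min_failures:
            continue  # too few failures to judge, e.g. a mistyped password
        tries_per_account = total / len(per_user)
        if len(per_user) >= min_accounts and tries_per_account <= max_tries_per_account:
            # Each account sees only one or two failures, so a per-account
            # failed-attempt counter alone would not notice this source.
            pattern = "credential_stuffing"
        elif tries_per_account > max_tries_per_account:
            pattern = "brute_force"
        else:
            pattern = "unclassified"
        # A success from a flagged source means a tried credential pair worked.
        report[ip] = {"pattern": pattern, "accounts_to_reset": sorted(succeeded[ip])}
    return report

if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_EVENTS).items():
        print(ip, finding)
```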
How to avoid credential stuffing attacks
It’s almost inevitable that your usernames and passwords will find their way onto the dark web at some point, but there are sensible steps that anyone can take to avoid falling victim to credential stuffing attacks and other types of hacking attempts.
Your first step should be to make sure you have strong passwords for all your accounts. You should use unique passwords for each service to ensure that a hacker cannot use the same details to access different websites.
In addition to creating unique passwords for each service, you should develop longer passwords that use a combination of uppercase and lowercase letters, numbers, and special characters. Avoid words, common phrases, proper names and sequential numbers as well, and you’ll have a robust password.
It’s a lot to remember, so we also recommend using a password manager. Implement one of these tools and you won’t have to remember every username and password combination – it will do it for you and secure your data behind strong encryption. Don’t worry if you’re not sure where to start, either – we’ve already rounded up the best password managers.
A top-notch password manager will also generate secure passwords. The best password managers and security tools also include dark web monitoring that will notify you if your credentials have been exposed in a breach. While undoubtedly annoying, alerts mean you’ll be able to change your passwords before hackers can exploit the leak.
You may not be able to avoid leaks and hacks forever, but there are steps you can take to ensure your safety if the worst happens. If websites, apps and services support it, implement multi-factor authentication. This security feature requires you to provide additional proof of your identity if you try to sign in – sometimes it’s your fingerprint or facial recognition, other times it comes from external apps and other services sending a unique code to your phone.
It’s an important addition to your security arsenal. If you have multi-factor authentication turned on, a hacker won’t be able to get into your account even if they’ve used credential stuffing to find the correct password – because they won’t have that other piece of information or identification that gives access.
We’d also recommend checking the settings on your apps and accounts, because you can often specify that an app requires a password change if the password is entered incorrectly a few times in a row. It’s a great way to stop bots from trying to guess your password repeatedly.
In addition to these valuable security tips, we also recommend that you change your password every three to six months. Because while leaks and hacking attempts are inevitable, a login bot won’t get very far if it uses a password that you’ve already changed. Many password managers will generate new passwords for you and provide reminders to change them, and many tools will also alert users if they have weak passwords in their database.
Credential stuffing is a vicious and sophisticated hacking method, and it’s not likely to go away anytime soon – like brute force and dictionary attacks, it works too often for cybercriminals to leave it behind. But if you’re aware of the dangers and follow these tips, you’ll keep your data safe and stop any hacks before they start.