What is Credential Stuffing?
Credential stuffing is when a cybercriminal uses an automated script to try each credential they have against a targeted website or application. The reason this often works is a larger majority of users will use the same password for multiple accounts. Cybercriminals often will horde large amounts of usernames and passwords, then go to a password page, and have their script try every single one.
Typically, these username and passwords come from some type of the previous breach. With all of the credential dumps happening on the Dark Web, credential stuffing has become a major online threat. Hackers can use your credentials for just about everything, including spam, phishing, and even full account takeovers.
This hacking technique is on the rise and has gained in popularity with cybercriminals because it’s both simple, cost-effective, and relies on a company’s weakest security links: their employees.
What Can You Do To Protect Your Company and Data?
There are several steps you can take to protect your company from one of these types of attacks.
Use a Password Manager
In the US, the average email address is associated with 130 accounts. You have accounts that require login and passwords for just about everything in your life. One of the best ways to help yourself avoid password reuse is to use a password manager. A password manager will store all of your passwords safely so that you don’t have to remember each and every one of them. A password manager can also help you generate secure random passwords.
Set Only Strong and Unique Passwords for All of Your Accounts
While you may have heard time and time again to be sure and create a strong password, it’s important to also make sure that each account has a unique password, different from every other account. Strong passwords will:
- Have a minimum of 12 characters. However, the longer, the better. A password with 20 or 30 characters is great.
- Include numbers, letters, symbols, capital letters, and lower case letters in every single password. And mix it up. Don’t ALWAYS use ‘@’ in place of ‘a’ or ‘!’ in place of ‘i.’ Switch them around to make it harder to crack.
- Don’t use dictionary words or a combination of dictionary words like ‘password’ or ‘my password.’
- Don’t rely on obvious substitutions, either. For example, ‘p@ssword,’ isn’t a strong password, simply because you substituted the ‘a’ for ‘@.’
- Never, ever reuse the same password twice.
Don’t Store Your Passwords in Your Browser
While browsers make it easy on us and try to simplify our lives by offering to remember every password you use online, it’s important to remember that browsers sometimes get hacked, too. So, even though it may feel convenient, it still poses some security risks. Some of this risk may depend on which browser you’re using if it’s synced with other devices and if you are using extra browser security features.
One of the biggest issues you have when saving passwords to your browser is that other people may see it. Users who have access to our computer logs can see your actual password or even credit card details if you saved them. If your laptop, tablet, or smartphone is lost or stolen, the same threat applies.
There are also viruses and malware out there which target your saved information in browsers looking to steal your passwords and credit card information.
Enable Multi-Factor Authentication Wherever You Can
Two-Factor or Multi-Factor Authentication will make it more difficult for a cybercriminal to breach one of your accounts. This will add another layer of security to your authentication process, since knowing your password won’t alone be enough to pass an authentication check.
Treat Security Questions the Same as Passwords
Do you need to know your mother’s maiden name to help remember a password? Sure, that may be a helpful clue, but most people can find out your mother’s maiden name with a simple Google search. What about your high school mascot? No problem, we can look up which high school you went to on social media and then find out their mascot from their website. Your pet’s name? The color of your car? Believe it or not, much of that information can be found on the information superhighway.
Because it has become easy to find out the typical information you would use for answers to security questions, you should be treating them the same way as you do passwords. That means, make up fake answers and then store them in your password manager.
You also have to remember that security questions and answers are specifically made for talking to humans, not computers. So, you don’t have to add symbols or numbers. Instead, make your answers both wrong and uncommon. Your high school mascot? How about a chupacabra or a dung-beetle? Your mother’s maiden name? Why not Supercalifragilisticexpialidocious or Barnabymarmaduke? Get creative with it.
Limit Authentication Requests on all of Your Internal Programs
When hackers are using bots to launch a credential stuffing attack against you, they will input hundreds or even thousands of credentials in quick succession. You can limit the cybercriminals’ ability to do this by having either your internal IT team or IT partner set up a cap on the number of login attempts that can happen from an IP address within a given period.
If an actor three or five times in a row to access an account and gets the password wrong each time, the account then becomes locked, so in order for the user to access it again, they will have to reset their password and the administrator will have to unlock it. If an actor(s) from a single IP address attempts a limited number of times (5) to use invalid user ID’s then the IP address can be blocked.
Flag Unrecognized Devices
A credential stuffing attack will likely come from an unrecognized device. Your company should be using approval-based access, which only lets previously approved devices on to your network. That way if a new and unfamiliar device tries to connect, an alert allows your IT team or administrator to take appropriate steps to either verify or continue blocking a user.
Teach All of Your Employees Cybersecurity Best Practices
Not all of your cybersecurity has to do with applications and passwords. The biggest threats to your systems are your own staff not following best practices, company policies, or IT usage rules. The best way to help minimize employee security risk is through education. You should teach your employees how to spot phishing attempts, educate them about credential stuffing, shadow IT, and proper password usage.
You should hold regular training sessions, once a month or once a quarter, to update your team on the latest hacking schemes, cybersecurity threats, and how to avoid them. All of this can be coordinated with your IT team.
As long as you follow best practices and take the steps highlighted above, you will be much safer when it comes to credential stuffing attacks. For help with managed security IT security solutions, contact Custom Information Services today!