Almost every day we see headlines about some sort of data breach. The public is not almost numb to this news and the reaction by the end users whose credentials were lost, is typically to reset their password and move on.
This is likely not enough for most people, because, according to a January 2019 study by Yubico and Ponemon, 51 percent of the respondents reuse their passwords across multiple accounts.
So why is it bad to reuse passwords across multiple accounts? Because bad guys will take that long list of usernames and passwords from data breaches, and use them in an attack called credential stuffing. I know, this sounds like a bad Thanksgiving side dish full of conference badges. Trust me, it’s worse!
Credential stuffing is when the attacker takes that long list of usernames and passwords and, using an automated script, tries each pair on many popular websites. Those sites could be business or email related, like Google, Apple, and Microsoft. They could be social media accounts like Facebook, LinkedIn, and Instagram, shopping accounts like Amazon, or any other popular sites, like banks and payment tools like Venmo.
Once the script is successful at logging into a site, it is saved for later review by the attacker. So let’s walk through an example. Let’s assume that Bob reuses passwords across many of his accounts. He has a password for work accounts and a separate one for social media accounts. After the LinkedIn breach a few years ago, Bob’s username and password were made public when miscreants posted the list of breached account credentials to the Internet.
A threat actor, named Mary, decided to take that list and run it through her credential stuffing script. Once the script completed it’s test, Mary found out that Bob had reset his LinkedIn password, as instructed, but was still using the same password for Facebook and Twitter. Since Bob isn’t using multi-factor authentication on those sites, Mary was able to successfully log into, and take over, or even just watch, Bob’s social media accounts.
This is a common attack method and underscores the need for everyone to follow good cybersecurity practices. Below are three ways not be be in Bob’s position.
User a unique password for every account. You likely need a password manager to achieve this.
Use “good” passwords for each account. This can also be achieved with a password manager.
Use multi-factor authentication anywhere and everywhere you can.
If you follow these three tips, you are no longer an easy target and the security of your online accounts.