Almost every day we see headlines about some sort of data breach. The public is now almost numb to this news, and the reaction of the end users whose credentials were lost is typically to reset their password and move on.
This is likely not good enough for most people: according to a January 2019 study by Yubico and Ponemon, 51 percent of respondents reuse their passwords across multiple accounts.
So why is it bad to reuse passwords across multiple accounts? Because bad guys will take that long list of usernames and passwords from data breaches, and use them in an attack called credential stuffing. I know, this sounds like a bad Thanksgiving side dish full of conference badges. Trust me, it’s worse!
Credential stuffing is when an attacker takes a long list of usernames and passwords and, using an automated script, tries each pair on many popular websites. Those sites could be business or email related, like Google, Apple, and Microsoft. They could be social media accounts like Facebook, LinkedIn, and Instagram, shopping accounts like Amazon, or any other popular sites, like banks and payment tools like Venmo.
Once the script is successful at logging into a site, that username and password pair is saved for later review and use by the attacker against other sites. So let’s walk through an example. Let’s assume that Bob reuses passwords across many of his accounts. He has a password for work accounts and a separate one for social media accounts. After the LinkedIn breach a few years ago, Bob’s username and password were made public when miscreants posted the list of breached account credentials to the Internet.
A threat actor, named Mary, decided to take that list and run it through her credential stuffing script. Once the script completed its test, Mary found out that Bob had reset his LinkedIn password, as instructed, but was still using the same password for Facebook and Twitter. Since Bob isn’t using multi-factor authentication on those sites, Mary was able to log into Bob’s social media accounts and take them over, or simply watch them.
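The pattern in Mary’s script (one source trying a long list of different usernames, almost all of them failing, with the occasional hit) is also what makes credential stuffing visible from the defender’s side. The following is an added example, not code from the original article: a small detector that reads login records in a constructed four-field format (timestamp, source IP, username, SUCCESS/FAIL), flags sources that try many distinct usernames with a high failure rate, and lists the accounts that did log in during such a burst as candidates for a forced reset and an MFA prompt. The log format, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Flag likely credential-stuffing activity in web login logs.

Added example (not from the original article). It assumes a constructed
log format: "<timestamp> <source_ip> <username> <result>" where result
is SUCCESS or FAIL. Real systems differ; the heuristic is the point:
one source trying many distinct usernames with a high failure rate is
the signature of a stuffed credential list, and any success inside that
burst deserves review (forced reset and an MFA challenge).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real data). 203.0.113.7 (TEST-NET-3
# documentation range) cycles through a leaked list and hits on "bob";
# 198.51.100.4 is an ordinary user who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob SUCCESS
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank FAIL
2024-05-01T10:00:04Z 203.0.113.7 grace FAIL
2024-05-01T10:00:05Z 203.0.113.7 heidi FAIL
2024-05-01T10:00:05Z 203.0.113.7 ivan FAIL
2024-05-01T10:00:06Z 203.0.113.7 judy FAIL
2024-05-01T10:01:00Z 198.51.100.4 alice FAIL
2024-05-01T10:01:10Z 198.51.100.4 alice SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames that logged in


def parse_log(text):
    """Parse lines into (timestamp, ip, username, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAIL"):
            continue
        events.append(tuple(parts))
    return events


def aggregate(events):
    """Group events by source IP and count attempts, failures and distinct usernames."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, result in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.append(user)
    return stats


def detect_stuffing(text, min_usernames=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources whose pattern matches credential stuffing.

    Thresholds are assumptions for the example; tune them to the site's
    normal traffic (a shared NAT address will show more distinct users).
    """
    alerts = {}
    for ip, s in aggregate(parse_log(text)).items():
        fail_ratio = s.failures / s.attempts
        if len(s.usernames) >= min_usernames and fail_ratio >= min_fail_ratio:
            alerts[ip] = {
                "attempts": s.attempts,
                "distinct_usernames": len(s.usernames),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that logged in during the burst are probably
                # reusing a leaked password: force a reset and prompt for MFA.
                "compromised_candidates": sorted(s.successes),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the sample, the detector reports only 203.0.113.7 (ten distinct usernames, 90 percent failures) and names "bob" as the account whose reused password worked, which is exactly the account the story above says Mary took over; the legitimate user at 198.51.100.4 is left alone.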
This is a common attack method and underscores the need for everyone to follow good cybersecurity practices. Below are three ways not to be in Bob’s position.
Use a unique password for every account. You likely need a password manager to achieve this.
Use “good” passwords for each account. This can also be achieved with a password manager.
Use multi-factor authentication anywhere and everywhere you can.
If you follow these three tips, you will no longer be an easy target of credential stuffing attacks.