Edward Maurer
Director of Security
You may have heard the term “credential stuffing,” but If you don’t live in the world of IT or cybersecurity it likely doesn’t mean much to you. Maybe you’ve written it off as one of the many scams out there that you hope you don’t fall prey to, but don’t fully understand what it is or how to avoid it. Or maybe you’re hoping your IT or security services provider has you covered. But how can you be sure?
It might sound like a complicated scam that only a professional can prevent from happening, but it’s actually quite simple. And the best thing is there are a few simple steps you can take to avoid it happening in both your professional and personal life.
So what is it exactly?
The words “credential stuffing” may conjure up the image of an old-timey bandit stealing IDs and stuffing them in a bag. And while that might sound ridiculous, it’s actually not far from the truth.
In the cyber world, it’s a term used when an attacker obtains a list of usernames and passwords (our modern-day “credentials”) from a website or system that is breached and attempts to use those same usernames and passwords (essentially “stuffing” the credentials) into other websites. The end goal is to gain access to everything from personal bank accounts to a company’s financials and/or proprietary customer information.
Here’s a real-world example
Let’s say that your child wants to play an online game that requires a username and password. You use your personal email address and the same password that you use for every other website including your bank account. Later, you learn that the online gaming site was hacked and all of the usernames and passwords were stolen. You remedy the situation by changing your password on the gaming site, but that’s not the real problem. The attacker has already used (or “stuffed”) that username and password into multiple websites to attempt to gain access to your financial and personal information.
The same scenario applies to business. Just replace a child setting up an account on a gaming site with an employee downloading a new app using the same username and password that is used to access your company’s proprietary systems or business applications.
Here are 3 simple steps to protect yourself and your business:
Create strong, unique passwords (passphrases are even better) that are at least 12 characters long
Always use a different password for every website/system
Use a safe and secure method for storing your passwords (do not use sticky notes, notepads, word docs or spreadsheets)
If you’re thinking, “This all sounds great, but I can’t keep coming up with new, unique passwords, much less remember them. And if I can’t write them down or enter them in a doc or a sheet, where am I supposed to keep them?” you are not alone -- and we’ve got a solution, a password manager.
A good password manager provides an easy method to create, rotate and safely store passwords. Most require you to remember a single password to access a safe and secure vault, eliminating the need to remember multiple passwords. Because leveraging weak, reused and easily compromised passwords is one of the most common tactics employed by hackers to access your personal and business data, we’ve built a password manager right into our all-in-one cybersecurity solution. In addition to providing all of the features detailed above, our Password Manager is easy to use, easy to organize, performs regular audits of your credentials, and connects with our single sign on feature to provide safe, one-click access to the applications you use every day. Overall, a password manager is your best offense and defense against credential stuffing and other password breaches, with the bonus of making your life a lot easier.
If you have any questions about common threats like credential stuffing, want to learn more about password security, or would like to learn more about how AaDya can help you keep safe from threats, please reach out to us directly at inquiries@aadyasecurity.com.
