Credential Stuffing Attacks: How to Combat Reused Passwords
Troy Hunt Describes Efforts to Build and Store Better Passwords
For attackers, "credential stuffing" is the gift that keeps on giving, says information security researcher Troy Hunt, founder of the free Have I Been Pwned? breach-notification service (see Breach Alert Service: UK, Australian Governments Plug In).
Credential stuffing refers to attackers taking usernames and passwords stolen or leaked from one site and replaying them, typically at scale with automated tooling, against the login forms of other sites on which the same individuals reused those credentials.
"This is the underlying problem: People have said: 'Hey, I have a favorite password, it's my cat's name and this is the year that it was born; this is fantastic and I'm going to use it everywhere,'" Hunt says.
But when website A gets breached, if the credentials have been reused elsewhere - say on websites B through Z - then attackers may have a field day compromising that user's accounts on other sites.
"This is where I'm a little bit sympathetic," Hunt says. "This website B didn't necessarily do anything wrong, but now they've got to deal with the risk of ... an attacker logging in with a victim's credentials, and that's a really hard problem."
In a video interview at the recent Infosecurity Europe conference in London, Hunt discusses:
- The rise in credential stuffing attacks;
- The practice of reviewing data dumps to proactively lock accounts for users whose data has been breached;
- The Pwned Passwords service and how organizations are using it to help improve password security.
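The Pwned Passwords lookup mentioned above is designed so that a site can screen a candidate password against known breach data without sending the password, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to the range endpoint, and receives every suffix sharing that prefix with a breach count, matching the rest locally. The following is an added example of that client-side check, written for this page and not code from Have I Been Pwned or from Troy Hunt. The endpoint URL pattern and the `SUFFIX:COUNT` response format are the service's documented ones, but the example never contacts the network: the response body for prefix `5BAA6` is constructed (the first suffix is the genuine SHA-1 remainder of the string `password`; the counts and the other two suffixes are made up), and all function names are this example's own.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real range endpoint; a production client appends the 5-char prefix and issues
# a GET. This example never calls it and answers from SAMPLE_RANGES instead.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the service's reply to the range query "5BAA6".
# Line 1 carries the true SHA-1 suffix of "password"; its count and the other
# two entries are invented for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2",
        "A0C4B3F5D90E2E1B6B8D1F4C7E9A2B3C4D5:17",
    ]),
}


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 digest.

    Only the prefix is ever transmitted; the service cannot tell which of the
    several hundred suffixes under that prefix the client is interested in.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF line endings and blank lines; entries with a count of 0
    (which the service emits when response padding is requested) parse fine
    and simply never trigger a rejection.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for HTTP GET of PWNED_RANGE_URL + prefix, served from SAMPLE_RANGES.

    Unknown prefixes return an empty body, which is also what a client should
    treat a prefix with no breached entries as (the real service returns a
    non-empty body for every prefix, but handling "" keeps the code robust).
    """
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """Number of breaches the password appeared in, or 0 if unseen."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str,
                     fetch_range: Callable[[str], str] = offline_fetch,
                     max_seen: int = 0) -> bool:
    """Policy hook for a signup or reset form.

    Rejects any password seen in more than max_seen breaches. The default of 0
    is the strict policy: a single prior exposure is enough to refuse it.
    """
    return pwned_count(password, fetch_range) <= max_seen


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2019!"):
        prefix, _ = sha1_split(candidate)
        print(f"{candidate!r}: prefix sent={prefix}, "
              f"seen={pwned_count(candidate)}, allowed={password_allowed(candidate)}")
```

In a real deployment `fetch_range` would be a thin wrapper around an HTTPS GET of `PWNED_RANGE_URL + prefix`; swapping that one callable in is the only change needed, and keeping the hashing and matching on the client side is what preserves the k-anonymity property the service is built around. The check belongs at password creation and reset time (and, as the interview notes organizations doing, retroactively against stored hashes where the scheme allows it), not as a substitute for rate limiting or MFA on the login path itself.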
Hunt is a Microsoft Regional Director and MVP, Pluralsight author and internet security specialist. He's the creator of "Have I Been Pwned", the free online service for breach monitoring and notifications. He has testified before the U.S. Congress on the impact data breaches are having on society.