Authentication , Endpoint Security , Multi-factor & Risk-based Authentication

Credential Stuffing Attacks: How to Combat Reused Passwords

Troy Hunt Describes Efforts to Build and Store Better Passwords
Troy Hunt, founder, Have I Been Pwned?

For attackers, "credential stuffing" is the gift that keeps on giving, says information security researcher Troy Hunt, founder of the free Have I Been Pwned? breach-notification service (see Breach Alert Service: UK, Australian Governments Plug In).

See Also: Solving Third-Party Cybersecurity Risk - A Data-Driven Approach

Credential stuffing refers to attackers taking usernames and passwords stolen or leaked from one site to log into any other site for which an individual reused their credentials.

"This is the underlying problem: People have said: 'Hey, I have a favorite password, it's my cat's name and this is the year that it was born; this is fantastic and I'm going to use it everywhere,'" Hunt says.

But when website A gets breached, if the credentials have been reused elsewhere - say on websites B through Z - then attackers may have a field day compromising that user's accounts on other sites.

"This is where I'm a little bit sympathetic," Hunt says. "This website B didn't necessarily do anything wrong, but now they've got to deal with the risk of ... an attacker logging in with a victim's credentials, and that's a really hard problem."

In a video interview at the recent Infosecurity Europe conference in London, Hunt discusses:

  • The rise in credential stuffing attacks;
  • The practice of reviewing data dumps to proactively lock accounts for users whose data has been breached;
  • The Pwned Passwords service and how organizations are using it to help improve password security.

Hunt is a Microsoft Regional Director and MVP, Pluralsight author and internet security specialist. He's the creator of "Have I Been Pwned", the free online service for breach monitoring and notifications. He has testified before the U.S. Congress on the impact data breaches are having on society.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.