If different types of cyber-attacks were a group of friends, credential stuffing would be the odd one out. It isn’t a break-in in the technical sense: no flaw in the attacked system is exploited, the attacker simply logs in with a key that already fits. Kind of like the difference between kicking a door in and finding the spare key under a potted plant.
Credential stuffing is the use of username-and-password pairs stolen in earlier data breaches to log in to sites that were never breached themselves. An automated tool stuffs the login form with these pairs, usually spread across many IP addresses to avoid rate limits, and records which ones work. Because a significant number of people use the same password on several sites, a small percentage of the pairs succeed, and with millions of leaked credentials to try, a small percentage is a lot of accounts.
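The pattern described above leaves a recognisable trace in a login log: one source trying many different usernames, each once or twice, with a low success rate (a brute-force attack looks different, hammering one username). The following is an added example written for this page, not code from the original post or from EyeOnPass; the log format, thresholds and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed login-audit lines (made up for this example, not real traffic):
# "<timestamp> <source-ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 alice FAIL
2024-03-01T10:00:01Z 203.0.113.5 bob FAIL
2024-03-01T10:00:02Z 203.0.113.5 carol OK
2024-03-01T10:00:02Z 203.0.113.5 dave FAIL
2024-03-01T10:00:03Z 203.0.113.5 erin FAIL
2024-03-01T10:00:03Z 203.0.113.5 frank FAIL
2024-03-01T10:00:04Z 203.0.113.5 grace FAIL
2024-03-01T10:00:04Z 203.0.113.5 heidi FAIL
2024-03-01T10:01:00Z 198.51.100.7 bob FAIL
2024-03-01T10:01:01Z 198.51.100.7 bob FAIL
2024-03-01T10:01:02Z 198.51.100.7 bob FAIL
2024-03-01T10:01:03Z 198.51.100.7 bob FAIL
2024-03-01T10:01:04Z 198.51.100.7 bob FAIL
2024-03-01T10:01:05Z 198.51.100.7 bob FAIL
2024-03-01T10:05:00Z 192.0.2.10 alice FAIL
2024-03-01T10:05:09Z 192.0.2.10 alice OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$")


def parse_log(text):
    """Turn the raw lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_source_stats(events):
    """Attempts, successes and distinct usernames seen from each source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "OK":
            s["ok"] += 1
    return stats


def classify_source(s, min_attempts=5, min_user_ratio=0.8, max_success_rate=0.2):
    """Heuristic labels (thresholds are illustrative assumptions, tune for your traffic):
    - credential-stuffing: almost every attempt is a different username, few succeed
    - brute-force: many attempts against one or two usernames
    - normal: too few attempts to say anything
    """
    if s["attempts"] < min_attempts:
        return "normal"
    user_ratio = len(s["users"]) / s["attempts"]
    success_rate = s["ok"] / s["attempts"]
    if user_ratio >= min_user_ratio and success_rate <= max_success_rate:
        return "credential-stuffing"
    if len(s["users"]) <= 2:
        return "brute-force"
    return "suspicious"


def classify_sources(events, **thresholds):
    return {ip: classify_source(s, **thresholds) for ip, s in per_source_stats(events).items()}


def compromised_accounts(events):
    """Usernames that successfully logged in from a source labelled as credential stuffing.
    These are the accounts whose passwords were evidently reused and now need a forced reset."""
    labels = classify_sources(events)
    return sorted({e["user"] for e in events
                   if e["result"] == "OK" and labels[e["ip"]] == "credential-stuffing"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(classify_sources(events))
    print("accounts to reset:", compromised_accounts(events))
```

The point of the last function is the response: the one successful login in the stuffing burst (carol, in the constructed data) is a reused password that is already in the attackers’ hands, so that account gets a forced password change rather than a shrug because “only one in eight worked”.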
Prevention of credential stuffing can seem hopeless, but there are several ways in which you can protect your data. Keep reading to learn about the best ways to upgrade your credential stuffing defence.
Password reuse is a no-no
Even the most secure systems can be let down by password reuse. If the password to your current business accounts is the same one you used for your first e-mail address, it’s time for a change. That goes for your employees and users as well.
We know that remembering a lot of different passwords is difficult. But there are handy resources available online to make this task easier for you. This brings us on to the next step.
Find a safe space for your passwords
A password manager functions as your own safe space online. It keeps your passwords in an encrypted vault, locked with a single master password, and unlocks them only when you need them, so you never have to remember or retype them. There are many password managers available, suitable both for home use and for business accounts. The only password you need to remember is the master password for the manager itself.
So, go ahead and create long, complex passwords for all your accounts. If you want, you can also share passwords used by multiple people (for example in units and teams) in a safe environment.
Keep one thing in mind though. If someone were to get into your password manager, they would get access to all your passwords at once. So make extra sure that the master password is long, unique and never used anywhere else, and turn on two-factor authentication for the manager if it offers it. Also, take a little time to check how different password managers are rated, and whether the vendor publishes independent security audits. There are good and not so good ones out there.
It takes two factors to tango
Two-factor authentication is a marvellous way to keep your account from falling into the wrong hands. First, you enter your password. Then you must complete a second step before you are let in. The second step is usually a one-time code: sent to your phone in a text, generated by an authenticator app, or produced by a small hardware security key you plug in or tap. You enter the code as a “second password” and go on with your day. It adds only seconds to the time it takes you to log in.
This defence makes credential stuffing far harder, because a leaked password alone is no longer enough; the attacker also needs your phone or your key. Two caveats. Codes sent by text are the weakest option, since a phone number can be hijacked (SIM swapping) and a code can be phished along with the password, so choose an authenticator app or a hardware key whenever the service offers one. And not every online service offers two-factor authentication at all.
Don’t waste time – take action where you can
With improvements in cybersecurity, there’s always a price tag. But, be sure to weigh the cost of implementing credential stuffing defence against the cost of a data breach.
Building credential stuffing prevention for your business can require a bit of work on behalf of your IT department. But done right it is well worth your while. For example, you can enable two-factor authentication on assets that your company controls, such as the intranet. This not only encourages but requires you and your employees to be safer online. The same can be done for your user accounts, to keep your customers safe and happy.
Also, talking to your employees about cybersecurity and how they can improve their password habits can really make a difference. Put a policy in place stating how to share passwords and give advice on how to come up with good ones. Credential stuffing defence will be at the forefront of your employees’ minds and they will know it’s a priority for management.
Create super strength passwords!
No matter how strong a password is, once it has appeared in a breach it’s useless: it is now on the very lists that credential stuffing tools feed on. We created the ever-evolving database that we call EyeOnPass to help stop the reuse of breached passwords. Our service can either notify you when a new user tries to sign up with a password that has already been breached on another site, or enforce a mandatory password change. You also have the option of blocking customers from using breached passwords (with a friendly message telling them why) or asking users to change their password voluntarily.
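What such a check looks like in code, as an added example written for this page (it is not EyeOnPass’s implementation or API, and the breached-password corpus is a tiny constructed stand-in): the service keeps only SHA-1 hashes of breached passwords, bucketed by their first five hex characters, and the signup form sends just that five-character prefix and compares the returned suffixes locally, so the service never sees the candidate password or its full hash. That prefix-query shape is the k-anonymity pattern popularised by the Pwned Passwords API; the policy functions (block, warn, force change at login) mirror the options described above.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (made up for this example; a real
# service loads hashes from published breach dumps). Duplicates mean "seen in two breaches".
BREACHED_PASSWORDS = [
    "password", "password", "123456", "qwerty", "letmein",
    "Summer2019!", "Welcome1", "iloveyou",
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachedPasswordService:
    """Server side: stores only SHA-1 hashes, grouped by their first 5 hex characters."""

    def __init__(self, passwords):
        self.buckets = defaultdict(lambda: defaultdict(int))
        for pw in passwords:
            h = sha1_hex(pw)
            self.buckets[h[:5]][h[5:]] += 1  # suffix -> number of breaches it was seen in

    def range_query(self, prefix: str):
        """Return every (suffix, count) under a 5-char prefix. The caller reveals only
        the prefix, so the service learns neither the password nor its full hash."""
        return sorted(self.buckets.get(prefix, {}).items())


def breach_count(password: str, service: BreachedPasswordService) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for candidate, count in service.range_query(prefix):
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0


def signup_decision(password: str, service: BreachedPasswordService, mode: str = "block"):
    """At signup: reject the breached password outright, or merely warn, depending on mode."""
    count = breach_count(password, service)
    if count == 0:
        return ("accept", None)
    msg = (f"This password has appeared in {count} known data breach(es), so attackers "
           "already have it on their lists. Please choose a different one.")
    return ("reject", msg) if mode == "block" else ("warn", msg)


def login_decision(password: str, service: BreachedPasswordService) -> str:
    """For existing accounts: a password that has since turned up in a breach is still
    accepted for this login, but the user is forced to change it before continuing."""
    return "force-change" if breach_count(password, service) else "ok"


if __name__ == "__main__":
    svc = BreachedPasswordService(BREACHED_PASSWORDS)
    for pw in ("password", "Summer2019!", "c0rrect-h0rse-battery-7-staple"):
        print(pw, "->", signup_decision(pw, svc))
```

The login-time path matters as much as the signup path: a password that was fine when the account was created can appear in a breach years later, and the credential stuffing tools will try it the same week the dump circulates.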
As you can see, credential stuffing prevention is far from a lost cause. We wish you good luck in your efforts. But with our tips and the EyeOnPass service, you won’t need it!