Credential stuffing – the password breach aftermath
(Last updated on July 24, 2019)
RIP Passwords – the 2017 Data Breach Industry Forecast by Experian anticipates your demise. Until then, experts are predicting “aftershock” breaches.
In 2016, there were 1,093 security incidents involving loss of sensitive data, and three billion credentials stolen worldwide. The biggest contributor was Yahoo’s headline-dominating confirmation of a 2014 breach, in which at least 500 million user account credentials were stolen. With countless credentials in circulation, the next big threat facing organizations is “credential stuffing.”
Credential stuffing is an automated attack in which stolen username and password combinations are thrown at the login process of various websites in an effort to break in. With up to a 2% success rate, credential stuffers account for more than 90% of all login traffic on many of the world’s largest websites, and for a spate of second-hand data breaches. This imminent threat has spilled over into compliance requirements, including the Draft NIST Special Publication 800-63-B Digital Identity Guidelines, which now recommends that online account systems check user passwords against known credential lists.
The short-term solution is changing your password across the sites you frequent, keeping in mind that some security questions may have been compromised and should also be changed, or better yet replaced with stronger forms of authentication. For organizations, a robust password reset solution, such as Specops uReset, can strengthen this process with multi-factor authentication. The solution supports over 20 identity services, ranging from commonly used email and social identities to high-trust identities like smart cards and fingerprint authenticators.
However, without the ability to check new passwords against the same lists used by attackers, security remains in the hands of users. It is time to take back control. Specops Password Policy takes bad decisions away from users and disallows any password that appears on a leaked list. Now you ask, why bother with passwords when they are on the way out? Because even with their inherent weakness and susceptibility to attacks, passwords remain the most common form of authentication. And you need to worry about them for as long as they’re still around – but hopefully not for long.
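The check the NIST guidance calls for, and that the policy above enforces, is simple in shape: hash each leaked password, store only the hashes, and reject any new password whose hash is already in the set. The following is an added illustration written for this article, not Specops code; the leaked dump is constructed sample data, and bucketing the hashes by a 5-character prefix is a design choice that mirrors the k-anonymity style of public breached-password range lookups.

```python
import hashlib

# Constructed sample of a leaked credential dump (username:password pairs),
# standing in for the breached lists that attackers and defenders both draw on.
LEAKED_CREDENTIALS = """alice@example.com:Summer2016!
bob@example.com:password123
carol@example.com:qwerty
dave@example.com:letmein
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password; SHA-1 is used here only as a
    lookup key into a blocklist, never to protect stored credentials."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_blocklist(leaked_dump: str) -> dict:
    """Index leaked passwords by hash, bucketed by a 5-hex-char prefix.

    The policy service keeps only hashes, so it never holds the plaintexts
    from the dump; usernames are discarded because a leaked password is
    rejected no matter which account it was paired with.
    """
    buckets = {}
    for line in leaked_dump.splitlines():
        if ":" not in line:
            continue  # skip malformed lines in the dump
        _, password = line.split(":", 1)
        digest = sha1_hex(password)
        buckets.setdefault(digest[:5], set()).add(digest[5:])
    return buckets


def is_leaked(password: str, blocklist: dict) -> bool:
    """Exact (case-sensitive) membership test against the hashed blocklist."""
    digest = sha1_hex(password)
    return digest[5:] in blocklist.get(digest[:5], set())


def validate_new_password(password: str, blocklist: dict) -> tuple:
    """Policy hook for a password change: reject anything on the leaked list."""
    if is_leaked(password, blocklist):
        return False, "password appears in a known breach list"
    return True, "ok"


if __name__ == "__main__":
    bl = build_blocklist(LEAKED_CREDENTIALS)
    for candidate in ("password123", "Password123", "correct horse battery staple"):
        print(candidate, "->", validate_new_password(candidate, bl))
```

In production the hashed list would be loaded from a maintained breach corpus rather than an inline string, and the check belongs in the same place the rest of the password policy is enforced, so the user sees one consistent rejection message.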
Credential stuffing attacks serve as another reminder to move away from passwords. As two-factor authentication during user verification grows in popularity, a world without passwords becomes more possible. In the meantime, enable multi-factor authentication wherever possible and stay in the know with our latest webinar!