Credential stuffing – the password breach aftermath
RIP Passwords – the 2017 Data Breach Industry Forecast by Experian anticipates your demise. Until then, experts are predicting “aftershock” breaches.
In 2016, there were 1,093 security incidents involving loss of sensitive data, and three billion credentials stolen worldwide. The biggest contributor was Yahoo’s headline-dominating confirmation of a 2014 breach in which at least 500 million user account credentials were stolen. With countless credentials in circulation, the next big threat facing organizations is “credential stuffing.”
Credential stuffing is an automated attack in which stolen username and password combinations are replayed against the login process of many websites in an effort to break in. With a success rate of up to 2%, credential stuffers account for more than 90% of all login traffic on many of the world’s largest websites, and for a wave of second-hand data breaches. This imminent threat has spilled over into compliance requirements, including the draft NIST Special Publication 800-63B Digital Identity Guidelines, which now recommend that online account systems check user passwords against known credential lists.
The short-term solution is changing your password across the sites you frequent, keeping in mind that some security questions may have been compromised, and should also be changed, or better yet replaced with stronger forms of authentication. For organizations, a robust password reset solution, such as Specops Password Reset, can strengthen this process with multi-factor authentication. The solution supports over 20 identity services ranging from commonly used email and social identities to high trust identities like smart cards and fingerprint authenticators.
However, without the ability to check new passwords against the same lists attackers use, security continues to rest in the hands of users. It is time to take back control. Specops Password Policy takes bad decisions away from users and disallows any password that appears on a leaked list. Now you may ask: why bother with passwords when they are on the way out? Because even with their inherent weakness and susceptibility to attack, passwords remain the most common form of authentication. And you need to worry about them for as long as they’re still around – but hopefully not for long.
Credential stuffing attacks serve as another reminder to move away from passwords. As two-factor authentication during user verification grows in popularity, a world without passwords becomes more possible. In the meantime, enable multi-factor authentication wherever possible and stay in the know with our latest webinar!
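The leaked-list check recommended by NIST SP 800-63B and described above, as an added example that is not Specops code: a constructed handful of leaked passwords stands in for a real breach corpus, the list is indexed by SHA-1 hash prefix so the checking side only ever learns a 5-character prefix (the range-query layout used by Have I Been Pwned’s Pwned Passwords is assumed as the model), and the `min_length` of 8 is the 800-63B minimum, also assumed here.

```python
import hashlib

# Constructed sample of leaked passwords (stands in for a breach corpus of
# hundreds of millions of entries; a real list stores hashes, not plaintext).
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2017!"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash used by the Pwned Passwords corpus (assumed)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Group leaked hashes by their first 5 hex chars: prefix -> set of suffixes."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


LEAKED_INDEX = build_prefix_index(LEAKED_PASSWORDS)


def lookup_range(prefix: str):
    """'Server' side: return every suffix sharing the prefix. The server sees
    only 5 hex chars, so it cannot tell which password was being checked."""
    return LEAKED_INDEX.get(prefix.upper(), set())


def is_leaked(password: str) -> bool:
    """'Client' side: hash locally, send the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    return h[5:] in lookup_range(h[:5])


def validate_new_password(password: str, min_length: int = 8):
    """Policy check run at password change: reject short or leaked passwords.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return (False, "too short")
    if is_leaked(password):
        return (False, "found in a leaked-password list")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ["Summer2017!", "correct horse battery staple"]:
        print(candidate, "->", validate_new_password(candidate))
```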
(Last updated on December 11, 2024)