What Credential Stuffing is and how to protect yourself

A total of 500 million Zoom accounts are being sold on the dark web thanks to "credential stuffing".

It is a common way for criminals to get into online accounts. Here is what the term means and how you can protect yourself.

It starts with databases and password leakage

Attacks against online services are common. Criminals often exploit holes in systems to obtain databases of usernames and passwords. These databases of stolen login credentials are often sold on the dark web, with criminals paying in Bitcoin for the privilege of accessing them.

Let's say you had an Avast forum account, and that forum was hacked in 2014. The forum was breached, so criminals may have your Avast forum username and password. Avast contacted you to change your password on the forum, so what's the problem?

Unfortunately, that is not the end of the story, unless you are a technically savvy user who knows what they are doing. Suppose your login details for the Avast forum were "you@example.com" and "gamatoPassword". If you log in to other sites with the same username (your email address) and password, any criminal who obtains the leaked passwords can access those other accounts too.

Credential stuffing in action

"Credential stuffing" means using these databases of leaked login credentials to attempt to log in to other internet services.

Criminals obtain large databases of leaked username and password combinations, often millions of login credentials, and try them against other sites. Since some people reuse the same password on multiple sites, some of the combinations will match. This is usually automated with software that quickly tests many login combinations.

In other words, "hackers" stuff all these login credentials into a login form and see what happens. Some of them are bound to work.

This is one of the most common ways online accounts are hacked these days. In 2018 alone, the Akamai content delivery network recorded approximately 30 billion credential stuffing attacks.

How to protect yourself

Protecting yourself from credential stuffing is very simple: follow the same password security practices that security experts have recommended for years. There is no magic solution, just good passwords:

  • Avoid reusing passwords: Use a unique password for each account you have online. That way, even if one password is leaked, it cannot be used to log in to other sites. Intruders may try to stuff your credentials into other login forms, but they will not work.
  • Use a password manager: Remembering strong, unique passwords is almost impossible if you have accounts on many sites, and almost everyone does. We recommend a password manager like KeePass that will "remember" the passwords for you.
  • Enable two-factor authentication: With two-factor authentication you must provide something else, such as a code generated by an app or sent to you via SMS, each time you log in to a website. Even if an attacker has your username and password, he or she cannot log in to your account without this code.
  • Get notified in the event of a data leak: With a service like Have I Been Pwned? you can be notified when your credentials appear in a leak.

How services can protect against credential stuffing

There are many ways online services can protect themselves from credential stuffing attacks.

  • Scan leaked databases for user passwords: Facebook and Netflix scan leaked databases for passwords that are also in use on their own services. If there is a match, Facebook or Netflix may ask the user to change their password.
  • Offer two-factor authentication: Users should be able to turn on two-factor authentication to secure their online accounts. Particularly sensitive services can make it mandatory.
  • Require a CAPTCHA: If a login attempt looks suspicious, a service may require the user to type a CAPTCHA code shown in an image, or to complete another challenge, to verify that a person, not a bot, is trying to log in.
  • Rate-limit repeated login attempts: Services should stop bots from making a large number of login attempts in a short time. Modern, sophisticated bots may spread their attempts across many IP addresses at once to disguise their efforts.
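A service-side check of the kind the last bullet describes, as an added example that is not part of the original article: it runs over constructed login log lines and flags three things, a per-IP failure rate limit, the many-different-usernames-from-one-IP pattern that a credential stuffing run leaves behind, and the one-username-from-many-IPs pattern of a bot spreading its attempts across addresses. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_IP = 5   # classic per-IP lockout threshold (assumed value)
MAX_USERS_PER_IP = 3   # distinct usernames from one IP: stuffing signature
MAX_IPS_PER_USER = 3   # one username tried from many IPs: distributed bot

# Constructed sample log: "<timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave@example.com OK
2024-05-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:01:00Z 198.51.100.1 grace@example.com FAIL
2024-05-01T10:01:10Z 198.51.100.2 grace@example.com FAIL
2024-05-01T10:01:20Z 198.51.100.3 grace@example.com FAIL
2024-05-01T10:02:00Z 192.0.2.9 heidi@example.com FAIL
2024-05-01T10:02:05Z 192.0.2.9 heidi@example.com OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK"

def analyse(log_text):
    by_ip = defaultdict(deque)    # ip -> recent (ts, user, ok) within WINDOW
    by_user = defaultdict(deque)  # user -> recent (ts, ip) within WINDOW
    findings = {"rate_limited": set(), "stuffing_ips": set(),
                "sprayed_users": set(), "stuffing_first_seen": {}}
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))
        by_user[user].append((ts, ip))
        # Sliding window: drop events older than WINDOW relative to this event
        while ts - by_ip[ip][0][0] > WINDOW:
            by_ip[ip].popleft()
        while ts - by_user[user][0][0] > WINDOW:
            by_user[user].popleft()
        fails = sum(1 for _, _, o in by_ip[ip] if not o)
        if fails >= MAX_FAILS_PER_IP:
            findings["rate_limited"].add(ip)
        # A plain failure counter fires only after dave's account was already
        # taken over; the distinct-username check catches the IP two lines earlier.
        if len({u for _, u, _ in by_ip[ip]}) >= MAX_USERS_PER_IP:
            findings["stuffing_ips"].add(ip)
            findings["stuffing_first_seen"].setdefault(ip, ts)
        if len({i for _, i in by_user[user]}) >= MAX_IPS_PER_USER:
            findings["sprayed_users"].add(user)
    return findings
```

Note that heidi's single typo followed by a successful login trips none of the checks, while grace's account is flagged even though each of the three IPs made only one attempt.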

Bad password practices and, to be fair, insecure online systems are very easy to exploit. So it is no wonder that many companies in the technology industry want to develop more secure systems that do away with passwords.


Written by Anastasis Vasileiadis
