The recent compromise of the Seesaw Learning website and app has a lot of people asking me: What is credential stuffing? It’s a good question to know the answer to. Once you get it, you will also know how to keep your online accounts safer.
How Credential Stuffing Works
It begins with cybercriminals attacking and hacking an online website or company. When they gain access, they steal the login info for as many accounts as they can, for that site. They’re looking for a list of email addresses, and the corresponding passwords that are used on that site.
While this starts with the hack of one company, the stuffing happens elsewhere. These thieves are counting on one common tech mistake: People tend to use the same password for all of their online accounts. So if they steal login info from one site, the crooks are hoping those credentials will work on other websites.
These cybercriminals actually have a bit of programming skill. They take their stolen credentials and write a program (bot) to try each email/password combination at the login screen of another website. If they’ve stolen 500 logins or a million, it doesn’t matter. They can set their bots to stuff all of those logins into various other websites, until they get lucky access with someone’s stolen credentials.
What You Need To Do
You cannot predict or prevent this kind of attack, because it is launched against the companies you use. You are not the initial target. But you can protect your other accounts from collateral damage. It’s very simple: Always use a different password with each account you create.
OK, maybe it’s not that simple to do, but it is simple to state. No one likes this advice, because passwords are such a tedious burden to most internet users. But if you can improve your habits and avoid password re-use, then credential stuffing attacks will not affect you as much as other people. If your password is stolen from one website, it will not do the crooks any good when they try to use it elsewhere!
Additionally, turning on 2FA can further protect your accounts against password theft. But not all sites offer 2FA. Using unique passwords remains the best defense.
Coping with Too Many Passwords
Maintaining unique passwords is about as fun as remembering to floss. But it could make a big difference someday. There’s always another big hack about to happen, and you’re going to wake up one morning to find that your bank or your favorite store is involved in the latest tech debacle. That awful cybercrime news won’t affect you as much, if you have good security practices in place.
As you set passwords to online accounts, your browser may recommend unique passwords, and offer to Save them for you. This is a solid tool and fairly reliable. And if you need to know a particular password, you can find it by going into your browser’s options menu and searching for the Passwords List. This is how I manage my 700+ passwords, in Google Chrome and Microsoft Edge.
You might also consider using a Password Manager program, and there are many of them out there. Some are free, some have an annual fee. LastPass, Roboform, Keepass and Bitwarden are some trustworthy password managers.
Using an Excel spreadsheet or a “little black book” is also acceptable. I see plenty of folks using these methods, and I don’t criticize it if it is working well for them.