How to Prevent Credential Stuffing Attacks with Multi-Factor Authentication
December 20, 20225 min read
What if we told you that hackers sell your stolen credentials, sell them on the black market, and use them for login attempts at your bank? Let us explain.
We know how time-consuming it can be to create unique passwords for every online account we access. The temptation is to reuse the same login credentials, or username and password info, for multiple accounts. It's easier to remember that way, right?
Unfortunately, the dark web is onto us.Cybercriminalsknow that the usernames and passwords we use for shopping at our favorite retailers are also likely to be used for our credit cards, checking accounts, and more.
Password security is more crucial than ever before. We'll show you precisely what you need to do to minimize your risk of account takeovers and online attacks in the form of credential stuffing, brute force, and password spraying.
What Is A Credential Stuffing Attack?
Credential stuffing attacks occur when an attacker uses lists of usernames and passwords from previous data breaches to access online banking, social media, and email accounts.
When our data is stolen, it's often posted to the Internet or bought and sold on hacker forums. An attacker takes your username (usually your email address) and password to carry out what's known as a credential-stuffing attack.
If you use the same password for all your apps and websites, cybercriminals can log in as you! Because data leaks and breaches are so common, details about your previous usernames and passwords are easily accessible on the Internet.
What Is a Brute Force Attack?
Brute force attacks occur when cybercriminals utilize computers to randomly guess at our username and password combinations to access our personal data.
While brute force and credential stuffing attacks have the same result (our private information being stolen), they differ because credential stuffing uses real data, and brute force attacks are computerized guesses.
As you can see, if you use a weak and guessable password, it's very easy for an attacker to access your online accounts.Multiple levels of password security can protect us from these attacks.
What is a Password Spraying Attack?
In a password-spraying attack, attackers use large lists of user names or email addresses and try easy-to-guess passwords like password123, p@ssword, 12345678, and so on.
Often these password lists use the most common passwords that people choose. Automated scripts and tools unleash large-scale attacks like these, attempting thousands of accounts with common passwords from multiple IP addresses at once.
It's often just a matter of time before we're victims of cybersecurity breaches ourselves. Without adding additional layers of security, our passwords will eventually be compromised through a password-spraying attack.
Password Security and Multi-Factor Authentication
Did you know that 51% of Americans claim to reuse the same password for their online banking, email, and social media apps?Among those who have been victims of online scams and phishing attacks, 57% still haven't changed their passwords. You now know how dangerous this can be.
If you were attending a password security class today, and we were your teachers, we have some homework for you. Your assignment is to evaluate how you currently choose and store your passwords. You'll begin using a password manager and enable multi-factor authentication for your critical online accounts.
What is Multi-Factor Authentication (MFA)?
You may have heard of two-factor authentication, also known as 2FA. In a time when most of us have more online accounts and passwords than we can remember, it's easy to become lazy with password creation and storage.
Two-factor authentication provides an extra measure of security beyond a username and password.You may have experienced this when you log into a site and receive a prompt to provide additional information. This verification could be in the form of a one-time password (OTP), a pin sent to your phone or email, or something more advanced like biometric 2FA (a fingerprint, iris scan, or voice identification).
As you've probably guessed by now,multi-factor authentication takes 2FA to another level, requiring multiple authentication methods to log into online accounts and apps.
Three Main Types of MFA include:
Knowledge-based MFA - something you know (passwords, PINs, or security questions)
Possession-based MFA- something you have (OTPs sent to your mobile device or email, tokens, or badges)
Inherence-based MFA - something you are (biometric data including fingerprints, facial recognition, voice, or iris)
Some websites use a combination of these three forms of authentication for maximum account security. While adding these additional steps can feel cumbersome and time-consuming, dealing with compromised accounts and stolen identity is far worse.
How To Create Strong Passwords
Think about this for a minute. Every time you're prompted to create a new password, what do you do? Do you pick the same easy-to-remember password you've used for countless websites and apps? Do you try to think of a word pattern, phrase, or some other trick that helps you remember your passwords?
For most people, it's easy to reuse the same password for everything because we have so many passwords.In fact, studies show that the average American has an average of 100 online accounts requiring a password.That's a lot to remember!
Are your passwords unique and complex? Probably not—memorizing and storing multiple complicated passwords without a tool is virtually impossible.
The solution?Use a password manager to do all of this work automatically for you.
Several password-managing products are available to choose from. Many apps integrate directly into your web browser and mobile phone so that you can create and retrieve passwords automatically. Here are a few recommended password managers:
LastPass - There are free, premium, and family memberships for $3 - $4/month.
1Password - Offers personal, family, and business accounts ranging from $2.99 - $19.91/month.
Dashlane - Provides multiple account levels, beginning with free and ending with $8/month business accounts.
3 Steps You Can Take To Prevent Credential Stuffing
1) Enable Multi-Factor Authentication
After creating complex and unique passwords, the number one thing you can do is enable multi-factor authentication on every app, site, or online service that offers it. Most online services have this option available, but you may have to search for it in your profile or account settings.
2) Update Your Passwords
Take 10 minutes to think about the online accounts that are most critical to you (social, banking and finance, email, and so on). Change your passwords to more secure versions using your password manager, and be sure to enable multi-factor authentication while you're at it.
3) Think Twice Before Giving Out Personal Information
One of the best ways to avoid having your personal information stolen is to avoid giving it out in the first place. If a site or service requires your banking information or social security number, consider the source. Does this company take the proper steps to keep your information secure? Look for sites employing 256-bit encryption to scramble user information.
SLNT Pro Tip
We recommend exploring 2FA multi-factor authentication app. Authenticator app are designed to have all your accounts that use MFA in one place. Plus, they back up these accounts for you, so if you lose your smartphone or get a new one, everything is easily backed up and restored. Before downloading a 2FA app we always encourage you to research, review privacy policies and find which app best fits your needs.
As always, our SLNT team is here to help you protect your privacy, your security, and your health. Check out our best-selling SLNT Faraday gear to take your data protection to the next level.