Credential Stuffing: The Path of Least Resistance for Hackers

With all the high-profile hacking and ransomware incidents in the news lately, from Baltimore City’s ransomware woes to Atlanta losing eight years’ worth of body-camera video, you’re probably wondering what steps you can take to insulate your company and yourself. The answer begins with understanding how many hackers operate.

You might picture a hacker hunched over a computer that’s generating thousands of possible password combinations, but the reality is often far simpler than that and comes down to what’s known as credential stuffing.

The most basic explanation of credential stuffing is this: a malicious party obtains a username and password (often from the dark web) and tries them out on a variety of sites. It’s pretty low-tech and very effective – witness the Yahoo breach that impacted 500 million users, which was a result of credential stuffing.
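Because stuffing means trying leaked username/password pairs against accounts that may not even belong to the same people, it leaves a recognisable trace in a site's own login logs: one client source cycling through many different usernames in a short time, with most attempts failing. The following is an added example (not code from the original article) that flags that pattern over a few constructed log lines; the log format, the time window and the thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing patterns in constructed web login logs.

Added example, not from the original article. The assumed log format is:
<ISO timestamp> <source IP> <username> <OK|FAIL>, one attempt per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.7 tries eight
# different accounts in a few seconds; 198.51.100.4 is one user retrying
# their own password; 192.0.2.9 is a single ordinary login.
SAMPLE_LOG = """\
2019-06-01T10:00:01 203.0.113.7 alice FAIL
2019-06-01T10:00:02 203.0.113.7 bob FAIL
2019-06-01T10:00:02 203.0.113.7 carol FAIL
2019-06-01T10:00:03 203.0.113.7 dave OK
2019-06-01T10:00:03 203.0.113.7 erin FAIL
2019-06-01T10:00:04 203.0.113.7 frank FAIL
2019-06-01T10:00:04 203.0.113.7 grace FAIL
2019-06-01T10:00:05 203.0.113.7 heidi FAIL
2019-06-01T10:05:00 198.51.100.4 alice FAIL
2019-06-01T10:05:20 198.51.100.4 alice FAIL
2019-06-01T10:05:40 198.51.100.4 alice OK
2019-06-01T10:07:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Parse log text into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        ts, ip, user, outcome = parts
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for every source that, inside some sliding
    window, tried >= min_distinct_users distinct accounts with a failure
    ratio >= min_fail_ratio. Thresholds are assumed values; tune them to
    the traffic of the site being protected."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # keep the widest matching window seen for this source
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "fail_ratio": ratio,
                        # accounts the source did get into: these need a
                        # forced password reset, not just a blocked IP
                        "compromised": sorted(u for _, u, ok in span if ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The single successful login from the flagged source ("dave") is the important output: blocking the IP stops the noise, but that account's password is now known to be valid and should be reset.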

Credential stuffing relies on the carelessness most of us display in using the same password on multiple sites so we don’t have to remember a whole bunch of different ones. Therefore, the first and best bit of advice is: don’t do that. Using the same password across multiple websites is always a bad idea.

If a given website – and especially a banking or financial site – offers two-factor authentication, take advantage of it. Yes, it’s a pain to have to enter the code from a text message every time you log in, but it’s also a big deterrent to miscreants trying to get to your money.

Advice for employers: first, have a strong password policy in place. A good policy requires complex passwords and also mandates changing them on a regular basis (and prohibits writing passwords on a sticky note attached to the user’s monitor, for heaven’s sake). You might want to require a combination of upper case, lower case, numbers and special characters. Long passphrases of unrelated words (think crunchyumbrellacheeseshining) have been shown to be effective as well. Discuss the best option with your IT vendor.
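The policy above has two acceptable shapes (a mixed-character-class password or a long passphrase of unrelated words) plus two things it should always refuse: a password that is already circulating in breach dumps, and one the user has recently used before, since reuse is exactly what credential stuffing exploits. The following is an added example, not the article's or any vendor's code, that encodes that policy as a checker; the minimum lengths, the history depth and the tiny breached-password list are assumed values for illustration.

```python
"""Check a candidate password against the policy described in the article.

Added example, not from the original article. All thresholds and the
breached-password list below are assumptions for illustration.
"""
import hashlib
import string

# Constructed stand-in for a breached-password list; a real deployment would
# check against a much larger corpus of known-leaked passwords.
KNOWN_BREACHED = {"password1", "qwerty123", "letmein", "Summer2019!"}

MIN_COMPLEX_LEN = 12      # assumed: shortest acceptable mixed-class password
MIN_PASSPHRASE_LEN = 20   # assumed: shortest acceptable passphrase
HISTORY_DEPTH = 5         # assumed: none of the last 5 passwords may be reused


def sha256_hex(password):
    """Hash a password so history can be kept without storing plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def has_all_classes(password):
    """True if upper, lower, digit and special characters are all present."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_password(candidate, history_hashes=()):
    """Return (accepted, reason).

    history_hashes: sha256 hex digests of the user's previous passwords,
    most recent first, as produced by sha256_hex().
    """
    # Reject anything already in circulation, regardless of its shape.
    if candidate.lower() in {p.lower() for p in KNOWN_BREACHED}:
        return False, "appears in breached-password list"

    # Rotation is only useful if the user cannot cycle back to an old one.
    if sha256_hex(candidate) in list(history_hashes)[:HISTORY_DEPTH]:
        return False, f"reused within last {HISTORY_DEPTH} passwords"

    # Long passphrases pass on length alone.
    if len(candidate) >= MIN_PASSPHRASE_LEN:
        return True, "accepted as passphrase"

    # Shorter passwords must mix all four character classes.
    if len(candidate) >= MIN_COMPLEX_LEN and has_all_classes(candidate):
        return True, "accepted as complex password"

    return False, (f"need {MIN_COMPLEX_LEN}+ characters with upper, lower, "
                   f"digit and special, or {MIN_PASSPHRASE_LEN}+ characters")


if __name__ == "__main__":
    for pw in ["crunchyumbrellacheeseshining", "Summer2019!", "Tr0ub4dor&3x"]:
        print(repr(pw), check_password(pw))
```

Note that "Summer2019!" satisfies every character-class rule and is still rejected: a password being complex says nothing about whether it has already leaked, which is why the breached-list check runs first.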

Second, employee training is essential. A recent study showed that 1 out of every 4 untrained employees clicked on a link that would launch ransomware, and the average cost of such an attack is $10,000. With an untrained staff, it’s only a matter of time before an incident occurs that could bring your company to its knees.

Finally, it goes without saying that if you’re connected to the internet – and everyone is – you should carry Cyber Risk insurance.

Questions about cyber risk for your organization? Contact Consolidated Insurance.