It seems as if there is a new data breach or leak announced on the news every single day. Even if you have used one of the applications that has been hacked, you probably think there is little risk to you since you didn’t enter any sensitive information while using it. Unfortunately, you could not be more wrong. Even if your interaction with a website or application didn’t involve you entering any personal information, it still puts you at risk. Just the fact that your username and password were exposed could allow hackers to get into any other application you’ve used as well, including your banking and other places with your sensitive information. Hackers can do this through a process called credential stuffing.
What is Credential Stuffing?
Once the hackers have your username and password from one site, they will try to use those credentials to access others. There are thousands upon thousands of possible sites, but they target the biggest and most sensitive ones. The problem is that many people use the same or similar passwords for everything they access. That means if your password was compromised and you've used it on other platforms, then they could gain access to those platforms as well.
Hackers don't even have to manually enter all of those passwords when they are trying different portals. They use special web tools that automatically comb the web for portals and attempt thousands upon thousands of sets of credentials at the same time. It is like having the combination to a safe but not knowing which safe it opens: the tools let them try every safe very quickly.
Plus, once your information is compromised in such a breach, it often ends up getting sold amongst nefarious people on the dark web. This means that you could have several hackers trying to find another portal that they can access with your credentials. Luckily, there are several things you can do to prevent them from going further with your information. Here are three ways to prevent credential stuffing.
Have Different Passwords for Every Portal
This might be the most straightforward method. If you have a completely different password for each portal you use, then you never have to worry about a breach helping hackers access other ones. This does create complications, however. You probably have access to many different portals through your work, at the very least. Plus, some people have up to a hundred in their personal lives. Remembering all of these unique passwords would be next to impossible.
That said, there is a solution for this. An enterprise password manager can help to store all of your passwords in a safe and secure place. You will only have to memorize a single complex and very strong password to use them. When you go to a portal, you simply call up the right password from the tool, and you are good to go.
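The reuse problem described above can be checked mechanically. The following is an added example, not code from the original article or from any particular password manager product: it audits a constructed vault (the site names and passwords are invented for the demo) for passwords shared between portals and replaces each reused one with a unique random password drawn from the operating system's CSPRNG via Python's `secrets` module. The 20-character default length and the 94-character alphabet are assumptions of this example.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Letters, digits and punctuation: 94 symbols, about 6.55 bits per character.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed vault contents for the demo; none of these are real credentials.
VAULT = {
    "mail.example": "Summer2019!",
    "bank.example": "Summer2019!",
    "shop.example": "Summer2019!",
    "work-vpn.example": "correct horse battery staple",
    "forum.example": "hunter2",
}


def find_reuse(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group portals that share a password; only groups of two or more are returned.
    A breach at any portal in a group exposes every other portal in that group."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for portal, password in vault.items():
        by_password[password].append(portal)
    return {pw: sorted(portals) for pw, portals in by_password.items() if len(portals) > 1}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(len(alphabet))


def rotate_reused(vault: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the vault in which every portal that shared a password
    gets its own fresh random one; unique passwords are left untouched."""
    rotated = dict(vault)
    for portals in find_reuse(vault).values():
        for portal in portals:
            rotated[portal] = generate_password()
    return rotated


if __name__ == "__main__":
    for password, portals in find_reuse(VAULT).items():
        print(f"reused across {len(portals)} portals: {', '.join(portals)}")
    fixed = rotate_reused(VAULT)
    print("reuse after rotation:", find_reuse(fixed))
    print(f"entropy of a 20-char password: {entropy_bits(20):.1f} bits")
```

Passwords generated this way are only practical with a manager storing them, which is exactly the point of the section above: the human remembers one strong master password and the tool holds the rest.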
Use Multi-Factor Authentication
Multi-factor authentication requires more than just a password to access a database or portal. There are some very common forms that you've probably come across, and new ones keep appearing to make unauthorized access harder.
One of the oldest and most common is knowledge-based authentication. This is when, after entering your credentials, you are then prompted to answer a security question, such as the name of your first pet dog or your oldest cousin. The hackers may have stolen your username and password, but not the answer to your security question.
A more sophisticated form of two-factor authentication requires a user to enter a password and a one-time code to gain access. Once they have entered a password, the one-time code is texted to a mobile phone number associated with the individual or generated by an app the user has already authenticated with. That way, the user would have to have the right password and the right device on hand to get access.
Biometric identity verification is an increasingly common multi-factor authentication strategy. In addition to a username and password, the user is required to authenticate with a biometric factor such as a fingerprint or facial recognition scan.
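The one-time codes "generated by an app the user has already authenticated with" are time-based one-time passwords (TOTP, RFC 6238), built on HOTP (RFC 4226). The following is an added example, not code from the original article: it implements both with only the Python standard library, plus the server-side verification step that accepts a small clock-drift window and compares in constant time. The 30-second step, 6-digit codes, the one-period drift window and the base32 provisioning format are the common defaults assumed here; the demo secret is the published RFC test key, not a real credential.

```python
import base64
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte counter,
    dynamically truncate to 31 bits, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)                      # counter as big-endian uint64
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to the
    number of `step`-second periods elapsed since the Unix epoch."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current period and up to `window`
    periods on either side to tolerate clock drift between phone and server; the
    constant-time compare keeps the comparison from leaking how many digits matched."""
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + drift), submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (usually via a QR code);
    this restores the raw key bytes, tolerating lowercase, spaces and missing padding."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Base32 form of the RFC 4226 / RFC 6238 test key "12345678901234567890" (not a real secret).
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(demo_secret)
    print("current code:", code)
    print("server accepts it:", verify_totp(demo_secret, code))
```

The reason this defeats credential stuffing is visible in `verify_totp`: the attacker's stolen password buys nothing without the shared secret, which only the phone and the server hold, and each code is only valid for one short period. Real deployments should additionally refuse to accept the same code twice within its validity window and rate-limit verification attempts, since a 6-digit code is small enough to guess if attempts are unlimited.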
Authentication Request Limits
Have you ever gotten annoyed when you've entered your password incorrectly twice, and the system tells you that you'll be locked out if you are incorrect again? You may wonder why they do that. The answer is security. With so many attempts being made at all times with compromised credentials, a portal can lock an account or block access if there are many attempts against it within a short time frame, or if there are many attempts against different accounts from the same IP address. Banks and financial institutions will even take it a step further and block a financial account if they sense someone is trying to access it illegally.
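Both limits mentioned above (repeated failures against one account, and many different accounts tried from one address) can be enforced with a sliding window over the login log. The following is an added example, not code from the original article or from any specific product: a small limiter replayed over constructed log lines (timestamp, source IP, username, result; the addresses are documentation ranges and the names are invented). The thresholds of five failures per account, five distinct usernames per IP, a 300-second window and a 300-second lockout are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log (not from any real system): "<unix time> <source ip> <user> <OK|FAIL>".
# First block: one address walks through many different accounts (stuffing pattern).
# Second block: one address hammers a single account. Then the real user logs in later.
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000001 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave FAIL
1700000004 203.0.113.7 erin FAIL
1700000005 203.0.113.7 frank FAIL
1700000010 198.51.100.4 alice FAIL
1700000020 198.51.100.4 alice FAIL
1700000030 198.51.100.4 alice FAIL
1700000040 198.51.100.4 alice FAIL
1700000050 198.51.100.4 alice FAIL
1700000400 192.0.2.9 alice OK
1700000500 192.0.2.9 alice FAIL
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")


class LoginLimiter:
    """Sliding-window limits on login attempts, keyed by account and by source IP."""

    def __init__(self, window: int = 300, max_failures: int = 5,
                 max_users_per_ip: int = 5, lockout: int = 300) -> None:
        self.window = window
        self.max_failures = max_failures
        self.max_users_per_ip = max_users_per_ip
        self.lockout = lockout
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)    # user -> failure times
        self.ip_users: Dict[str, Dict[str, int]] = defaultdict(dict)  # ip -> {user: last seen}
        self.locked_until: Dict[str, int] = {}                        # user -> lock expiry
        self.blocked_until: Dict[str, int] = {}                       # ip -> block expiry

    def attempt(self, ts: int, ip: str, user: str, ok: bool) -> Optional[str]:
        """Process one attempt and return the action taken, or None if it was allowed."""
        # Already blocked or locked: reject before the password is even checked.
        if self.blocked_until.get(ip, -1) > ts:
            return "REJECTED_IP"
        if self.locked_until.get(user, -1) > ts:
            return "REJECTED_ACCOUNT"
        # IP-level rule: too many distinct usernames from one address inside the window.
        seen = self.ip_users[ip]
        seen[user] = ts
        for stale in [u for u, t in seen.items() if ts - t >= self.window]:
            del seen[stale]
        if len(seen) >= self.max_users_per_ip:
            self.blocked_until[ip] = ts + self.lockout
            return "BLOCK_IP"
        # Account-level rule: too many failures against one account inside the window.
        if ok:
            self.failures[user].clear()      # a real login resets the failure count
            return None
        fails = self.failures[user]
        fails.append(ts)
        while fails and ts - fails[0] >= self.window:
            fails.popleft()
        if len(fails) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            return "LOCK_ACCOUNT"
        return None


def replay(log_text: str, limiter: Optional[LoginLimiter] = None) -> List[Tuple[int, str, str, str]]:
    """Feed log lines through the limiter and collect every enforcement action."""
    limiter = limiter or LoginLimiter()
    actions = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        ts, ip, user, result = int(match[1]), match[2], match[3], match[4] == "OK"
        action = limiter.attempt(ts, ip, user, result)
        if action:
            actions.append((ts, ip, user, action))
    return actions


if __name__ == "__main__":
    for ts, ip, user, action in replay(SAMPLE_LOG):
        print(f"{ts} {ip:14} {user:6} {action}")
```

Note that alice's legitimate login at 1700000400 succeeds because her lock has expired, and a lockout triggered by an attacker is itself a denial of service against the real user; that is why production systems usually pair short account lockouts with the IP-level rule and with the multi-factor step described above, rather than relying on lockouts alone.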
As you can see, with techniques like credential stuffing, anyone can become a victim of a data breach. If you are an IT manager of a company or an individual concerned with personal data security, then you need to take steps to protect yourself or your business. These methods will help you prevent credential stuffing and keep you safe from a very common hacking technique.