Hypersecu Blog


3 Ways To Prevent Credential Stuffing

As many as 80% of people reuse their usernames and passwords. Are you one of them? If so, read on to learn how to protect yourself.

According to Digital Guardian, 130 accounts are associated with the average email address. A survey by Keeper Security indicates that 87% of respondents aged 18-30 reuse passwords. The statistics don't change very much for an older demographic: among users aged 31 and up, 81% still reuse passwords.

Now, why does this matter? When you use the same username and password for multiple accounts, you leave all of those accounts vulnerable. Billions of credentials are stolen each year. Most people don't think much of it when an inconsequential account is hacked, something small with no credit card or personal information attached. What many don't realize is that if the same username and password are used elsewhere, every one of those other accounts is exposed too. Hacking a bank directly is hard. Hacking a small company with weak security, however, is easy. Once the hacker has a set of usernames and passwords taken from a small company's site, they can use a method called credential stuffing to gain access to more important accounts, like your bank.

What Is Credential Stuffing?

Credential stuffing is when a hacker takes a database of stolen credentials and uses an automated tool that tries each username/password combination against a website until one works. When a combination succeeds, the tool alerts them that they have access, and they can then do what they wish with the account. They might go on a shopping spree or use the information to steal your identity. In fact, the majority of login attempts on websites aren't from real users logging in, but from credential stuffing. Forbes has reported that as many as 90% of logins to online retail stores and 60% of logins to airline sites are attributed to hackers.
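The pattern just described, one source walking a list of leaked credentials against a site, is what a defender looks for in the login logs. The following Python is an added illustration, not code from the original post: it runs over a constructed sample log, flags source addresses that try many different usernames in a short window with almost all of them failing, and lists the accounts such a source did get into. The log line format, the thresholds and all addresses and usernames are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original post); assumed line format:
# "<ISO timestamp> ip=<address> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:01 ip=203.0.113.7 user=carol result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=dave result=ok
2024-03-01T10:00:02 ip=203.0.113.7 user=erin result=fail
2024-03-01T10:00:03 ip=203.0.113.7 user=frank result=fail
2024-03-01T10:05:00 ip=198.51.100.4 user=alice result=fail
2024-03-01T10:05:20 ip=198.51.100.4 user=alice result=ok
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Return (timestamp, ip, user, result) tuples, skipping lines that do not match."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4]) for m in matches if m]

def find_stuffing_sources(events, window=timedelta(minutes=1), min_users=5, max_success_rate=0.2):
    """Flag source IPs that try many different usernames inside one window with a low success rate."""
    # A person retrying their own account hits one username; a tool walking a leaked list hits many.
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, best = 0, None
        for end in range(len(attempts)):                 # sliding time window over this IP's attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            ok = sum(1 for _, _, r in win if r == "ok")
            if (len(users) >= min_users and ok / len(win) <= max_success_rate
                    and (best is None or len(users) > best["distinct_users"])):
                best = {"distinct_users": len(users), "attempts": len(win), "successes": ok}
        if best:
            flagged[ip] = best
    return flagged

def compromised_accounts(events, flagged):
    """Accounts a flagged source logged into: the attacker already holds those passwords, so reset them."""
    return {user for _, ip, user, result in events if ip in flagged and result == "ok"}
```

The successful login from the flagged address is the important output: it looks like a normal login on its own, yet that account's password is already in the attacker's hands.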

With password reuse being so common, what can businesses do to protect their employees? What can individuals do to protect their accounts?

Change passwords

No one likes this, and in reality, it's not very practical. But it is the quickest solution and costs the user nothing other than a bit of effort.

Here are some quick tips to create a secure password:

  • Make them complex, 10 characters long
  • Mix symbols, numbers, and upper- and lower-case letters
  • Never use the same password on another site, even if you have 130 accounts
  • Change them every month

It can be pretty inconvenient, but it's a simple way to keep things secure.

Overall rating: 3/10

It's time-consuming and complicated. If you're someone with only one or two accounts, it's a great solution. Unfortunately, many of us have dozens of accounts across many sites, and changing all of those passwords on a regular basis could take quite a bit of time out of your day.

Use a Password Manager

A password manager lets you create long, complicated passwords without struggling to remember each one or writing them down somewhere, such as in a notebook that can be stolen. However, keep in mind that the password manager itself is still secured by a password of its own, and as we all know, static passwords are vulnerable to theft. In addition, when a password manager fills in your username/password on a website, you can still fall victim to phishing attacks.

Overall rating: 5/10

Password managers work well on desktops, but they still need to be updated monthly with new passwords, which is time-consuming. They also remain entirely reliant on passwords alone to secure your accounts, which is something to move away from.

Use FIDO U2F Security Keys

Security keys are the wave of the future for online security. Google's entire staff uses FIDO U2F security keys for authentication; it's a trend at many major companies, and more and more sites support it. Not only are they secure and easy to use, they're also very affordable.

How do they work? Just sign in with a username and password, then press a button on your security key to prove that you're a) physically there and b) in possession of the right key. That way, if a hacker gets your information, they can't do anything with it unless they physically obtain your security key, too. This makes security keys a great choice for combating real-time attacks, and they stop credential stuffing attacks instantly. Best of all, whatever site you frequent is likely already supported. The ever-growing list of services supporting FIDO U2F includes Salesforce, Google, Microsoft, Dropbox, GitHub, Duo, Dashlane, Facebook, RSA, Twitter, IBM and more.
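The sign-in flow just described, modelled as an added example that is not code from the post or from any real authenticator: the site checks the password, then sends a fresh challenge that only the enrolled key can sign, and the key signs only after a button press and only for the site it was enrolled with. Real U2F uses a per-site ECDSA key pair; here an HMAC over a secret that never leaves the key stands in for that signature so the example runs on the standard library alone, and the site names, usernames and passwords are constructed.

```python
import hashlib, hmac, secrets

class SecurityKey:
    def __init__(self):
        self._device_secret = secrets.token_bytes(32)   # never leaves the key
        self._counter = 0                                # increases on every touch
    def _site_key(self, app_id, handle):
        # Per-site key derived from the device secret (stands in for a per-site ECDSA key pair)
        return hmac.new(self._device_secret, handle + app_id.encode(), hashlib.sha256).digest()
    def register(self, app_id):
        handle = secrets.token_bytes(16)                 # opaque key handle the site stores
        return handle, self._site_key(app_id, handle)    # second value: what the site verifies with
    def sign(self, app_id, handle, challenge, button_pressed):
        if not button_pressed:
            raise RuntimeError("user presence required")  # the "press a button" step
        self._counter += 1
        msg = app_id.encode() + challenge + self._counter.to_bytes(4, "big")
        return self._counter, hmac.new(self._site_key(app_id, handle), msg, hashlib.sha256).digest()

class Website:
    def __init__(self, app_id):
        self.app_id = app_id
        self.users = {}   # username -> [password_hash, handle, verify_key, last_counter]
    def enroll(self, username, password, key):
        handle, verify_key = key.register(self.app_id)   # toy hash below; use a slow password hash in practice
        self.users[username] = [hashlib.sha256(password.encode()).digest(), handle, verify_key, 0]
    def begin_login(self, username, password):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0], hashlib.sha256(password.encode()).digest()):
            return None
        return secrets.token_bytes(32), rec[1]           # fresh challenge plus the key handle
    def finish_login(self, username, challenge, counter, signature):
        rec = self.users[username]
        msg = self.app_id.encode() + challenge + counter.to_bytes(4, "big")
        expected = hmac.new(rec[2], msg, hashlib.sha256).digest()
        if counter <= rec[3] or not hmac.compare_digest(expected, signature):
            return False                                  # replay, cloned key, other origin, or no key
        rec[3] = counter
        return True

def login_with_key(site, username, password, key, signing_app_id=None):
    # Password step, then the key signs the site's challenge; signing_app_id simulates a look-alike site
    step = site.begin_login(username, password)
    if step is None:
        return False
    challenge, handle = step
    counter, sig = key.sign(signing_app_id or site.app_id, handle, challenge, button_pressed=True)
    return site.finish_login(username, challenge, counter, sig)
```

With the password alone, an attacker reaches the challenge step but cannot produce a signature the site accepts, which is why a stuffed credential pair on its own gets them nowhere.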

Overall Rating: 9/10

FIDO U2F security keys offer a high level of security matched with a great convenience factor.
