background image


What is Credential Stuffing?


Passwords are often the weakest link. You use your dog names, cat names, partner, anniversary date or, our favourite, the seasons. Right now, we’re seeing a lot of Spring2020 and Summer2020 because it’s easier than having to remember a unique password every 90 days. It’s far easier to set the same password on every website and remember one… or is it? Credential stuffing is when a password you set is compromised on one platform, and the attacker tries to use it on all other platforms in order to monetize their list of passwords. Two-factor authentication enabled? No problem, they’ll try Instacart, Canadian Tire, PC Optimum or the CRA.

Password Attacks: Explained

Before digging into Credential Stuffing, it is important to first outline the various other attacks on passwords that we and the attackers use. They can be as simple as guessing from a dictionary, brute force attempting all possible combinations of letters, numbers, & symbols, making use of a single password (Welcome1), or just asking for your password via a phishing email.

  • Dictionary Attack: A dictionary attack is exactly as it sounds. It’s when an attacker walks a list of words in a dictionary (or past password breaches) and tries to guess your password. If unsuccessful, attackers try adding years, special characters (e.g., !, @, #, etc.), adjusting case and several other techniques.

  • Bruteforce Attack: A bruteforce attack is by far the most time-consuming. Most often, brute force attacks are sequential (e.g., aaa, aab, aac, aad). This is why password complexity matters so much. Uppercase, lowercase, numbers, special characters all add to your password complexity and make attacks even more time-consuming.

  • Password Spraying Attack: Account lockouts and brute force protection is often a problem. If the account being targeted by an attacker becomes locked out, it’s often not possible to try another password until the account is unlocked after the predetermined wait period. Instead of targeting one account, attackers target all accounts with a very targeted list of top 2-5 passwords to avoid lockouts. We’ve also found weak passwords are popular, and the top weakest passwords affect 1 out of 5 employees. Welcome1 often results in a compromise of 25-30% of staff.

  • Phishing Attack: Although not a conventional password attack, Phishing must be mentioned here because it’s how most employee’s handover their password. Phishing attacks are very common. It’s that Microsoft Office365 link that doesn’t seem to work, the Google Doc someone shared that wants you to sign in before sharing. Be very careful with e-mails from sources you do not trust. Never type in your password unless you’re confident.

  • Credential Stuffing Attack: Now that one of your passwords is compromised, attackers will try to figure out where else you’ve used those passwords because most people reuse passwords which is a fairly dangerous practice. Based on your location, attackers will figure out (sometimes by reading your email) which accounts you have. In other cases, they have lists of compromised usernames and passwords and they’re targeting the vendor (e.g., Instacart, Canadian Tire, PC Optimum) 

Is Credential Stuffing a Cybersecurity Breach?

While this is often reported as a breach or compromise, it is not. This is like losing your keys in the street and a burglar uses them to unlock your front door. They did not compromise the security of your home (by breaking a window or kicking in a door), they simply used your keys to open the door. You must use unique keys for each lock (or website) you use to limit its value if compromised.

This is a similar technique that administrators employ by reducing the life of a credential (i.e., change your password every 120 days). If your password is compromised, it can only be used for a limited amount of time. This is also why attackers love victims who merely increment their password to avoid remembering another. (e.g., Welcome1 becomes Welcome2). Don’t do this.

Credential Stuffing exploits the user’s tendency to reuse passwords. While it may impact hundreds or even thousands of accounts, it is not a breach but it does bring to light the requirement for two-factor authentication among other best practices.

How can you reduce the risk of a Credential Stuffing attack?

To reduce the likelihood of a Credential Stuffing attack, there are five critical controls that must be considered. They include: using unique passwords for each website, leverage a password manager, choosing strong passwords or passphrases, implementing two-factor authentication, and performing corporate password audits.

  • Unique Passwords: Choosing unique passwords is the first step to avoiding having your accounts compromised through credential stuffing attacks. If your password is unique, there’s no way that it will work on any other website. Avoid putting the website name into your password. Attackers are very intelligent and can easily guess that AmazonPass123 for Amazon means they should try GmailPass123 for Gmail.

  • Password Manager: Leveraging a Password Manager like LastPass, 1Password or any others, will help identify passwords that are compromised, reused or weak. LastPass as an example provides a security score and notifies you if any of your accounts may have been compromised.

  • Strong Passwords: Attackers need to figure out your password somehow and choosing a strong password, to begin with, reduces the likelihood of a dictionary attack or a bruteforce attack. Websites (should) store your password in a one-way hash that has been salted so that once they have been compromised, they must crack your password with either a dictionary or brute force attack. Choosing a strong password makes this far more time-consuming. Reducing the life of your password (90-120 days) may make this more difficult to crack in time. Specops Software has a great product to help combat dictionary-based passwords.

  • Two-factor Authentication: When an attacker compromises your password, two-factor is capable of rendering the password useless during authentication. After implementing two-factor authentication (i.e., logging in with the second factor of authentication: something you are, something you have) the attacker will be unable to complete the second step unless they first compromise your token or biometric.

  • Password Audits: At a corporate level, password audits simulate an attacker obtaining access to your corporate password database and attempting to compromise corporate passwords using various techniques. This is how we help organizations combat prevalent use of Spring2020, Summer2020, Company1 and more. A password audit is also helpful in identifying common root words, challenges with length and complexity, and passwords that have already been compromised.


In summary, Credential Stuffing is avoidable. It’s a problem that customers, employees, and everyone in between has created, but it’s possible to mitigate with the correct controls, education, and auditing countermeasures; these are vital to protect your business and reputation. The news headlines often read “Company XYZ breached and thousands of accounts for sale on the dark web” and never “John and Karen used the same password on every website”.

Two-factor authentication must be implemented wherever possible to reduce the effectiveness of passwords even after they’re compromised. At Packetlabs, we start our Penetration Testing by first exploring past password breaches and seeing if they provide insight into the passwords used by your staff. We do our best to find and flag any opportunity that an attacker may use to obtain unauthorized access to your systems. Schedule your Penetration Test today. Contact us to learn more about how we can help.