NCSAM 2019 - Credential stuffing, how your password can be used against you


Welcome to the first weekly installment of National Cybersecurity Awareness Month (NCSAM).  

With every online service prompting for a login, our credentials (e.g. passwords) have become the gatekeepers to our digital lives. Yet credential-based attacks are on the rise and have become the favored tactic of attackers and cybercriminals. According to the 2019 Verizon Data Breach Investigations Report, roughly 29% of data breaches involved the use of stolen credentials. These attacks succeed in part because of how we, as humans, tend to create and use passwords.


Behavioral tendencies when it comes to passwords

A recent Virginia Tech study compiled a dataset of more than 61 million passwords for approximately 29 million users. These usernames and passwords were gathered from 107 online services that had suffered a breach over a period of 8 years. In analyzing the data, researchers uncovered some surprising human tendencies and behaviors when it came to creating and using passwords. They found that roughly 38% of the users had reused the same password on multiple sites. Online shopping websites, which store sensitive credit information and home addresses, had the highest ratio of reused passwords at 85%, while email services came in second, with more than 62% of passwords having been reused. Researchers also discovered that password complexity requirements had the opposite of the intended effect, decreasing security because password changes resulted in new passwords with less variance. Their custom-developed algorithm was successful in guessing 30% of the changed passwords in less than 10 attempts.

Using the same dataset, other researchers uncovered the practice of creating passwords using a method coined “password walking” - pressing adjacent keys on the keyboard in a predictable pattern to appear random. Other findings were the tendencies to create passwords based on societal references and cultural influences. With potentially hundreds of accounts, it's not difficult to see that people just have a difficult time creating and memorizing good passwords.


Problematic Passwords: Password Walking

Image Source: Dashlane
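A password-change form can catch "password walking" before the password is accepted. The following is an added example, not code from the study or from ITS; the US QWERTY layout, the function names and the thresholds are assumptions chosen for illustration.

```python
# Added example: flag passwords built from runs of physically adjacent keys.
# Assumes a US QWERTY layout; thresholds are illustrative, not from the page.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")  # shifted digits -> digits

def adjacent(a, b):
    """True if keys a and b touch, allowing for the stagger between rows."""
    if a not in POS or b not in POS:
        return False
    (ra, ca), (rb, cb) = POS[a], POS[b]
    dr, dc = rb - ra, cb - ca
    return ((dr == 0 and abs(dc) == 1)        # left/right neighbour
            or (dr == 1 and dc in (-1, 0))    # row below
            or (dr == -1 and dc in (0, 1)))   # row above

def walk_stats(password):
    """Return (longest adjacent-key run in characters, fraction of adjacent steps)."""
    s = password.lower().translate(UNSHIFT)
    if len(s) < 2:
        return len(s), 0.0
    steps = [adjacent(a, b) for a, b in zip(s, s[1:])]
    longest = run = 1
    for hit in steps:
        run = run + 1 if hit else 1
        longest = max(longest, run)
    return longest, sum(steps) / len(steps)

def is_keyboard_walk(password, min_run=5, min_fraction=0.7):
    """Reject a password that is one long walk or mostly made of short walks."""
    longest, fraction = walk_stats(password)
    return longest >= min_run or (len(password) >= 4 and fraction >= min_fraction)

SAMPLES = ["qwerty", "1qaz2wsx", "Zaq1@wsx", "turquoise trombone"]  # constructed

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:22} walk={is_keyboard_walk(pw)} stats={walk_stats(pw)}")
```

The fraction test matters because a pattern such as 1qaz2wsx is two short column walks, which a longest-run check alone would miss.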


Using our passwords against us

Attackers exploit these human tendencies and behaviors to their advantage. To begin, an attacker simply obtains a large cache of previously exposed usernames and passwords. For example, the same set of usernames and passwords compiled by the Virginia Tech study is also available for sale or download on the dark web. Much larger databases, such as the infamous “Collection 1” containing a whopping 773 million records, are bartered, sold and traded amongst cybercrime gangs. Coupled with our tendencies and the increasing number of compromised websites, life will only get easier for the attacker.

Once compiled, these massive lists are used in hacking tools that automatically log in to online services and websites by attempting each username and password combination. This attack technique, referred to as credential stuffing, takes advantage of our tendency to reuse passwords. The convenience of reusing a password has now become an advantage to attackers, as they only have to try a limited number of passwords before successfully guessing the correct one. These attacks take very little time to complete and are performed using botnets: large armies of compromised machines controlled by an individual or cybercrime group. Once any password has been compromised, leaked or made publicly known, it can easily be used in a credential stuffing attack.

Image source: Cloudflare
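On the defending side, credential stuffing leaves a recognizable trace in login logs: one source trying many different usernames and failing on most of them. The following is an added example, not code from ITS or any vendor; the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical log format; documentation-range IPs).
SAMPLE_LOG = """\
2019-10-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-10-01T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2019-10-01T09:00:02Z src=203.0.113.7 user=carol result=FAIL
2019-10-01T09:00:03Z src=203.0.113.7 user=dave result=OK
2019-10-01T09:00:04Z src=203.0.113.7 user=erin result=FAIL
2019-10-01T09:00:05Z src=203.0.113.7 user=frank result=FAIL
2019-10-01T09:01:10Z src=198.51.100.20 user=grace result=FAIL
2019-10-01T09:01:25Z src=198.51.100.20 user=grace result=FAIL
2019-10-01T09:01:40Z src=198.51.100.20 user=grace result=OK
2019-10-01T09:02:00Z src=192.0.2.44 user=heidi result=OK
2019-10-01T09:02:30Z src=192.0.2.44 user=ivan result=OK
2019-10-01T09:03:00Z src=192.0.2.44 user=judy result=FAIL
2019-10-01T09:03:05Z src=192.0.2.44 user=judy result=OK
2019-10-01T09:04:00Z src=192.0.2.44 user=kim result=OK
""".splitlines()

LINE = re.compile(r"\S+ src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def find_stuffing(lines, min_users=4, max_success_ratio=0.25):
    """Flag sources that try many distinct usernames and mostly fail."""
    tried, succeeded, attempts = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a login event
        tried[m["src"]].add(m["user"])
        attempts[m["src"]] += 1
        if m["result"] == "OK":
            succeeded[m["src"]].add(m["user"])
    report = {}
    for src, users in tried.items():
        ratio = len(succeeded[src]) / len(users)
        # One person mistyping a password hits one username; a shared office
        # address hits many usernames but most of them succeed.
        if len(users) >= min_users and ratio <= max_success_ratio:
            report[src] = {"usernames": len(users), "attempts": attempts[src],
                           "takeover_candidates": sorted(succeeded[src])}
    return report

if __name__ == "__main__":
    for src, info in find_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The accounts listed under takeover_candidates are the ones that need a forced password reset. Because these attacks are spread across botnets, per-source counting is a starting point rather than complete coverage.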


Account takeovers and Business Email Compromise

The end result of a credential stuffing attack is an account takeover. With access to your account, an attacker can impersonate you and take actions on your behalf. Depending on the type of account, damages could range from minor inconveniences to significant financial or reputational ruin. For example, losing access to your Twitter or social media account can result in an embarrassing tweet or message to a friend or colleague. However, if your email account is compromised, an attacker can read all your emails and send some on your behalf. An attacker can also delete any sent emails, masking their access and making incident response or security investigations more difficult. With access to your email account, an attacker can also perform a password reset on other services and websites where that email address is registered, further extending access into your digital life.

Business Email Compromise (BEC) is a particular type of account takeover. As noted by the Federal Bureau of Investigation, BECs are becoming an increasingly significant threat to both individuals and organizations. Leveraging a compromised email account, a cybercriminal can persuade other employees in the organization to take seemingly legitimate actions. For example, fraudulent actions could include initiating a payment or wire transfer to a foreign account, or requesting a direct deposit change that redirects a monthly paycheck to someone else. 


Light at the end of the password tunnel

Hopefully, we can now see the daisy chain of events that starts with picking a simple password, or choosing to reuse the same password on another site. For this year’s National Cybersecurity Awareness Month (NCSAM), we want to stress the importance of securing your own accounts, both at Colgate and at home. While shining a light on the cybercriminal underground can look dreary, all hope is not lost. There are many proactive steps we can take to ensure we don’t fall victim. Follow these tips and guidelines for securing your credentials and managing your passwords.

  • Think of passphrases, not passwords - A longer password is generally more secure. Consider stringing together words to form a longer phrase. 
  • Make it unique - Start with creating a new unique password for the most critical accounts, such as email and banking. When possible, make all your passwords unique. 
  • Make it memorable - Picturing the words in your head, such as a turquoise trombone, will make them difficult to guess but easier to remember. 
  • Enable Two Factor Authentication (2FA) - Passwords alone are not enough, so enable 2FA wherever it is supported. 2FA will send a separate confirmation to a device or account to verify it is indeed you trying to log in.
  • Use a password manager - Password managers can generate and store strong, unique passwords for each of your accounts. The password data is encrypted and stored in the cloud or on your device so you do not need to memorize them.


Was this information useful? We're always adapting and changing, just like hackers. Please feel free to send us feedback. We'd love to hear from you and make Colgate more secure.