Why Password Variation Is Critical: Credential Cracking & Credential Stuffing


Recently, there have been two high-profile customer data breaches in the news that are examples of credential cracking and credential stuffing: on November 9th at Dell Computers and on October 31st at Dunkin Donuts. The Dunkin Donuts incident required all DD Perks members to change their passwords. Let’s dig a little deeper and look at the significance of these data breaches and what hackers are busy doing these days.

Credential cracking has been around for a while. Using a software application that runs automated tasks over the Internet (a.k.a. a bot), a hacker takes a list of user accounts (without passwords) and, by deploying a brute-force attack, keeps trying word and character combinations until the password associated with an account is found. Once the password has been obtained (or “cracked”), the hacker can easily change it so that the original user no longer has access. Because many people use the same password across numerous accounts, the hacker then tries that same username and password combination against other accounts and sites, a practice known as credential stuffing.
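As an added illustration (not code from the original post), here is a small defender-side detector that tells the two patterns apart in a constructed login log: credential cracking shows up as many failures against one account from a source, credential stuffing as one or two failures each across many accounts from the same source, often followed by a success where a password was reused. The log format, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data), one attempt per line:
# timestamp, source IP, username, outcome. It spans seconds, so no time windowing.
SAMPLE_LOG = """\
2018-11-09T10:00:01 203.0.113.5 alice FAIL
2018-11-09T10:00:02 203.0.113.5 bob FAIL
2018-11-09T10:00:03 203.0.113.5 carol FAIL
2018-11-09T10:00:04 203.0.113.5 dave FAIL
2018-11-09T10:00:05 203.0.113.5 erin SUCCESS
2018-11-09T10:00:01 198.51.100.7 admin FAIL
2018-11-09T10:00:02 198.51.100.7 admin FAIL
2018-11-09T10:00:03 198.51.100.7 admin FAIL
2018-11-09T10:00:04 198.51.100.7 admin FAIL
2018-11-09T10:00:07 192.0.2.9 alice FAIL
2018-11-09T10:00:20 192.0.2.9 alice SUCCESS
"""

def parse_log(text):
    """Yield (source_ip, username, outcome) from the space-separated format above."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, user, outcome = line.split()
            yield src, user, outcome

def classify_sources(text, min_failures=4, stuffing_ratio=0.8):
    """Label each source IP as credential_stuffing (failures spread over many distinct
    accounts: the attacker replays leaked username/password pairs), credential_cracking
    (failures piled onto one account: brute-force guessing) or normal. Also returns the
    accounts a stuffing source then logged into, which need a forced password reset."""
    failures = defaultdict(list)   # src -> usernames whose login failed
    successes = defaultdict(set)   # src -> usernames whose login succeeded
    for src, user, outcome in parse_log(text):
        if outcome == "FAIL":
            failures[src].append(user)
        else:
            successes[src].add(user)
    verdicts, compromised = {}, set()
    for src in set(failures) | set(successes):
        fails = failures[src]
        distinct = len(set(fails))
        if len(fails) >= min_failures and distinct / len(fails) >= stuffing_ratio:
            verdicts[src] = "credential_stuffing"
            compromised |= successes[src]   # the attacker got in with a reused password
        elif len(fails) >= min_failures and distinct == 1:
            verdicts[src] = "credential_cracking"
        else:
            verdicts[src] = "normal"
    return verdicts, compromised
```

The thresholds are deliberately crude; in a real deployment you would bucket attempts by time window and tune them against your own baseline of legitimate failed logins.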

Many of us have had the experience of trying to log in to a site we used before and finding that our credentials no longer work. This is a very popular hacker tactic to use on Gmail and Yahoo email accounts, since the usernames are so readily available. This hijacking of our accounts is not only frustrating but also costly.

Newer hacking software tools are both inexpensive and readily available, enabling hackers to take all of the username and password combinations they have discovered and launch new attacks on multiple sites. These sites include banks, department stores, utilities, and online commerce platforms, which generally store sensitive information such as bank account and credit card numbers.

In a few cases, hackers who have discovered multiple username and password combinations for a particular site will use that information to convince the site’s operators that it has been breached, and then extort money in exchange for deleting the data they acquired. And when a site does get breached and multiple credentials are stolen, credential stuffing activity picks up dramatically as hackers try to find other accounts and sites that use the same login/password combinations.

If you are diligent about your online security and you do not ever reuse a password, then credential stuffing could never work against you. Unfortunately, according to one recent survey, 81% of users have reused a password across two or more sites, and 25% of users employ the same password across a majority of their accounts. Juggling and recalling numerous passwords for all your accounts may seem arduous, but there are numerous password apps and software available to help you manage this necessary function. The conclusion is obvious: don’t use the same password across multiple sites or you will make yourself vulnerable to hackers and their credential stuffing campaigns.

If you have concerns about the security of your business data or about the password security of your employees, please give us a call.

Authored by Donald Nokes