Credential Stuffing - Hackers, Password Managers and Us
I've written about passwords, password management, and how to overcome our limited capacity to remember things in the past, but last month's LastPass issue (reported on Bleeping Computer) highlights an interesting case.
This event started for the LastPass users like this...
Someone tried my @LastPass master password earlier yesterday and then someone just tried it again a few hours ago after I changed it. What the hell is going on?— Valcrist (@Valcristerra) December 28, 2021
Now, as it turns out, the LastPass security alert system allegedly sent out alerts "in error":
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
Which is great news for LastPass users (and LastPass themselves). But the first theory suggested by LastPass was that someone was Credential Stuffing. And that's what I want to talk about.
As you may or may not know, there is at least one enormous, curated list of compromised credentials for sale on the darker side of the internet. And while I've never laid eyes on it, it's part of the source behind the fantastic website haveibeenpwned, which allows people to check their email address or a password to see if either turns up in these lists.
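The password side of that check works without the full password ever leaving your machine: only the first five hex characters of its SHA-1 hash are sent, and the remaining 35 are matched locally against the list the service returns for that prefix. The following is an added example (not haveibeenpwned's own code) that implements that k-anonymity range check; the breach counts in the constructed corpus are made up so the example runs offline, and `constructed_fetch_range` stands in for the live `GET https://api.pwnedpasswords.com/range/<prefix>` call.

```python
from __future__ import annotations

import hashlib

# Pwned Passwords range lookup, re-implemented here as an illustration.
# Only the 5-char SHA-1 prefix is ever sent; the suffix is matched locally.


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of `password` into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse '<suffix>:<count>' lines, as returned by /range/<prefix>, into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how often `password` appears in the corpus, 0 if it does not.

    `fetch_range(prefix)` must return the response body for that 5-char prefix;
    a live implementation would GET https://api.pwnedpasswords.com/range/<prefix>.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    # Entries with a count of 0 are padding the API may add; treat them as "not found".
    return counts.get(suffix, 0)


# --- Constructed stand-in for the live API so the example runs offline ------------
# These counts are made up for this example; they are not real breach figures.
_CONSTRUCTED_CORPUS = {
    hashlib.sha1(b"password").hexdigest().upper(): 3_861_493,
    hashlib.sha1(b"letmein").hexdigest().upper(): 123_456,
    hashlib.sha1(b"qwerty").hexdigest().upper(): 50_000,
}


def constructed_fetch_range(prefix: str) -> str:
    """Behave like the range endpoint: return every corpus suffix sharing `prefix`."""
    lines = [
        f"{digest[5:]}:{count}"
        for digest, count in _CONSTRUCTED_CORPUS.items()
        if digest.startswith(prefix)
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, constructed_fetch_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in corpus")
```

Because the service only ever sees a five-character prefix shared by hundreds of hashes, it cannot tell which password was checked, which is why the check is safe to run against a third party at all.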
Now, Credential Stuffing is the process of taking a known username and password pair and trying to gain access elsewhere with that same pair. OWASP categorises it under Brute Force because the probing is done in the same way, but it is more targeted: instead of guessing, it tries only the known username and password pairs across various systems.
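That targeting is what makes credential stuffing look different in an authentication log from a classic brute-force attack: a brute-forcer hammers one account with many passwords, whereas a stuffer sends one attempt each to many different accounts from the same source, with a low but non-zero success rate. The following added example (my own illustration, not part of the original post) runs that heuristic over a few constructed log lines; the log format and the IP addresses are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any real system): one line per login attempt.
SAMPLE_AUTH_LOG = """\
2021-12-28T03:14:01Z ip=198.51.100.23 user=alice result=failure
2021-12-28T03:14:02Z ip=198.51.100.23 user=bob result=failure
2021-12-28T03:14:02Z ip=198.51.100.23 user=carol result=failure
2021-12-28T03:14:03Z ip=198.51.100.23 user=dave result=success
2021-12-28T03:14:03Z ip=198.51.100.23 user=erin result=failure
2021-12-28T03:14:04Z ip=198.51.100.23 user=frank result=failure
2021-12-28T03:14:04Z ip=198.51.100.23 user=grace result=failure
2021-12-28T03:14:05Z ip=198.51.100.23 user=heidi result=failure
2021-12-28T03:20:11Z ip=203.0.113.7 user=ivan result=failure
2021-12-28T03:20:19Z ip=203.0.113.7 user=ivan result=failure
2021-12-28T03:20:31Z ip=203.0.113.7 user=ivan result=success
2021-12-28T03:25:00Z ip=192.0.2.44 user=judy result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_auth_log(text):
    """Turn the constructed log format into a list of event dicts; skip unparseable lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.25):
    """Flag source IPs that tried many *different* usernames with mostly failures.

    Many users from one IP separates stuffing from brute force (one user, many tries);
    the low-but-non-zero success rate is the tell that the pairs came from a breach list.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["result"] == "success":
            stats["successes"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["successes"],
                "success_rate": round(rate, 3),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"possible credential stuffing from {ip}: {info}")
```

In the sample, 198.51.100.23 is flagged (eight usernames, one success) while ivan's three fat-fingered attempts from 203.0.113.7 are not. In production you would bucket the counts by time window and by username-per-IP ratio rather than over the whole log, and treat the one "success" from a flagged source as the account to force a password reset and MFA enrolment on.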
Important takeaways from the idea of Credential Stuffing:
Use Multi-Factor Authentication
MFA is becoming more and more available, for good reason. Having a second login factor that isn't a "known" thing like a password has almost become a requirement.
Don't reuse passwords for important systems
If you have unimportant accounts where you don't mind them being taken away from you, being impersonated on those platforms, or having all the personal information you've given those services harvested, then sure, why not.
Avoid using simple & obvious incremental parts in your passwords
Once the cat is out of the bag, list curators and attackers can see your passwords, and it then becomes trivial to raise or lower any numeric part by one.
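A password policy can catch this on the defending side: when a user changes a password, reject the new one if it is only the old (or a known-breached) one with its number nudged. The following is an added example of such a check (my own illustration, not from the original post); the split into stem, number and trailing symbols is an assumption about the patterns people actually use.

```python
import re

# stem (anything), then an optional run of digits, then optional trailing symbols.
# The lazy stem makes the digits group grab the whole trailing number ("Hunter" + "10").
_SPLIT_RE = re.compile(r"^(?P<stem>.*?)(?P<num>\d*)(?P<tail>[^A-Za-z0-9]*)$")


def split_password(pw: str):
    """Return (stem, numeric part, trailing symbols) for a password string."""
    m = _SPLIT_RE.match(pw)
    return m["stem"], m["num"], m["tail"]


def is_incremental_variant(candidate: str, previous: str, max_delta: int = 1) -> bool:
    """True if `candidate` is `previous` with only its number changed by <= max_delta.

    Case of the stem and any trailing symbols are ignored, because "Summer2022!" vs
    "summer2021" is exactly the kind of change an attacker holding the old one will try.
    A missing number counts as 0, so "Summer" -> "Summer1" is also a trivial increment.
    """
    c_stem, c_num, _ = split_password(candidate)
    p_stem, p_num, _ = split_password(previous)
    if c_stem.lower() != p_stem.lower():
        return False
    c_val = int(c_num) if c_num else 0
    p_val = int(p_num) if p_num else 0
    return abs(c_val - p_val) <= max_delta


def check_password_change(candidate: str, previous_passwords) -> list[str]:
    """Return the reasons a change should be rejected (empty list means accept)."""
    reasons = []
    for old in previous_passwords:
        if candidate == old:
            reasons.append("identical to a previous password")
        elif is_incremental_variant(candidate, old):
            reasons.append("trivial increment of a previous password")
    return reasons


if __name__ == "__main__":
    # Constructed password history for the example; not real credentials.
    history = ["Summer2021", "Password1!"]
    for new in ("Summer2022", "password2!", "Tr0ub4dor&3"):
        verdict = check_password_change(new, history) or ["ok"]
        print(f"{new!r}: {verdict}")
```

Checking the new password against a user's own history is only possible where the old plaintext is still available at change time (it is, during a change that requires the old password); for breached lists you would run the same comparison against the stem of the leaked entry rather than the hash.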
Make use of a Password Manager
Like LastPass, there are a bunch of different password manager offerings out there, some online and centralised, some offline and local to you. For example:
Offline / Local: KeePass is Windows only with a dated look, but it is very useful and allows nesting of folders. It also has a very long list of unofficial versions for other platforms like Android, iOS, OSX, Blackberry and various browsers (KeePassXC is one of those versions and runs on Windows, Mac and Linux). Swifty may turn out nicely, but it hasn't reached release 1.0.0 yet, so we'll see.