Jun 04 2021

How to hack into 5500 accounts… just using “credential stuffing”

Category: Information Security,Password SecurityDISC @ 2:41 pm

We all ought to know by now that passwords that are easy to guess will get guessed.

We recently reminded ourselves of that by guessing, by hand, 17 of the top 20 passwords in the Have I Been Pwned (HIBP) Pwned Passwords database in under two minutes.

We tried the 10 all-digit sequences 112123 and so on up to 1234567890, and eight of them were in the top 20.

Then we tried other obvious digit combos such as 000000111111 and 123123 (we started with six digits because that’s Apple’s current minimum length, and because we noted that 123456 came out well ahead of 12345 and 1234).

The others were equally easy: qwertypasswordabc123password1iloveyou and qwertyuiop, the last being a useful reminder that length alone counts for very little.

Strong enough for everything?

What to do?

  • Don’t re-use passwords. And don’t try to invent a technique for modifying each password slightly from an original template to make them seem different, because the crooks are on the lookout for that.
  • Consider a password manager. Password managers generate random and unrelated passwords for each account, so there are no similarities a crook could figure out, even if one of the password gets compromised. Remember that you don’t have to put all your passwords into the manager app if you don’t want to: it’s OK to have a special way of dealing with your most important accounts, especially if you don’t use them often.
  • Turn on 2FA if you can. Two-factor authentication doesn’t guarantee to keep the crooks out, but it stops attacks like this one from being carried out so easily and on such a broad scale, because the passwords alone would not have been enough.
  • Report payment anomalies. Obviously, you need to look for outgoing payments that shouldn’t have happened, and for incoming payments that never arrived. But also look out for outgoing payments that somehow failed when they should have gone through, or for incoming funds you didn’t expect, no matter how small the amount. The sooner you report any errors, even if you didn’t lose any money, the sooner you help both yourself and everyone else.

Leave a Reply

You must be logged in to post a comment. Login now.