Learning Password Security Jargon: What Is Credential Stuffing and How It Will Get You

Monica Webster

You came up with a strong password. It has everything: numbers, uppercase letters in the middle, a couple of well-placed ^s and $s, and it ends with an upside-down question mark. Perfect. Now you can use this password on every one of your accounts.

And that’s how they get you.

Do not reuse your password, please

Your password can be virtually unguessable, but it won’t matter when a website you visit gets hacked, and that ultra-secure password ends up on the web. And once your login credentials are out, hackers can use them to get into your other accounts.

This is the essence of credential stuffing. If you reuse your passwords, hackers can reuse them too.
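The reuse problem described above, as an added example that is not part of the original article: a Python sketch that reads a password-manager export and reports which accounts share a password, and which would open to a replay of the credentials leaked from one breached site. The sample data is constructed and the CSV column names are assumptions.

```python
import csv, hashlib, hmac, io, os
from collections import defaultdict

# Constructed sample export, not real accounts. Column names are assumed.
SAMPLE_EXPORT = """site,username,password
shop.example,ana@example.com,Tr0ub4dor^$x
forum.example,ana@example.com,Tr0ub4dor^$x
bank.example,ana@example.com,c7!Vq-unique-91
mail.example,ana.k,Tr0ub4dor^$x
video.example,ana@example.com,h2#Lm-unique-44
"""

def load_accounts(text):
    """Parse the CSV export into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(text)))

def reuse_groups(accounts):
    """Return lists of sites that share one password (groups of 2 or more).
    Passwords are compared through a throwaway-keyed HMAC so the report
    never carries plaintext or a hash that is stable across runs."""
    key = os.urandom(32)
    groups = defaultdict(list)
    for acct in accounts:
        tag = hmac.new(key, acct["password"].encode(), hashlib.sha256).digest()
        groups[tag].append(acct["site"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)

def exposed_by_breach(accounts, breached_site):
    """Sites where the exact username/password pair leaked from
    breached_site also logs in, i.e. what a replay of that pair opens."""
    leaked = {(a["username"], a["password"])
              for a in accounts if a["site"] == breached_site}
    return sorted(a["site"] for a in accounts
                  if a["site"] != breached_site
                  and (a["username"], a["password"]) in leaked)

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    for sites in reuse_groups(accounts):
        print("same password on:", ", ".join(sites))
    for site in ("shop.example", "bank.example"):
        print(f"breach of {site} also exposes:",
              exposed_by_breach(accounts, site) or "nothing")
```

In the sample, mail.example appears in the reuse group but not in the replay result because its username differs; it still shares the leaked password and should be changed along with the others.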

Never has it been easier to be a hacker

Anyone can buy huge collections of leaked passwords on the web. Better (or worse) yet, they can download them for free through P2P networks.

These gigantic collections combine data from multiple breaches. For example, the infamous Collection #1-5 offers 2.2 billion unique username and password combinations. Anyone with an internet connection can find them online in plaintext.

Once the attacker-to-be gets the trove of credentials, they can start “stuffing” them. Usually, to break into an account, an attacker needs to send out numerous login requests. That’s where credential stuffing tools (also found online) come in handy.

Since inserting millions of passwords into millions of boxes by hand isn’t an option, attackers automate these attacks. They also bounce the requests through proxy servers to hide the fact they’re coming from the same IP. Credential stuffing tools also mask the attacker’s browser and find a way around CAPTCHAs.

Protect yourself from credential stuffing in 3 steps

  • Step one. Do not reuse passwords.
  • Step two. You will reuse your passwords because you can’t remember them.
  • Step three. Get a password manager. We recommend NordPass, obviously. It will safeguard your every password and auto-fill online forms. It’s more of a hassle not to use NordPass than to use it.

No such thing as foolproof online security

You can’t be absolutely safe online because you can’t know or control everything. Are the apps, websites, or online services you use secure? Sometimes. And sometimes not. Sometimes they claim to be secure until they prove otherwise.

That’s why you have to use every security measure available to you. Create a unique, strong password for each of your accounts and change them on a regular basis.

Start now. Check whether your credentials have been exposed in any known breach here. Enable 2-factor authentication on every platform that provides this option.

And get a password manager.

