Recent cyber attacks have put businesses across the country on edge. Ransomware attacks, like the one in Borger last summer, are just one type of cyber attack businesses may face. We are especially concerned about the rise in login-credential-related attacks, also known as credential stuffing. There has been a 450 percent increase in these attacks since 2019, according to the 2021 ForgeRock Consumer Identity Breach Report. One of the most notable cyber attacks of 2021, the Colonial Pipeline breach, was the result of stolen credentials. Learning the tools for combating credential stuffing is important for your business cyber security.
What Is the Current Threat of Cyber Crime?
Of particular concern are attacks resulting from stolen credentials. We live in a society that requires passwords for everything from online shopping to downloading an app for work, and that makes our world more exposed to social engineering. More than one billion records have been compromised in the U.S. alone. According to the OAIC, 79 percent of cyber breaches are the result of compromised credentials. The demand for stolen credentials is enormous and growing.
How Are Stolen Credentials Used?
Once a hacker gains access to your credentials, they have a few options for converting them into cleartext. The attackers can either crack your credentials themselves, or sell the hashes to someone else who has more advanced skills and experience with credential stuffing. Once your password is recovered in cleartext, it gets added to a collection of thousands of others and sold as a stuffing list. The attacker then checks every username and password pair on the list against thousands of websites and generates a list of which credentials work where.
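A defender's view of the stuffing list described above, as an added example that is not part of the original post: it scans constructed authentication log lines (the line format, timestamps and IP addresses are assumptions of the example, not from any real system) and flags a source that tries many distinct accounts in a short window, which is what a stuffing run looks like from the server side, as opposed to one user fumbling their own password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2021-09-01T10:00:01 FAIL user=alice src=203.0.113.7
2021-09-01T10:00:02 FAIL user=bob src=203.0.113.7
2021-09-01T10:00:02 FAIL user=carol src=203.0.113.7
2021-09-01T10:00:03 OK   user=dave src=203.0.113.7
2021-09-01T10:00:04 FAIL user=erin src=203.0.113.7
2021-09-01T10:00:05 FAIL user=frank src=203.0.113.7
2021-09-01T10:00:06 FAIL user=grace src=203.0.113.7
2021-09-01T10:05:00 FAIL user=alice src=198.51.100.9
2021-09-01T10:05:30 FAIL user=alice src=198.51.100.9
2021-09-01T10:06:00 OK   user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL)\s+user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, success, user, ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, result, user, ip = m.groups()
        yield datetime.fromisoformat(ts), result == "OK", user, ip

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted distinct usernames} for every source IP that touched
    at least `min_users` distinct accounts inside any `window`. Successful
    logins count too: a hit is exactly what a stuffing list is sold to produce.
    One source retrying a single account (a typo) is not flagged."""
    attempts = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, _ok, user, ip in parse(log_text):
        attempts[ip].append((ts, user))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged
```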
Is My Password Predictable?
When a password has been hashed, it is scrambled for security purposes. Even hashing can’t protect you from the dangers of using a simple password. Although length alone doesn’t guarantee security, most passwords are too short at just seven characters. Our CEO took time at the start of the pandemic to break down what makes a strong password, as well as his recommended password management systems.
Aeko Tech Tips:
You might think you’ve outsmarted hackers, but these common changes are now well-known:
- Swapping O for 0
- Swapping S for $
- Adding an ! at the end
Exposing the Types of Credential Stuffing
There are a variety of types of credential hacking, including phishing, spoofing, crypto-jacking, polymorphism, fileless malware and malicious insiders. Let’s dive deeper into three of these hacking types, but you can always contact our team to learn more about other threats to be aware of.
Phishing kits are selling rapidly on the dark web. They are typically bought with cryptocurrency for anywhere between $50 to $100. They can be purchased in any language and configured for any type of attack. One of the best ways to prevent phishing attacks is to take a minimum of 20 seconds to review an email before you click on a link within it. If you open a website from an email, check the domain before proceeding to enter your login information. You can also look to see if your password keeper populates on the site; it won’t if the domain is even slightly off.
Fileless malware is launched without a download. It leverages trusted binaries already present on the system, such as PowerShell, referred to as LOLBins (living-off-the-land binaries): legitimate tools that are hijacked by malware. This type of attack is used to steal data like login information, or to crypto-jack users.
The threat of malicious insiders is a tough pill for many employers to swallow, but it must be addressed. Insider attacks are usually financially driven. Prevention tips include reducing the amount of damage possible through separation of duties, rotating jobs, watching employee actions and checking your logs.
How to Combat Cyber Security Threats
Creating a strategic cyber security plan is a key step in implementing better cyber security practices and combating credential stuffing.
Better cyber security starts with a risk assessment. There are seven steps in an effective assessment of cyber security:
- Assess the value of assets in your network
- Prioritize your assets
- Identify possible threats to your network
- Assess the weaknesses that may be exploited
- Analyze existing controls to your environment
- Document your security processes
- Repeat the risk assessment
You can use this assessment to develop your strategic cyber security plan. Your plan should include employee training and the utilization of a powerful security stack to mitigate cyber risks. A security stack may include dark web monitoring, multi-factor authentication, remote monitoring and management, backups, security training, cyber insurance and more depending on your business’s size and industry. By layering services, you can bulletproof your cyber security management.
How to Test Your Passwords
Using a formula to determine password entropy, or how unpredictable it is, is a mathematical way to test your passwords. The higher the “E”, or entropy, the better the password; a score over 60 is preferable.
E = log2(R^L) = L × log2(R)
E = password entropy
R = pool of unique characters
L = number of characters
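A worked version of the formula, added here and not from the original post: it estimates R from the character classes a password uses (the pool sizes are an assumption of the example), computes E = L × log2(R), applies the 60-bit threshold from the post, and also reverses the three well-known substitutions from the tips list so that a dressed-up dictionary word is caught even when its raw entropy score looks fine.

```python
import math
import string

# Character pools used to estimate R. Assumption of this example: the "symbols"
# pool is the 32 ASCII punctuation marks plus the space character (33).
POOLS = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]

def pool_size(password):
    """R: the combined size of every character pool the password draws from."""
    chars = set(password)
    return sum(size for pool, size in POOLS if chars & pool)

def entropy_bits(password):
    """E = log2(R^L) = L * log2(R), the formula from the post."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))

def undo_common_substitutions(password):
    """Reverse the substitutions the tips list calls out (O->0, S->$, a
    trailing !). Cracking tools apply these as rules, so they add little."""
    base = password.rstrip("!")
    return base.replace("0", "o").replace("$", "s").lower()

# Constructed stand-in for the breached-password list a stuffing list draws from.
KNOWN_BREACHED = {"password", "welcome", "letmein", "qwerty"}

def assess(password, threshold=60.0):
    """Return (entropy, verdict). 'Pa$$w0rd!!' scores about 65.7 bits and would
    pass the threshold alone; the substitution check catches it anyway."""
    e = entropy_bits(password)
    if undo_common_substitutions(password) in KNOWN_BREACHED:
        return e, "weak: a known breached word with predictable substitutions"
    if e < threshold:
        return e, "weak: entropy below threshold"
    return e, "acceptable"
```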
The University of Illinois at Chicago offers an online password strength calculator that does not send your password out over the internet.
You don’t have to handle IT alone.
Seek a tested partner to execute your risk assessment and implement a reliable security stack. If your small or medium-sized business is in need of cyber security assistance, including combating credential stuffing, book a consultation with our Fort Worth IT services firm.
Are you aware of the most common cyberattack methods?
Did you know there are over 3.4 billion phishing emails sent every day? Phishing and other cybercriminal behavior are a lot more common than you’d think.
Our free “Phishing, Smishing, Vishing, Pharming? A Cyberattacks Guide” will inform you about cyberattack methods and give you the latest in data security tips.