
Credential stuffing is a popular type of cyberattack where attackers take login credentials and use them on thousands of websites, hoping to fraudulently gain access to people’s accounts. It’s an effective attack, but fortunately, one that’s easy to prevent. 

This article examines credential stuffing in greater detail and explains how you can protect against it.

What is credential stuffing?

A credential-stuffing attack is when an attacker takes people’s usernames, email addresses, and passwords (the credentials) and uses automated tools to inject them into as many sites as possible (the stuffing). In almost all cases, the attackers get these credentials from an earlier attack or a data breach, like the one that affected Dropbox.

How a credential stuffing attack works

The fact that many people suffer from password fatigue is what makes credential stuffing an effective attack. As many as 65% of people reuse their passwords on multiple accounts, meaning if their passwords ever get exposed in a breach, all those accounts would be at risk.

For example, if you had an account with an online service using jimmysmith92 as your username and password123 as your password, a credential stuffer would use automated software to try as many other services as possible to see if you used that combination of username and password elsewhere. If so, they get easy access to another account.

Credential stuffing is usually categorized as a brute-force attack (where an attacker uses software to “guess” a password by trying every possible combination of letters and symbols) as it relies on the same principle. Only instead of trying every possible password to access a single service, credential stuffing uses a single password and tries it on every website and service.

The regularity of massive data breaches makes it easy for attackers to perform credential stuffing, and while verifiable numbers are hard to find, the prevalence of reused passwords suggests they’re effective. According to access management firm Okta, 34% of access attempts via its platform are identified as credential-stuffing attacks.

How to prevent a credential-stuffing attack

As common and successful as they are, there is a surprisingly simple way to protect against credential-stuffing attacks — never reuse your passwords. If you protect every single one of your accounts with a unique and random password, credential stuffing won’t work on any of your accounts — and other brute-force attempts will likely fail, too.

To create strong, random passwords that are almost impossible to crack for most computers, you need to use a password generator. Of course, this leaves the issue of remembering all these new, random passwords, which is nearly impossible for most people.

This is where password managers come in. These are programs that can store passwords for you and then fill them in automatically whenever you need them. There’s no overstating how useful password managers are. They’re a huge upgrade to your digital quality of life, as well as adding to your online security.
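
The reuse check and fix described above, as an added example (not Proton's code and not part of the original article): it finds accounts in a sample vault that share a password, so one breach would expose all of them, and generates a unique random replacement for each. The vault entries, service names and function names are constructed for illustration, and grouping is by password alone, which is stricter than the exact username-and-password match in the article's example.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Constructed sample vault: (service, username, password). Not real accounts.
VAULT = [
    ("shop.example", "jimmysmith92", "password123"),
    ("mail.example", "jimmysmith92", "password123"),
    ("forum.example", "jsmith", "password123"),
    ("bank.example", "jimmysmith92", "T7#qLw9!vRz2@pXe"),
]

# Letters, digits and a small symbol set (assumed to be accepted by the sites).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def find_reused(vault):
    """Return groups of services that are protected by the same password."""
    key = secrets.token_bytes(32)  # per-run key: group on a keyed digest, not the plaintext
    groups = defaultdict(list)
    for service, _user, password in vault:
        tag = hmac.new(key, password.encode(), hashlib.sha256).hexdigest()
        groups[tag].append(service)
    return sorted(sorted(services) for services in groups.values() if len(services) > 1)


def generate_password(length=20):
    """Draw a password from the OS CSPRNG, requiring every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def rotation_plan(vault):
    """Assign a fresh, unique password to every account found in a reuse group."""
    reused = {service for group in find_reused(vault) for service in group}
    return {service: generate_password() for service, _u, _p in vault if service in reused}


if __name__ == "__main__":
    for group in find_reused(VAULT):
        print("Same password on:", ", ".join(group))
    for service, new_pw in rotation_plan(VAULT).items():
        print(f"{service}: rotate to {new_pw}")
```
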

How Proton Pass can help

As your password manager contains so much valuable information, it’s a good idea to get one that’s as safe as can be, which is why we developed Proton Pass. Like all Proton products, it uses end-to-end encryption to keep data safe at all times, meaning that even in the unlikely event we do experience a breach, all your data would still be safe.

Proton Pass comes with a built-in password generator, as well as the option to store and autofill passwords and credit cards and even add secure notes. All this information can be shared with friends and family when needed and remain secure.

On top of this, Proton Pass also lets you create email aliases that shield your real email address from marketers and cybercriminals, offering another layer of protection against credential stuffing.

If you would like to be safe from credential stuffing yet also have an easy-to-use password manager that lets you do more than just store passwords, create a free Proton Pass account today.
