Credential stuffing means taking credentials breached from one service and trying them on another. For example, if criminals breach a common social networking site and get a list of usernames and passwords, they can try those username/password combinations on other common services as well. When they attempt this in bulk, they’re bound to get hits on services that let them reach even more sensitive information—like payment info or health records.
Fighting back: Credential stuffing relies on the fact people often reuse passwords to make them easier to remember. So make sure your employees and customers know to use unique passwords for every important service. Additionally, refresh passwords periodically to keep them from going stale. If you reset passwords frequently enough, it reduces the amount of time a breached password can be useful for credential stuffing.
Phishing and social engineering
Another common method of stealing passwords involves deception. People can often fall for a convincing (or even only slightly passable) scam. All it takes is someone clicking the wrong link in an email and entering their credentials into a convincing-looking fake website. And email isn’t the only delivery method—criminals often use social media links, SMS messages, or phone calls to trick people into giving up the goods.
Prevention: There are several ways to reduce your risk. First, a good email security solution can help reduce the amount of spam and phishing attempts that land with your customers. However, this doesn’t help with social- or phone-based attacks. Instead, offer user training to teach people to recognize potential scams. Teach them common signs of a scam such as generic greetings, poor spelling or grammar, and fake website URLs. Also, make sure they know never to give out credentials unless they themselves initiated the contact, for example by requesting a password reset or technical support from the sender. This can be particularly important for phone-based scams. For example, if someone claiming to be from an online payment vendor contacts a user, the user should hang up and dial the vendor’s main line to verify the caller is from the company. Also, don’t stop at one training—consider sending out frequent reminders of the basics of phishing and social engineering prevention to your customers. This helps customers stay alert to dangers—but also reinforces the value you provide.
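"Fake website URLs" is the one warning sign above that a machine can check before a link reaches a user. The classifier below is an added example rather than anything from the article or a SolarWinds product: it compares a link's host against a constructed list of protected domains and reports the common disguises (digit-for-letter substitutions, a trusted domain used as a subdomain of an unrelated one, a one-character edit, a bare IP address). The protected domain list, the confusable-character table and the "last two labels" shortcut for the registrable domain are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Domains this organisation legitimately links to (constructed list for the example).
PROTECTED = {"paypal.com", "microsoft.com", "example-bank.com"}

# Characters frequently swapped in to imitate letters, mapped to the letter they mimic.
# Assumed table; a production tool would use the Unicode confusables data.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s", "|": "l"})

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def normalize(label):
    """Fold look-alike characters and digraphs ('rn' for 'm', 'vv' for 'w') to plain letters."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def levenshtein(a, b):
    """Classic edit-distance DP; small enough to be readable, fine for domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Assumption: the last two labels form the registrable domain.
    Real deployments consult the Public Suffix List so that e.g. 'co.uk' is handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url, protected=PROTECTED, max_distance=1):
    """Return one of: trusted, raw-ip, brand-as-subdomain, lookalike, unrelated."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)

    if reg in protected:
        return "trusted"
    if IPV4_RE.fullmatch(host):
        return "raw-ip"  # legitimate services almost never link to a bare address
    # e.g. www.paypal.com.account-verify.net: the real brand sits left of the real domain.
    if any(host.startswith(p + ".") or ("." + p + ".") in host for p in protected):
        return "brand-as-subdomain"

    candidate = normalize(reg.split(".")[0])
    for p in protected:
        brand = p.split(".")[0]
        # Same label under another TLD, brand embedded in a longer label, or a one-edit typo.
        # The 'brand in candidate' test is loose for very short brand names; tune per list.
        if candidate == brand or brand in candidate or levenshtein(candidate, brand) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin", "http://paypa1.com/login",
              "https://www.paypal.com.account-verify.net/", "http://micros0ft-support.net",
              "http://192.0.2.10/secure", "https://github.com/"]:
        print(f"{classify_url(u):20} {u}")
```

Run this over the URLs in inbound mail, in a chat bot's link filter, or in a training exercise, and the "lookalike" and "brand-as-subdomain" verdicts are exactly the cases to show users as examples of what a fake website URL looks like. Internationalised domain names (punycode, Cyrillic look-alikes) need the Unicode confusables table that this toy version omits.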
Enforcing password best practices
Despite your best efforts, humans are still fallible. Even IT and security professionals can sometimes fall into poor password practices from time to time. One of the best ways to protect credentials involves using a strong password management solution to help enforce password management best practices across your team.
SolarWinds® Passportal helps your team automatically generate strong, unique passwords while retaining efficient one-click access to the services they need to do their jobs. Additionally, you can easily grant and revoke access and force password resets as needed. Plus, we use robust encryption on all passwords to make them even harder for cybercriminals to crack. Learn more today at passportalmsp.com/.
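To make concrete what "generate strong, unique passwords" involves under the hood, here is an added example of the two checks any password manager has to get right: drawing passwords from a cryptographically secure source with every required character class present, and refusing to file the same password under two services. It is illustrative code written for this page, not Passportal's implementation; the length, the character-class policy and the tiny in-memory `Vault` are assumptions (a real vault encrypts entries at rest and only holds them decrypted while in use).

```python
import math
import secrets
import string

# Assumed policy for the example: 94-character alphabet, four required classes, 20 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
REQUIRED_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)


def generate_password(length=20):
    """Draw from the OS CSPRNG via `secrets` (never `random`) and retry until every
    required class is present. Rejection sampling keeps the result uniformly
    distributed over the strings that satisfy the policy."""
    if length < len(REQUIRED_CLASSES):
        raise ValueError("length too short to contain every required character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in REQUIRED_CLASSES):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random string: length * log2(alphabet size).
    20 characters from 94 symbols is about 131 bits, far beyond brute-force reach."""
    return length * math.log2(len(alphabet))


class Vault:
    """Minimal stand-in for a password manager's reuse enforcement (assumed, not Passportal)."""

    def __init__(self):
        self._entries = {}  # service -> password; decrypted only in memory in a real vault

    def store(self, service, password):
        """Refuse to save a password that is already used for a different service."""
        reused_by = [s for s, p in self._entries.items() if p == password and s != service]
        if reused_by:
            raise ValueError(f"password for {service!r} is already used for {reused_by}")
        self._entries[service] = password

    def rotate(self, service, length=20):
        """Forced reset: replace the entry with a freshly generated unique password."""
        pw = generate_password(length)
        self.store(service, pw)
        return pw

    def get(self, service):
        return self._entries[service]


if __name__ == "__main__":
    v = Vault()
    old = v.rotate("mail")
    new = v.rotate("mail")
    print(f"rotated: {old != new}, entropy ~{entropy_bits(20):.0f} bits")
```

The reuse check is the piece that directly blunts credential stuffing: a breached password can only be replayed elsewhere if it exists elsewhere, and the vault is the one place that can see across every service a person uses.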
Colin Knox is director of product strategy, SolarWinds Passportal.