What is credential stuffing, and how does it work?

Concept art representing cybersecurity principles
Nytt DDoS-rekord (Image credit: Shutterstock / ZinetroN)

There have never been so many different cyber-attack methods – and, arguably, criminals have never been so successful, either. Credential stuffing is one of the latest methods being used by savvy crooks, but if you're on top of the topic you can avoid becoming a victim.

Credential stuffing has become popular as more password databases have been hacked. As billions of usernames and passwords become available on the dark web, criminals take those credentials and try them on different websites – because too many people reuse names and passwords across multiple accounts.

If you or your friends and family members reuse logins and passwords – and we've all done, let's be honest – then you're at a higher risk of falling victim to a credential stuffing attack.

Read on if you want to discover the details behind credential stuffing – and figure out how to avoid becoming a victim. Don't sweat if you need more computing help, either, because we've got you covered with our guides to the best photo recovery apps and a deep dive into the differences between Microsoft 365's business products.

Reader Offer: Save 55% on NordPass Premium

Reader Offer: Save 55% on NordPass Premium
NordPass provides an accessible, competent, easy-to-use solution that most people will love, according to TechRadar editors. Save 55% on NordPass Premium plus 3 months free.

Preferred partner (What does this mean?) 

What is credential stuffing?

There are plenty of methods that hackers and criminals use to try and get access to your vital accounts, and many rely on the fact that lists of usernames and passwords are routinely stolen from companies and leaked on the normal internet and the dark web.

Those huge lists of usernames and passwords are the key to credential stuffing. It works because a hacker will take this information and use bots and other automation techniques to try every combination of username and password across different websites, services and social networks.

These bots will often attempt to use different sets of credentials on multiple sites simultaneously to speed up the process, and they're trained to grab sensitive personal data automatically if one of the login attempts works.

It can often be extremely productive, because a hacker already has a list of passwords that have been proven to work at some point in time – and because too many people never change their passwords and reuse their passwords across multiple services.

So, if a hacker is particularly lucky, they'll find a username and password combination that still works across loads of different websites. And if you're the unlucky person who's fallen foul of this approach, that could mean that they've got access to your email accounts, social media pages, bank details and more.

It's a popular approach because credential hacks and leaks have rarely been more popular, with tens of billions of different usernames available online – and because the entire process can be automated.

It's a quicker and more effective process than a traditional brute force attack, which can take a long time because a hacker's equipment needs to power through every possible combination of letters, numbers and symbols. Because credential stuffing attacks use proven passwords, they're often more successful than a dictionary attack, too – just because that method uses common words, it doesn't mean it's going to work.

The combination of huge password leaks, sophisticated bot farms and people's lax password security means that credential stuffing is here to stay – unfortunately.

How to avoid credential stuffing attacks

It's almost inevitable that your usernames and passwords will find their way onto the dark web at some point, but there are sensible steps that anyone can take to avoid falling foul of credential stuffing attacks and other kinds of hacking attempts.

Your first step should be ensuring that you have strong passwords for all your accounts. You should use unique passwords for every service to ensure that a hacker can't use the same details to access different sites.

Alongside creating unique passwords for every service, you should develop longer passwords that use a combination of letters, numbers and special characters in upper and lower case. Avoid words, common phrases, proper nouns and sequential numbers, too, and you'll have a robust password.

That's a lot to remember, so we'd also recommend using a password manager. Deploy one of these tools and you won't have to remember each username and password combination – it'll do it for you, and secure the data behind strong encryption. Don't worry if you're not sure where to start, either – we've already rounded up the best password managers.

A top-notch password manager will also generate secure passwords. The best password managers and security tools also include dark web monitoring that will alert you if your credentials have been exposed in a breach. While that's undoubtedly annoying, alerts mean you'll be able to change your passwords before hackers can exploit the leak.

You might not be able to avoid leaks and hacks forever, but there are steps you can take to ensure your security if the worst happens. If websites, apps and services support it, deploy multi-factor authentication. This security feature demands that you provide extra proof of your identity if you try to log in – sometimes it's fingerprint or facial recognition, on other occasions it comes from external apps and other services text a unique code to your phone.

It's a crucial addition to your security arsenal. If you've got multi-factor authentication turned on, a hacker won't be able to get into your account even if they've used credential stuffing to find the right password – because they won't have the other bit of information or identification that grants access.

We'd also recommend examining the settings on your apps and accounts, because you can often specify that an app demands a password change if you get it wrong a few times in a row. That's a neat way to stop bots from trying to guess your password repeatedly.

Beyond these worthwhile security tips, we also recommend changing your passwords every three or six months. Because while leaks and hacking attempts are inevitable, a credential stuffing bot won't get very far if they're using a password that you've already changed. Many password managers will generate new passwords for you and provide reminders to change them, and lots of tools will also alert users if they've got weak passwords in their database.

Credential stuffing is a nefarious and sophisticated hacking method, and it's not likely to go away any time soon – like brute force and dictionary attacks, they work too often for cybercriminals to leave them behind. But if you're aware of the dangers and you follow these tips, you'll keep your data safe and stop any hacks before they've begun.

We've listed the best internet security suites.

Mike has worked as a technology journalist for more than a decade and has written for most of the UK’s big technology titles alongside numerous global outlets. He loves PCs, laptops and any new hardware, and covers everything from the latest business trends to high-end gaming gear.