Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What Is Credential Stuffing?

Simpler than it sounds.

Credential stuffing: less complicated than the fancy words imply and easy to prevent.
A line of dominoes on a sleek, modern table. The first domino in the line is labeled "Your Password", and the subsequent dominoes are labeled with generic online service categories like "Email", "Social Media", "Banking", etc. Each domino represents a different aspect of one's digital life, illustrating the concept of how a single compromised password can lead to a chain reaction affecting various online accounts.
(Image: DALL-E 3)

Security experts often express concern about something called credential stuffing. It's a way hackers gain access to online accounts.

The good news is that it's easy to understand.

The better news is that it's easy to prevent.

The bad news is that too many people don't.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Credential stuffing

Credential stuffing is when hackers use stolen login information from one site to try to sign in to other sites. You can prevent it by using unique passwords for every site, ideally managed by a password manager.

Credential stuffing in simple terms

Credential stuffing is nothing more than using your credentials (login ID and password) from one service to attempt to log in to other services.

Say you have a Gmail account with username "example@gmail.com" and password "areallygoodpassword". Somehow your Gmail credentials are compromised and end up in the hands of a hacker.

A credential-stuffing attack looks like this:

  • The hacker tries to sign in with "example@gmail.com" and "areallygoodpassword" at Outlook.com.
  • The hacker tries to sign in with "example@gmail.com" and "areallygoodpassword" at Facebook.com.
  • The hacker tries to sign in with "example@gmail.com" and "areallygoodpassword" at a popular bank.
  • And so on and so on ...

IF you used the same email address and password at any of the online services the hacker attempts to sign in to, they gain access to the account. It doesn't even matter how good that password is.

Think of it as a row of dominos. Tip the first one, and the rest follow and fall.

It's a popular attack. The reason it's popular is because it works.

Prevent credential stuffing

You can already see where this is going. The attacks are successful because people use the same password for more than one site.

To protect yourself, don't do that. It's as simple as that.

Use a different password for every site or service that requires one. That way, if any of your credentials are compromised at one service, the damage is limited to that account.

Cue the objection: "How am I supposed to keep track of all these different passwords?"

That has a simple solution as well.

Use a password manager

I don't care which one1, but password managers (AKA password vaults) are the solution.

You don't have to keep track of all the different passwords; your password manager does it for you. You don't have to dream up secure passwords; the password manager can do that for you. Your passwords can be longer than you can remember; the password manager can make 'em long and strong.

Password managers are safer than every other alternative.

And they're perfect for preventing credential stuffing.

Do this

Use different passwords for every online account. Use a password manager to keep track of them.

You'll no longer be vulnerable to credential-stuffing attacks. It's as simple as that.

Also simple: Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Footnotes & References

1: OK, ok, I do care, but that's not what this article is about.

3 comments on “What Is Credential Stuffing?”

  1. Unfortunately, Google is actively trying to proliferate credential stuffing by getting you to use your Google credentials to log into just about every witesite. So does Facebook. Don’t do it. You’re not in good hands.

    Reply
  2. Don’t some sites leave some kind of token behind on your device if you check the “remember me on this device” box when signing in the first time? This should prevent a sign in attempt from another device and result in a notice to you I would assume.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.