• Melissa Whiteside

Avoid Credential Stuffing with Stronger Passwords

In the vast world of data breaches and malware, the username and password you use for one of the sites you visit have a high likelihood of being leaked onto the internet in some dark web forum. If you reuse the same password and email on multiple sites, then you open yourself up to a technique called credential stuffing.


Credential stuffing is when the username and password from one data breach are tried against the login of many other sites with the hope being the user uses the same credentials on multiple sites. The best way to avoid having one data breach affect all your other accounts is to use a different password for every website. Doing that makes it hard to remember them all because they should be unique and not the same password with little variations such as putting the website name at the end of your password. Almost every website requires you to create an account to view anything. Solving this problem is easy; you just need to use a password manager because then you only need to remember one good password. 


Checking your accounts for data breaches

A new data breach: a misconfigured database server or malware data dump, seems to be showing up almost weekly. It is a good idea to check if any of your accounts have been leaked. The best website to check this is have I been pwned?. You enter the email you want to check, and the site will tell you if it’s been in any known data breaches and what was leaked in that specific data breach. Usually, it’s any personal information you entered on the site and the hashed password. If it says plain text passwords, then your actual password has been leaked.


Picking a good password

The password you use for your password manager should be unique and complex (16 characters minimum, a capital, a number and a symbol). An easy way to do this is to come up with an acronym such as Congratulat!ons_Accurate_Troublesome_Stenograph!c_0319. This password is long, has a simple acronym to remember (CATS), the symbols are where the ‘i’ would be and the number could be your birth month and day. The symbol replacement is a common change, but the added complexity does make brute-forcing that much more difficult. You can think of anything you want, the more random and unique the better.

The password above has 157 bits of entropy which will take 5.79e28 years to break; based on the entropy report from KeypassXC. KeypassXC mentions the user not having to worry about a hacker cracking a hashed password; which for a password manager is a valid point, but for a website that has had a data breach then the hash is what bad actors attempt to break which they can guess at over 10,000,000,000 hashes per second with easily obtainable hardware. So you only have to remember that one complex password and then have the password manager generate the rest of them at say 32 characters with even just lower case, upper case and numbers and your passwords will be around 150 or more bits of entropy (unrealistically breakable). The amount of entropy (randomness/uniqueness) can be increased if you use misspelt words because they won’t be found in dictionaries.


Picking a good password manager

There are many password managers available to choose from. Here are some recommendations based on personal experience; Lastpass, Dashlane, Bitwarden, and KeypassXC.


Bitwarden is an open-source password manager that works great, supports organizations and password sharing. The open-source nature of it is great because you can run your server and have complete control over your data. The browser extension is simple, intuitive and has good customization options. A great feature of Bitwarden is how well it handles multiple logins for the same website; just select the login you want from the drop-down in the right-click menu. This is a good choice if you want complete control, although it does take some time to set up and some knowledge of servers to properly implement.


Lastpass is the best free enterprise-level password manager. It integrates smoothly with all major web browsers and users rarely have any issues. It has everything you would need, it syncs between devices, helps you fill in forms. If you're looking for a simple and effective password manager, we suggest Lastpass.


Dashlane is the most expensive at over $50 CAD a year, there is a free version, but it only works on one device. The benefits for paying are limited however because even if the support is good, we foresee the major issue people have is they forgot their password and that cannot be fixed by support because they have no way of decrypting the data without your master password.


KeyPassXC is a desktop password manager, it does not sync but it does allow the user to specify a different hashing algorithm such as argon2 (which won the password hashing competition in 2015). You can set it up to have the database stored in dropbox or on a usb so you can access it anywhere but it’s not as convenient as the other options. One of our developers uses it as a secure, local backup up all their passwords and sensitive notes such as payment information and recovery keys.


In terms of security, all the above password managers use the standard, tested encryption options. A feature that all of them should implement is the ability to specify the algorithm used for encryption except KeypassXC because it already does. This is a minor issue though because if you have a good master password for your password manager then someone breaking into it is practically impossible.

When you give your data to many different websites, some have amazing security requirements, some not so much. If you give a website your data, then it should be protected by a good password. Memorizing a plethora of passwords is awful and prone to saying I “forgot my password”. A password manager is the best way to protect yourself and only memorize one password. This is especially true for any website that you enter payment information into. A final recommendation would be to avoid saving your payment information on any website because then you don’t have to worry about it being in a data leak.


Author: Graham Seaman

29 views

(780) 664-2221

10160-103 Street, NW
Edmonton, Alberta
T5J 0X6

©2018 Switch Engineering.