In their effort to protect their customers from a range of modern threats, managed services providers (MSPs) may encounter a strategy known as credential stuffing.
This hacking technique involves rapidly inserting large numbers of usernames and passwords—often collected from corporate data breaches—into the login fields of other sites and digital services.
While the success rates for credential stuffing may seem low on paper (RSA reports they average between 0.5 and 3%), the technique relies on hackers having access to massive volumes of credentials, and the accounts they do break into may hold credit card numbers, data that could be exploited as part of a phishing scheme, and other forms of profitable data.
Even if only a few credentials provide access to other accounts, the effort is often worthwhile for hackers. According to the FBI, credential stuffing has even been responsible for a large number of recent hacks carried out against banks and other financial institutions.
Credential stuffing has been used successfully by hackers throughout the past decade, as massive data breaches from popular sites like Dropbox, LinkedIn, MySpace, and others have provided hackers with millions of username and password combinations.
The increased success of these hacking campaigns in recent years is due in large part to what are known as Collections 1-5, which are massive troves of login credentials aggregated from multiple data breaches and thousands of sources.
These are available in plaintext via torrent and are used by enterprising hackers to push their way into vulnerable accounts. Collection 1 alone contains 772.9 million unique email addresses and 21.2 million unique passwords.
How MSPs Can Help to Prevent Credential Stuffing
The best and simplest way to protect against credential stuffing attacks is to ensure that each end user has a unique password for each of their accounts. However, this approach can be difficult to fully implement and enforce without a network password manager or credential management system that requires end users to create unique passwords. This is where MSPs can play a significant role in establishing and maintaining password security best practices for their customers.
Password managers not only allow end users to easily create unique passwords for their accounts, they act as secure password repositories—meaning passwords can be incredibly complex because users don’t actually have to commit them to memory.
Many password managers also include functionality to help users routinely update passwords to prevent them from going stale, and some will even alert users if any of their credentials appear in new public data dumps and automatically trigger password resets.
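The two checks described above, a vault-wide search for reused passwords and a lookup of each password against a public dump, can be demonstrated in a few lines. The following Python is an added example, not code from the original post or from any password manager vendor; the breach corpus, the vault contents and the `range_query` endpoint stand-in are all constructed for illustration. The lookup splits the SHA-1 hash at five hex characters the way k-anonymity range queries do, so the audit never has to transmit a full hash.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a public credential dump (assumption for this
# example): a few plaintext passwords we pretend were exposed in a breach.
BREACHED_PLAINTEXT = ["password123", "letmein", "qwerty2019", "Summer2020!"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form range lookups compare."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first five hex characters of the hash. Splitting at
# five characters is the k-anonymity style used by range-query breach APIs:
# the client sends only the prefix and matches the suffix locally, so the
# full hash (let alone the password) never leaves the client.
BREACH_INDEX = defaultdict(set)
for _pw in BREACHED_PLAINTEXT:
    _h = sha1_hex(_pw)
    BREACH_INDEX[_h[:5]].add(_h[5:])


def range_query(prefix: str) -> set:
    """Local stand-in for a breach-corpus range endpoint (hypothetical).

    Returns every known hash suffix for a five-character prefix.
    """
    return set(BREACH_INDEX.get(prefix.upper(), set()))


def is_breached(password: str) -> bool:
    """True if the password's hash appears in the breach corpus."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def audit_vault(vault: dict) -> dict:
    """Audit a vault mapping account name -> password.

    Returns reused-password groups (as account names only, never the
    password itself) and the accounts whose password appears in the corpus.
    """
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    reused = sorted(
        sorted(accounts) for accounts in by_password.values() if len(accounts) > 1
    )
    breached = sorted(account for account, pw in vault.items() if is_breached(pw))
    return {"reused": reused, "breached": breached}


# Constructed sample vault: two accounts share a password that is also in
# the dump, one uses a dump password alone, one is unique and clean.
SAMPLE_VAULT = {
    "corporate-email": "Summer2020!",
    "online-shop": "Summer2020!",
    "crm": "Xy7!pQ2#vN9$",
    "vpn": "letmein",
}

if __name__ == "__main__":
    findings = audit_vault(SAMPLE_VAULT)
    for group in findings["reused"]:
        print("password reused across:", ", ".join(group))
    for account in findings["breached"]:
        print("password found in breach corpus:", account)
```

Run against the sample vault, the audit reports one reuse group (`corporate-email` and `online-shop`) and three accounts whose password is in the corpus, which is exactly the set a manager would trigger resets for. Reporting reuse by account name rather than by password keeps the audit output itself from becoming a credential leak.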
Additionally, built-in multi-factor authentication adds another layer of security in the event that hackers do acquire passwords. While multi-factor authentication on its own is insufficient protection, it is a critical part of hardening the security of password managers. If a credential stuffing attack lands a successful result, an additional form of identity validation through a token or SMS can help prevent unauthorized access.
The combination of a password management system with multi-factor authentication should prevent the vast majority of credential stuffing attacks from being successful. Still, on the off chance an attack does land, or if a customer has been the victim of fraudulent activity in the past, there are a couple of additional strategies that can help prevent a future breach.
MSPs can help customer companies adopt a number of new methods to help shore up their security countermeasures—without interfering with or denying access to legitimate site activity.
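On the service side, the signature of the attack described at the top of this post (many different usernames, almost all failing, replayed quickly from one source) is visible in ordinary authentication logs. The Python below is an added example, not part of the original post or of any vendor product; the log format, the sample lines and the thresholds are constructed assumptions. It aggregates attempts per source and flags only sources that combine a high attempt count, many distinct usernames and a high failure ratio inside a short window, so a single user mistyping a password is not caught.

```python
import re
from datetime import datetime

# Constructed authentication log (assumption for this example). Addresses are
# from the IETF documentation ranges. 203.0.113.7 cycles through twelve
# different usernames in under a minute with one success, the pattern of a
# credential list being replayed; the other two sources are ordinary users.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:05Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:10Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:15Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:20Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:25Z src=203.0.113.7 user=frank result=FAIL
2024-03-01T10:00:30Z src=203.0.113.7 user=grace result=OK
2024-03-01T10:00:35Z src=203.0.113.7 user=heidi result=FAIL
2024-03-01T10:00:40Z src=203.0.113.7 user=ivan result=FAIL
2024-03-01T10:00:45Z src=203.0.113.7 user=judy result=FAIL
2024-03-01T10:00:50Z src=203.0.113.7 user=mallory result=FAIL
2024-03-01T10:00:55Z src=203.0.113.7 user=oscar result=FAIL
2024-03-01T10:01:00Z src=198.51.100.4 user=alice result=FAIL
2024-03-01T10:01:10Z src=198.51.100.4 user=alice result=FAIL
2024-03-01T10:01:25Z src=198.51.100.4 user=alice result=OK
2024-03-01T10:02:00Z src=192.0.2.9 user=bob result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def summarize_sources(events):
    """Aggregate attempts, failures, distinct users and time span per source."""
    stats = {}
    for ev in events:
        s = stats.setdefault(ev["src"], {
            "src": ev["src"], "attempts": 0, "failures": 0,
            "users": set(), "first": ev["ts"], "last": ev["ts"],
        })
        s["attempts"] += 1
        if ev["result"] == "FAIL":
            s["failures"] += 1
        s["users"].add(ev["user"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return stats


def flag_stuffing_sources(events, min_attempts=10, min_distinct_users=5,
                          min_fail_ratio=0.8, max_window_s=600):
    """Return sources whose activity matches a credential-stuffing pattern.

    All four conditions must hold, so a legitimate user retrying one account
    (few attempts, one username) never trips the rule. Thresholds are
    illustrative assumptions and should be tuned to the service's traffic.
    """
    flagged = []
    for s in summarize_sources(events).values():
        span = (s["last"] - s["first"]).total_seconds()
        ratio = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and ratio >= min_fail_ratio
                and span <= max_window_s):
            flagged.append({
                "src": s["src"], "attempts": s["attempts"],
                "failures": s["failures"], "distinct_users": len(s["users"]),
                "window_s": span,
            })
    return sorted(flagged, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in flag_stuffing_sources(list(parse_log(SAMPLE_LOG.splitlines()))):
        print(f"{f['src']}: {f['attempts']} attempts, {f['failures']} failures, "
              f"{f['distinct_users']} usernames in {f['window_s']:.0f}s")
```

The response to a flagged source should act on the source (throttling or a step-up challenge such as the MFA prompt discussed above), not on every username it tried. Locking each targeted account would turn the attacker's list into a denial of service against legitimate users, which is precisely the interference with legitimate site activity that the countermeasures here are meant to avoid.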
Keeping your customers protected
Credential stuffing is incredibly difficult to stop and isn’t likely to go away anytime soon. MSPs need to provide customers with a multi-faceted approach to maintaining password integrity.
A powerful credential system like N-able™ Passportal™ provides your customers with industry standard encryption, intuitive password generation and storage, and even offers end users a seamless way to manage both their private and professional passwords from the same console.
Passportal helps create strong and unique passwords, while also making it simple to audit end user compliance and track specific credentials.
If this information is helpful to you, read our blog for more interesting and useful content, tips and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query.
Content curated by the team of COMPUTER 2000 on the basis of marketing materials provided by our partners/vendors.