How Can Credential Stuffing Be Thwarted?
Interview: Troy Hunt Examines Authentication Challenges
Credential stuffing is a growing problem for service providers that's vexing to address, says Troy Hunt, creator of the Have I Been Pwned data breach notification service.
The practice refers to attackers cycling through lists of compromised authentication credentials in hopes that accounts on other services will use the same ones. One of the most notable attacks of late hit Disney+ as it launched its new streaming service.
In an interview with Information Security Media Group, Hunt says the success of credential stuffing raises questions about the controls that companies have in place to ensure that someone who has the right username and password for a service - but is not actually the legitimate person - is denied access.
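The control Hunt describes, recognising that a login is part of a credential-stuffing run even when the username and password are correct, is usually approached from the authentication logs. The following Python is an added example, not code from the article or from Have I Been Pwned: it parses a constructed log of login attempts, flags source addresses that try many distinct usernames with a low success rate, and then lists the successful logins that came from those sources, which are the ones a service would want to step up or deny. The log format, field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not taken from the article).
# Format per line: <timestamp> <source-ip> <username> <OK|FAIL>
SAMPLE_LOG = """\
2019-11-20T10:00:01Z 203.0.113.7 alice FAIL
2019-11-20T10:00:02Z 203.0.113.7 bob FAIL
2019-11-20T10:00:02Z 203.0.113.7 carol FAIL
2019-11-20T10:00:03Z 203.0.113.7 dave FAIL
2019-11-20T10:00:03Z 203.0.113.7 erin FAIL
2019-11-20T10:00:04Z 203.0.113.7 frank OK
2019-11-20T10:00:04Z 203.0.113.7 grace FAIL
2019-11-20T10:00:05Z 203.0.113.7 heidi FAIL
2019-11-20T10:01:10Z 198.51.100.4 alice FAIL
2019-11-20T10:01:25Z 198.51.100.4 alice FAIL
2019-11-20T10:01:40Z 198.51.100.4 alice OK
2019-11-20T10:02:00Z 192.0.2.9 bob OK
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    timestamp, src_ip, username, outcome = parts
    return {"ts": timestamp, "ip": src_ip, "user": username, "ok": outcome == "OK"}


def summarise_by_source(lines):
    """Count attempts, distinct usernames and successes per source address."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["attempts"] += 1
        stats["users"].add(rec["user"])
        if rec["ok"]:
            stats["successes"] += 1
    return per_ip


def detect_stuffing(lines, min_attempts=5, min_distinct_users=5, max_success_ratio=0.25):
    """Flag sources whose pattern matches stuffing: many attempts spread over many
    different usernames, almost all of them failing. A single user mistyping their
    own password (one username, few attempts) does not match."""
    flagged = {}
    for ip, stats in summarise_by_source(lines).items():
        ratio = stats["successes"] / stats["attempts"]
        if (stats["attempts"] >= min_attempts
                and len(stats["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "successes": stats["successes"],
                "success_ratio": round(ratio, 3),
            }
    return flagged


def suspicious_successes(lines, flagged):
    """Successful logins from flagged sources: the credentials were right, but the
    context says the person behind them probably is not the account owner."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["ok"] and rec["ip"] in flagged:
            hits.append((rec["ip"], rec["user"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flagged = detect_stuffing(lines)
    for ip, info in flagged.items():
        print("stuffing source:", ip, info)
    for ip, user in suspicious_successes(lines, flagged):
        print("review/step-up login:", user, "from", ip)
```

On the constructed log, 203.0.113.7 is flagged (eight attempts, eight usernames, one success) and the one successful login from it, for "frank", is reported for review even though the password was accepted; the repeated failures from 198.51.100.4 are one user retrying their own account and are left alone. In production the same per-source counters are usually kept over a sliding window and combined with other signals (new device, unusual geography) before a step-up challenge is triggered.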
"This is a hard problem to solve whilst still maintaining a system that's usable," Hunt says.
A blunt way to deal with users recycling the same password over and over again is to assign users a random, unique password. But Hunt says service providers have shied away from that for fear of alienating users. "No company in their right mind is going to do that," Hunt says.
Reputation damage - and the costs associated with cleaning up after credential stuffing attacks - could push companies to enforce strong password policies, particularly if it becomes harder to attract new subscribers due to bad headlines, Hunt says.
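One concrete form a stronger password policy can take is rejecting, at registration or password change, any password that already appears in a breach corpus, which removes the reused credential a stuffing list depends on. The Python below is an added example and not code from the article or from Have I Been Pwned; it assumes a small constructed corpus in place of real breach data and simulates, inside the same process, the k-anonymity range query that the Pwned Passwords service uses, where the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally. Function names, the minimum length and the corpus contents are assumptions.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (not real breach data).
# Plaintexts are hashed here only so the example is self-contained; a real
# corpus stores hashes, never the plaintexts.
_CONSTRUCTED_LEAKED = ["password", "123456", "qwerty", "letmein", "disney2019"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _CONSTRUCTED_LEAKED}


def split_hash(password):
    """SHA-1 the password and split the hex digest into the 5-char prefix that is
    sent to the lookup service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix):
    """Simulated server side of the range query: it learns only the prefix and
    returns every suffix it knows under that prefix, so the full hash (and hence
    the password) never leaves the client."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password):
    """Client side: query by prefix, then test the suffix locally."""
    prefix, suffix = split_hash(password)
    return suffix in range_lookup(prefix)


def check_password(password, min_length=12):
    """Return the list of policy problems with a candidate password; an empty
    list means it is acceptable under this (assumed) policy."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if is_breached(password):
        problems.append("appears in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "disney2019", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["ok"]
        print("%-30s %s" % (candidate, "; ".join(verdict)))
```

Checking against breached passwords rather than enforcing composition rules is the approach that targets credential stuffing directly: a password that meets every complexity rule but sits in a public dump is exactly what the attack needs. Replacing `range_lookup` with an HTTPS call to a real range endpoint keeps the same privacy property, because only the prefix is transmitted.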
In this interview, Hunt also discusses:
- Why data brokers pose special risks for data breaches;
- Why credential stuffing is a vexing problem for service providers;
- How enterprises are gradually improving their password management practices.
Hunt created Have I Been Pwned, which notifies individuals when their email address turns up in breaches. A frequent speaker at conferences around the world, he runs workshops focusing on secure authentication, best password practices and how to avoid data breaches.