Using unique passwords and passphrases for each of your accounts is important to reduce the risk of credential stuffing. Cyber criminals use credential stuffing to steal from one account to gain unauthorized access to other accounts that use the same username, email or password combination. The best way to protect yourself from this attack is to use unique passwords for each of your accounts and use a password manager to help create and store them securely.
What is a password manager?
A password manager is a tool that stores all your passwords in one secure place. It can also help create strong and unique passwords for you. Password managers can suggest random passwords and evaluate the strength of your current passwords. There are free and paid options available that different features to help enhance your account security. We don't recommend using the password manager in your web browser, especially if you share your device with others. Credential stuffing attacks rely on users to reuse the same password on multiple accounts. By using a password manager, you can securely store each unique password without having to remember them.
How do I create strong and unique passwords and passphrases?
Strong passwords should be at least 12 characters long and include random numbers and symbols. Passphrases should be at least 15 characters long and include at least four random words, numbers and symbols. Avoid using personal information like your phone number, address or pet names. Don't use information that can be easily found on social media, like your favorite sports team, because this can make it easier for cyber criminals to guess your passwords or answers to security questions.
What about multi-factor authentication?
Multi-factor authentication (MFA) adds an extra layer of security to your accounts. It requires something you know, like your password, and something you have, like a code sent to your phone, facial recognition or a thumbprint. You should enable MFA whenever you can. Even though MFA is very effective, not all accounts offer it. So, it's important to use a password manager to make sure your passwords and passphrases are strong and unique.
What do I do if I get compromised?
If you think one or more of your accounts has been compromised, follow these steps:
- Update your passwords or passphrases on the compromised account(s) to one that is unique and strong
- Check your credit card and bank statements for any suspicious activity
- Report any fraudulent activity to your bank or credit card company
- Notify contacts who could be impacted by the attack, like if a phishing message was sent from your account
- Report any suspicious activity to your local police and the Canadian Anti-Fraud Centre (CAFC)
- Ensure all accounts have MFA enabled, wherever possible
- Update your password manager with the changed account credentials
Conclusion
Using a password manager and enabling MFA are great ways to prevent credential stuffing attacks. By making sure each of your passwords and passphrases are strong and unique, you can reduce the risk of cyber criminals breaking into your accounts.