Between the year-end holidays and breach fatigue, it’s easy for consumers and organizations to fall into a sense of complacency around cybersecurity. Cybercriminals know this, so while many people are vacationing, they’re hard at work.
Case in point: Numerous users of the LastPass password manager have been receiving disturbing emails over the past few days, warning them of login attempts using their master passwords. LastPass told BleepingComputer that the company’s customer base was being targeted by credential stuffing.
What Is Credential Stuffing?
Credential stuffing is an automated attack in which cybercriminals buy lists of username and password combinations harvested in earlier data breaches, then replay them against target systems at scale to see which ones still work. The attack exploits two common password security mistakes:
- Despite repeatedly being told not to, many people reuse passwords across accounts, including across personal and work accounts.
- Despite repeatedly being told to do so, many people don’t enable multi-factor authentication (MFA, commonly called 2FA) wherever it’s supported.
Keep Your Passwords Close; Keep Your Master Passwords Closer
Credential stuffing attacks can target any type of online account, including password managers. The LastPass situation illustrates why it’s critically important for everyone to use strong, unique passwords for every account and enable 2FA wherever it’s supported.
Organizations that use enterprise password management systems (EPMs) like Keeper can go a step further and ensure their EPM performs device verification checks before allowing employees to log in. If the device or IP address wasn’t previously registered with a user’s account, the login fails. In addition, it’s important that a modern authentication system prevents enumeration attacks, where threat actors use automation to “iterate” through numeric or alphanumeric sequences to determine whether an account exists.
The potential threat of credential stuffing and enumeration attacks is one reason why Keeper’s engineering team rebuilt the entire login and authentication infrastructure back in 2019 to address several advanced and complex challenges:
1. Enforcing device verification prior to allowing a user to even attempt login. By ensuring a device is approved before any authentication attempt, an attacker cannot brute-force a user’s Master Password. Several device verification methods are supported, such as push notification, email and TOTP code entry.
2. Enforcing 2FA prior to making attempts on the Master Password. This technique is another layer of protection against brute force and credential stuffing attacks against a user’s vault, even if the device verification step is passed.
3. For Enterprise implementations using SSO (such as Azure, Okta or JumpCloud), using device-based Elliptic Curve cryptography to decrypt vaults locally, after the user has successfully authenticated against the SAML 2.0 identity provider and completed the device verification step. Keeper is the only solution that seamlessly integrates with SSO solutions while providing Zero-Knowledge encryption.
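The ordering in steps 1 and 2 above, together with the enumeration resistance called for in the earlier section, can be shown in a small login model. The code below is an added example written for this article; it is a simplified illustration, not Keeper’s implementation, and the class and method names (`LoginService`, `approve_device`, `login`), the in-memory stores and the PBKDF2 password hash are all assumptions. Two properties are demonstrated: the Master Password is never evaluated unless the device has been approved and the second factor has passed, and every failure (unknown account, unapproved device, bad code, bad password) returns the same message to the client, with the real reason kept for server-side logging only.

```python
"""Login flow: device verification, then 2FA, then (and only then) the password.

Added example, not Keeper's code. Unknown accounts take the same code path as
real ones so the reply never reveals whether an account exists.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Identical text for every failure so a client learns nothing from the reply.
GENERIC_FAILURE = "Login failed or additional verification is required"


@dataclass
class LoginResult:
    ok: bool
    message: str   # what the client sees: identical for every failure
    reason: str    # server-side only, for audit logging and detection


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Stand-in for a vault KDF."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp_code(secret, counter, digits=6):
    """RFC 6238 TOTP value for one 30-second time step (HOTP over the counter)."""
    h = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = h[-1] & 0x0F
    value = int.from_bytes(h[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class LoginService:
    def __init__(self):
        self.users = {}             # username -> (salt, digest, totp_secret)
        self.approved_devices = {}  # username -> set of device ids
        # Dummy record so an unknown account does the same work as a real one.
        self._dummy_user = (*hash_password(secrets.token_hex(16)),
                            secrets.token_bytes(20))

    def register(self, username, password, totp_secret):
        self.users[username] = (*hash_password(password), totp_secret)
        self.approved_devices[username] = set()

    def approve_device(self, username, device_id):
        """Record an out-of-band approval (push, e-mail link or TOTP entry)."""
        self.approved_devices.setdefault(username, set()).add(device_id)

    def login(self, username, device_id, code, password, counter=None):
        counter = int(time.time()) // 30 if counter is None else counter
        salt, digest, totp_secret = self.users.get(username, self._dummy_user)

        # Gate 1: device verification. From an unapproved device the Master
        # Password is never evaluated, so it cannot be stuffed or brute-forced.
        if device_id not in self.approved_devices.get(username, set()):
            return LoginResult(False, GENERIC_FAILURE, "device_not_verified")

        # Gate 2: second factor, checked before the Master Password.
        if not hmac.compare_digest(totp_code(totp_secret, counter), code):
            return LoginResult(False, GENERIC_FAILURE, "second_factor_failed")

        # Gate 3: only now is the password compared, in constant time.
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            return LoginResult(False, GENERIC_FAILURE, "bad_password")
        return LoginResult(True, "ok", "ok")


if __name__ == "__main__":
    svc = LoginService()
    secret = secrets.token_bytes(20)
    svc.register("alice", "correct horse battery staple", secret)
    print(svc.login("alice", "laptop-1", totp_code(secret, 1), "correct horse battery staple", counter=1))
    svc.approve_device("alice", "laptop-1")
    print(svc.login("alice", "laptop-1", totp_code(secret, 1), "correct horse battery staple", counter=1))
```

The `reason` field belongs in the server’s audit log, where the detection logic for stuffing can count `device_not_verified` events per source; the `message` field is the only thing that crosses the wire. The RFC 4226 test secret `12345678901234567890` gives `287082` at counter 1, which is a quick way to confirm the TOTP helper is correct.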
In cyberwar, it is important to stay one step ahead of threat actors. Users who don’t take the time and effort to stay protected are the most likely to be victimized, so keep your passwords close – and your master passwords closer.