Well, it is now World Password Day 2020, and not surprisingly passwords are still not dead. Since we will continue to live with passwords for the foreseeable future, here are some unorthodox tips on how to further protect your digital accounts from Account Takeover fraud.
Requirements: Password Manager, Custom email domain
The best way to protect your digital accounts is to never reuse the same password (as password reuse leads to Credential Stuffing attacks which leads to Account Takeover fraud). This recommendation can be taken a step further by never reusing the same Username.
In order to do this, you will need to register your own custom domain name. For example you may want to register something like “pizza-jungle-salad.xyz”. This will cost between $5-50/year depending on the domain and the Domain Registrar.
Now when you want to sign up for a new website you can use a custom and single-use username such as firstname.lastname@example.org. Make sure you save this unique username and password in your trusty Password Manager. For added convenience, you could also forward emails sent to *@pizza-jungle-salad.xyz to your real email inbox.
An additional bonus to this approach is you will be able to easily determine which website or organization has suffered a breach and has leaked your custom email address, or if that organization has sold your custom email address to advertisers.
Requirements: Password Manager
When data breaches occur, many times the Security Question & Answers or Password Recovery Questions are also part of the breach. This becomes a problem when you provide real information to questions such as “What is your mother’s maiden name?” or “What was the name of your high school mascot?” as fraudsters will be able to use this information to take over your accounts, or perform Social Engineering attacks.
Instead of providing your real information, enter something else (anything else) as long as you are tracking down the information you provide in your trusty Password Manager.
Requirements: Password Manager
Credential Stuffing attack tools use “Combolists” which are pairs of usernames and passwords in a consistent format.
Combolists are generally seen in the following format:
In many cases the character that signifies the end of the username and the start of the password is one of the following characters:
| (vertical bar)
(Above is a screenshot of a Credential Stuffing tool with “:” used a delimiting character)
Because these characters are used as delimiting characters, it can be beneficial to use a few of these characters in your password in order to disrupt the attacker’s process and toolkit. For example:
At a bare minimum this tactic will frustrate the attacker as he/she will need to perform some additional data grooming before launching the Credential Stuffing attack, and anytime you can slow down or frustrate an attacker is a good thing.
Here’s hoping that these tips will be useful and Credential Stuffing is not as hot a topic on World Password Day 2021!