New York Takes on Credential Stuffing and Passwords

In January, New York State Attorney General Letitia James announced the results of an investigation into credential stuffing, which is defined as:

“repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services … It relies on the widespread practice of reusing passwords as, chances are, a password used on one website was also used on another.

In a typical credential stuffing attack, an attacker may submit hundreds of thousands, or even millions, of login attempts using automated, credential-stuffing software and lists of stolen credentials downloaded from the dark web or hacking forums. Although only a small percentage of these attempts will succeed, through the sheer volume of login attempts, a single attack can nevertheless yield thousands of compromised accounts.”

The investigation found that over one million accounts were compromised in cyberattacks at 17 well-known companies, including those in the online retail, restaurant, and food delivery sectors. Not a surprising outcome and it's been reported that credential stuffing will increase over the coming weeks.

According to the Attorney General’s alert, consumers are advised to strengthen their password security as follows:

• Never reuse passwords

  • Reusing passwords may be easy, but it comes at the cost of weakened security.

• Use a password manager

  • The easiest way to solve the challenge of remembering unique passwords. There are password managers that offer a fully featured free version across unlimited logins, passwords, and devices; are open source; and benefit from the constant feedback of a vibrant and engaged community of users.

• Enable two-factor authentication

  • This one extra step makes a big difference.

• Check regularly for unauthorized activities

  • Don’t rely on companies to contact you. Be proactive about monitoring unauthorized activities.

• Sign up for updates

  • The state recommends consumers sign up for a breach notification service like Have I Been Pwned, a useful service that is also part of the Bitwarden premium offering.

• Take suspicious activity seriously

  • Very rarely will something happen because of a “glitch.” Don’t brush off strange device or account behavior and unexpected account management emails. Change your password - or better yet, deploy a password manager to help you manage your affairs.

For a more detailed explanation of each recommendation, please view the alert.

The Attorney General’s clear and definitive guidance can help the average user adopt password security best practices. Clear directions like these are hard to come by - even from institutions that should know better, such as federal government agencies.

In early February, Bitwarden unveiled its State of Password Security: A report and assessment of security advice from U.S. Federal Agencies. The report seeks to engage and educate everyone who uses passwords on the best practices coming from the federal government, including places where there is room for improvement. It ranks agencies based on their adherence to certain password security criteria.

• Recommends use of a password manager

• Calls out importance of strong passwords

• Cites need for 2FA/MFA to further support password security

• Overall security advice is up-to-date and adheres to NIST guidelines

• Lays out password security recommendations in a clear, digestible, and easy-to-find manner

While agencies like the National Institute of Standards and Technology (NIST) fared very well, others such as the White House, the Department of Homeland Security, and the FBI, are less structured. Given the sometimes disjointed nature of government-issued password tips, the New York state Attorney General's common sense approach is refreshing and notable. It’s reminiscent of another standout agency, the Federal Trade Commission (FTC).

Have some thoughts on password policy advice from local, state, or federal agencies? Follow Bitwarden on Twitter to let us know.

Want to get started with a password manager today? Set up a free Bitwarden account right away, or sign up for a free trial so your business and colleagues can stay protected.