back to article Credential-stuffers enjoy up to 2% attack success rate – report

Hackers achieve a success rate of 0.1 to 2 per cent when reusing stolen credentials to access other sites, according to a new study by Shape Security. More than three billion credentials were reported stolen worldwide in 2016, with 51 companies admitting a breach. These stolen credentials are routinely abused by cybercriminals …


    Aha - for once somebody correctly stating that it's the user-name/password combination reuse...

    ... that's the problem. This is ANOTHER reason why 'your email is your user-name' is a Bad Idea.

    1. Lotaresco Silver badge

      Re: Aha - for once somebody correctly stating that it's the user-name/password combination reuse...

      Yes, a good point, well made. Have an upvote.

    2. Lee D Silver badge

      Re: Aha - for once somebody correctly stating that it's the user-name/password combination reuse...


      My emails are all

      And if you try to fake an initial username or guess one, you better know my rules for calculating the number that goes at the end of the username or it will fail verification and be blocked as spam.

      In and of itself, the email address is not a problem. It's just a username after all. And we assume that people use usernames that you can work out. This is why your fingerprint is also only a username, too.

      But any authentication is based on something only you have (a username, an email link, a security token, a fingerprint, etc.) to say who you are trying to be, and something only you know which can be changed at will only by you (a password) to prove you are actually them. Pretending that there's any security in just the first is a nonsense.

      The problem is - as always - password re-use alone. And that can be solved by standard, already existing security procedures.

      Telling people they have to have a unique username just puts you back in the "What the hell was my unique login for this service because it wouldn't let me have any of my usual ones" trap where to find it out you have to reset the password which, generally, needs your email address.

      All that really matters is that you have entropy (a good password), not where it is spread across (combination of username and password). But most people still use stupid passwords (8-character, entire-ASCII-set password is HALF AS STRONG as a 10-character alphabetical password).

      Every extra character in your password multiplies its strength by the size of the alphabet (e.g. 26 / 52 / 255).

      Every extra symbol in your alphabet increases its strength by 1 DIVIDED BY the size of the alphabet.

      Long, "easy" passwords are much better than anything we enforce as an industry standard.

      And if you're suggesting unique passwords for every service, you want something people stand a chance of remembering, or securing a list with one INCREDIBLY strong password.

      And password re-use is not an issue if the services that you reuse passwords on have no more access than the other services that use that same password. My Register password won't let you log in to my bank, and my Amazon password won't let you into my servers. But the Reg password might well, for example, allow you to post on other forums that also have no personal information of mine on them. Big whoop.

      Strong passwords. Multiple levels (rubbish to this "everything unique" stupidity, it shows a complete misunderstanding of the human machine, and what you're trying to achieve).

      Pretty much, nothing else matters.

    3. Paul Crawford Silver badge

      Re: Aha - for once somebody correctly stating that it's the user-name/password combination reuse...

      Email as user-name may be a bad idea in terms of re-use, but it has two great advantages:

      1) Users remember it

      2) It is, by definition, unique. So they only have to go though the hassle of "johndoe123", nope that names is taken, OK then "johndoe124", process the once.

      The practice of checking against known easy or spilled passwords is a good idea, as is allowing long passwords that are phrases (and checking for horses & staples as well).

  2. Lotaresco Silver badge

    Choosing a password

    It should be fairly easy. Nothing on a list of compromised credentials. Nothing with more than two repeated characters, reasonably long (at least nine characters) but permitted to be very long (255 chars?), read XKCD, some guidance on memorable passwords, stop trying to insist that people use "special" characters and random passwords because they only way they can use those is to write them down. SpandauGold45 is a perfectly good, strong password but many sites won't accept it the same sites will accept 12345! because their rules state that a special character makes a strong password.

    And, possibly, supply a password generator that applies these rules and suggests a password to the user. Render the password into a bitmap and present that to them, rather than the text.

  3. David Nash

    "Special" characters...

    ...are only special to a human, so are only a defence against a human trying to guess your password.

    To an automated brute force attack, $, ! and the like are just more characters. No reason to mandate them that I can see.

    1. Mage Silver badge

      Re: "Special" characters...

      1) all lower case = 26

      2) all upper case

      3) both = 52

      4) add numbers = 62

      5) add others (approx 36) = 98 characters.

      Length 8 or more.

      MUCH harder for a machine brute force. if you are level 5 rather than level 1 or 2. They try 1 & 2 first.

      They try dictionary words, then with suffixed digits, then with like 4 replacing A and 1 replacing l etc...

      I'd rather that they have to try all 98+ possible characters in each of 8 to 10 positions, than 26 in 6 positions.

      You ought to be able to use ç ß ð Ð á é í ó ö etc too, but some programmers seem to believe in 7 bit ASCII

  4. Anonymous Coward
    Anonymous Coward

    Rembering passwords wouldn't be a problem, if...

    Everyone stopped telling people they need an unique complex password for every shitty website they visit that insists an account/login is a necessity.

    The people is see in daily life only have room for a few easy recall passwords, therefore they should be used for important sites like those linked to your money and the email accounts you use that allow password resets.

    If a site insists on storing personal info or credit card details, log back in after paying and make the data inaccurate.

    My reg pass would be pretty easy to crack, go ahead and post something terrible as me, see if I care.

  5. Mage Silver badge


    I'm amazed it's not much more than 2%.

    It's simple, write ALL email, website, username, passwords in an address book NEVER kept with computer / phone / tablet. Somewhere secure that's accessible when you are dead.

    Let the password manager on OS / Browser/email etc remember all the stupid site logons, not any involving money. Use a master password.

    I memorise two passwords and 3 PINs. My usual laptop login, my master password and PIN for three pieces of plastic. These are written down somewhere safe. I might get knocked down or mugged even putting out the bin.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021