Credential stuffing attacks, in which attackers automate numerous attempts to compromise a large number of user accounts with stolen passwords, are rising exponentially.
New figures from Auth0 claim that despite credentials threats rising, the use identity management tools, or other security systems designed with minimizing the risk of attack often get deprioritized.
In the first 90 days of the year, Auth0 has found, credential stuffing took up 16.5% of all attempted login traffic on its platform. At the end of March, the figure peaked at more than 40%. The two industries bearing the brunt of these blows are travel & leisure, and retail.
- Here’s our list of the best business password managers right now
- We’ve built a list of the best identity theft protection on the market
- Check out our list of the best security keys available
Approximately 15% of all attempts to register a new account, Auth0 has further discovered, can be attributed to bots. In the same timeframe of 90 days, Auth0 has seen more than 26,000 breached passwords every day. On the most peaceful of days, there was “only” 7,300 breached passwords, while the record-breaking February 9 saw more than 182,000.
There could be many reasons to deprioritize security measures, including budget constraints, lack of resourcing, or a lack of attention from the upper echelons of management.
Password a "protective measure from the past"
Besides credential stuffing, which Auth0 claims is the most common threat these days, criminals will often go for fraudulent registration, multi-factor authentication bypass methods, as well as breached password usage.
For Duncan Godfrey, VP of Security Engineering at Auth0, businesses are part of the problem as failure to protect data is “industry-wide”. With criminals expanding their arsenal of automated tools by the hour, and security teams not having a proper horse for the race, the “humble password is a protective measure from the past,” he claims.
In today’s world, relying on passwords for security is a risk in itself.
“Despite ongoing guidance around proper password creation and repeated warnings against password reuse, consumers crave convenience and continue to use the easiest and most convenient path for application access,” said Shiv Ramji, Chief Product Officer at Auth0.
“A passwordless future is largely being driven by two primary forces — security and convenience. Companies want to secure the vulnerabilities that come with passwords, and they also want to offer their users a better digital experience.”
- Here's our rundown on the best password generators right now
