Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Credential stuffing and password reuse: what do teams need to change?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: Credential stuffing remains effective because attackers can automate millions of login attempts against reused credentials, and New York’s attorney general found more than one million accounts compromised across 17 well-known companies, according to Bitwarden. Password policy alone is not enough when account takeover can scale faster than user behaviour changes.

NHIMG editorial — based on content published by Bitwarden: State of Password Security and the New York Attorney General's credential stuffing alert

Questions worth separating out

Q: How should security teams reduce credential stuffing risk across user accounts?

A: Teams should reduce credential stuffing risk by combining unique-password enforcement, phishing-resistant MFA, rate limiting, bot detection, and alerting on abnormal sign-in patterns.

Q: Why does password reuse still matter if MFA is enabled?

A: Password reuse still matters because MFA coverage is rarely universal, and some sessions, device flows, or helpdesk processes can be abused around it.

Q: What do security teams get wrong about credential stuffing?

A: Many teams treat credential stuffing as a consumer behaviour problem when it is also an identity control problem.

Practitioner guidance

  • Eliminate password reuse at the identity source Require unique passwords through approved password managers and remove exceptions that allow memorised reuse for privileged or high-risk accounts.
  • Enforce MFA where credential stuffing is most profitable Prioritise phishing-resistant MFA for remote access, administrative accounts, and any account that can initiate payments, data export, or policy changes.
  • Instrument sign-in telemetry for automation patterns Detect rapid retry bursts, distributed login attempts, impossible travel, and repeated failures followed by success.

What's in the full article

Bitwarden's full article covers the practical password security advice and report context this post intentionally leaves at the source:

  • Agency-by-agency scoring and the criteria used to rank federal password guidance
  • The full set of consumer recommendations, including password managers, 2FA, and breach alerts
  • The detailed assessment of where federal advice aligns with NIST guidance and where it falls short
  • Practical examples of how to interpret the New York Attorney General's alert in day-to-day account security

👉 Read Bitwarden's assessment of password security guidance and credential stuffing →

Credential stuffing and password reuse: what do teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Password reuse remains a systemic identity control failure, not a user education issue. Credential stuffing succeeds because organisations still rely on secrets that users can copy, reuse, and leak outside the enterprise boundary. The control gap is the assumption that password rules alone can preserve account assurance after credentials have already escaped elsewhere. Practitioners should treat reuse as an identity lifecycle problem, not a messaging problem.

A question worth separating out:

Q: Who is accountable when credential stuffing leads to account takeover?

A: Accountability typically sits with the organisation that controls the authentication system, because it owns the risk decisions around MFA, password policy, detection, and abuse response. Regulators and auditors increasingly expect documented controls for access management and incident handling. For sensitive accounts, the relevant standard is not whether the user behaved perfectly, but whether the organisation made takeover materially harder.

👉 Read our full editorial: Credential stuffing shows why password reuse still breaks account security



   
ReplyQuote
Share: