TL;DR: Credential stuffing reuses stolen usernames and passwords across multiple login systems, and 1Kosmos notes that 193 billion attacks were seen in 2020 alone, with fraud, account takeover, and further compromise following reused credentials. Password-first identity still breaks when attackers can automate valid login attempts at scale.
NHIMG editorial — based on content published by 1Kosmos: credential stuffing and how stolen credentials are reused across login systems
By the numbers:
- There were 193 billion credential stuffing attacks in 2020 alone.
- 1Kosmos verifies identity anywhere, anytime, and on any device with over 99% accuracy.
Questions worth separating out
Q: How should security teams reduce credential stuffing risk in enterprise environments?
A: Start by reducing reliance on reusable passwords, then add controls that make stolen credentials less useful.
Q: Why do reused passwords make credential stuffing so effective?
A: Because a reused password turns one breach into many possible login successes.
Q: What do organisations get wrong about CAPTCHA and password defense?
A: They often treat CAPTCHA and password complexity as if they solve identity assurance.
Practitioner guidance
- Enforce phishing-resistant authentication for high-risk access: move privileged and sensitive user flows away from password-only or password-plus-secondary-password designs and toward phishing-resistant methods that do not rely on reusable shared secrets.
- Block credential reuse at the policy layer: detect and deny known-compromised passwords at sign-in, then require reset and step-up verification before the account can be trusted again.
- Tune detection for automation-driven login abuse: set thresholds for failed attempts, geo-velocity anomalies, and session reuse patterns so automated testing of credentials is surfaced before account compromise succeeds.
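The detection guidance above (failed-attempt thresholds and geo-velocity anomalies) as a worked example over constructed authentication log lines. This is added code, not 1Kosmos' or NHIMG's; the log format, IP addresses, coordinates and thresholds (five distinct usernames, 80% failure ratio, 900 km/h) are assumptions chosen for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log (not real traffic): time, source IP, username, outcome, lat, lon
SAMPLE_LOG = """\
2024-05-01T09:30:00Z 192.0.2.9 frank SUCCESS 35.68 139.69
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL 51.50 -0.12
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL 51.50 -0.12
2024-05-01T10:00:03Z 203.0.113.7 carol FAIL 51.50 -0.12
2024-05-01T10:00:04Z 203.0.113.7 dave FAIL 51.50 -0.12
2024-05-01T10:00:05Z 203.0.113.7 erin FAIL 51.50 -0.12
2024-05-01T10:00:06Z 203.0.113.7 frank SUCCESS 51.50 -0.12
2024-05-01T10:05:30Z 198.51.100.4 alice SUCCESS 40.71 -74.01
"""

def parse_log(text):
    """Parse lines into (timestamp, ip, user, outcome, lat, lon) tuples, oldest first."""
    rows = (line.split() for line in text.splitlines())
    return sorted((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome, float(lat), float(lon))
                  for ts, ip, user, outcome, lat, lon in rows)

def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Flag IPs that try many distinct usernames and mostly fail: a stolen list being replayed."""
    per_ip = {}
    for _, ip, user, outcome, _, _ in events:
        per_ip.setdefault(ip, []).append((user, outcome))
    return sorted(ip for ip, tries in per_ip.items()
                  if len({u for u, _ in tries}) >= min_users
                  and sum(o == "FAIL" for _, o in tries) / len(tries) >= min_fail_ratio)

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in km, Earth radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag users whose consecutive successes imply faster-than-airliner travel."""
    last, flagged = {}, set()
    for ts, _, user, outcome, lat, lon in events:
        if outcome != "SUCCESS":
            continue
        if user in last:
            pts, plat, plon = last[user]
            hours = max((ts - pts).total_seconds() / 3600, 1 / 3600)  # floor at one second
            if km_between(plat, plon, lat, lon) / hours > max_kmh:
                flagged.add(user)
        last[user] = (ts, lat, lon)
    return sorted(flagged)
```

The single-user IP with one failure and one success is deliberately not flagged, which is the difference between a mistyped password and a list being sprayed; the geo check catches the account whose stolen password succeeded from a second continent within the hour.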
What's in the full article
1Kosmos' full article covers the operational detail this post intentionally leaves for the source:
- A breakdown of the common password compromise paths, including database breaches, phishing, and brute force.
- A practical explanation of why secondary passwords are not the same as multi-factor authentication.
- A vendor walkthrough of passwordless authentication features and how they are positioned against credential stuffing.
- A discussion of the platform's identity proofing, SIM binding, and integration model for deployment teams.
Credential stuffing and password reuse: where identity controls fail?