If cyber criminals hack an account, they can do a lot of mischief. And the damage is not always limited to one online service. How to protect yourself against credential stuffing.

Hanover (dpa/tmn) – Anyone who wants to protect their accounts should be creative and use a different password for each service. That is the advice of the technology magazine “c’t” in its current issue (12/20). Otherwise, cyber criminals have an easy time of it.

If users use only one password for different services, criminals who spy out the login data can use it for all of those accounts. Often the operators of the online services do not notice this, since the scammers are using the access data of a normal user.

Usual defense mechanisms fail

The captured login data often serves as the basis for further attacks; experts speak of credential stuffing. Often, the scammers also use botnets to enter the login data from any number of IP addresses.

Built-in defense mechanisms often fail. According to “c’t”, however, this does not relieve the operators of a service of their responsibility. They should at least try to detect and block such attacks. After all, more and more services offer two-factor authentication. According to “c’t”, this is good protection against strangers accessing your own account.
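Why per-IP defenses fail against a botnet, and what an operator can look at instead, as an added example that is not from “c’t” or the original article. The log rows, field layout, function names and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: 12 bot IPs each try one leaked username/password pair,
# one pair works (carol); alice mistypes once earlier and then logs in.
def sample_log():
    t0 = datetime(2020, 5, 1, 3, 0, 0, tzinfo=timezone.utc)
    early = t0 - timedelta(hours=2)
    rows = [(t0 - timedelta(days=1), "198.51.100.7", "carol", "ok"),
            (early, "198.51.100.9", "alice", "fail"),
            (early + timedelta(seconds=20), "198.51.100.9", "alice", "ok")]
    for i in range(12):
        user = "carol" if i == 5 else f"user{i}"
        rows.append((t0 + timedelta(seconds=5 * i), f"203.0.113.{i + 1}",
                     user, "ok" if i == 5 else "fail"))
    return rows

def bucket(ts, window):
    """Index of the fixed time window a timestamp falls into."""
    return int(ts.timestamp() // window.total_seconds())

def per_ip_lockout(rows, max_failures=5):
    """Classic defense: block any IP with more than max_failures failures."""
    fails = Counter(ip for _, ip, _, res in rows if res == "fail")
    return {ip for ip, n in fails.items() if n > max_failures}

def stuffing_windows(rows, window=timedelta(minutes=5), min_users=10):
    """Windows in which failures hit many distinct accounts, whatever the IP."""
    users = defaultdict(set)
    for ts, _, user, res in rows:
        if res == "fail":
            users[bucket(ts, window)].add(user)
    return {k for k, u in users.items() if len(u) >= min_users}

def suspicious_successes(rows, window=timedelta(minutes=5), min_users=10):
    """Successful logins inside a flagged window from an IP new to the account."""
    hot = stuffing_windows(rows, window, min_users)
    known, hits = defaultdict(set), []
    for ts, ip, user, res in sorted(rows):
        if res != "ok":
            continue
        if bucket(ts, window) in hot and ip not in known[user]:
            hits.append((user, ip))
        known[user].add(ip)
    return hits

if __name__ == "__main__":
    log = sample_log()
    print("per-IP lockout blocks:", per_ip_lockout(log))
    print("accounts to re-verify:", suspicious_successes(log))
```

The per-IP counter stays empty because each address sends a single attempt, while the count of distinct accounts failing in one window exposes the run and singles out the one login that succeeded during it.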


To create a secure password, the Federal Office for Information Security (BSI) advises a minimum of eight characters and a mix of special characters, numbers, and uppercase and lowercase letters. As a general rule: the longer the combination, the better.

For users who want to protect themselves, the experts at “c’t” recommend a password manager such as KeePass. This offers two advantages: it stores the access data securely and generates a new, sufficiently secure password for each new service.

In addition, they recommend that users check whether a password has already been cracked. This is possible, for example, with the Identity Leak Checker of the Hasso Plattner Institute.

HPI: Identity-Check