Credential stuffing: How 1Password protects you against it

by Marius Masalar

Several layers of protection guard the data you store in 1Password, but is it enough to defend against cyberattacks like credential stuffing?

Few things are scarier than getting an email about someone trying to log into one of your accounts. Doubly so when that account is for your password manager.

The good news is that by using 1Password, you’re already protected against the most common type of cyberattack that triggers these emails: credential stuffing.

What is credential stuffing, and how does it work?

Modern cyberattacks rarely involve actual hacking.

It’s become easier and more effective to simply use credentials stolen from data breaches without wasting time trying to crack individual passwords. Hackers use specialized software to make login attempts against popular web services using those stolen credentials on a massive scale. This type of attack is known as credential stuffing.

By now, we’ve all learned that data breaches are a fact of life online. In 2021, they were at least 17% more prevalent compared to 2020, which means there are many more stolen or leaked credentials available for bad actors to use in their attempts.

Adversaries are relying on the fact that many people re-use their passwords across multiple accounts. If a password from a relatively unimportant account – say your favourite site for sharing cat photos – is obtained through a data breach, they can attempt to use that same username/password combination to access your social media accounts, work software, and even online banking.

In general, credential stuffing attacks are like spam email: they operate on a huge scale but rarely produce results. Some estimates suggest credential stuffing results in successful account access only 2% of the time. But when you consider that a single data breach can contain 1 million user credentials, that still means 20,000 compromised accounts.

How 1Password protects against credential stuffing attacks

A successful credential stuffing attack relies on two things:

  1. Access to stolen or leaked credentials from a data breach.
  2. People re-using their passwords across multiple sites.

As individuals, there isn’t much we can do to prevent our credentials being leaked or stolen when a service we use suffers a data breach.

Luckily, we can address the second point easily by using 1Password to generate strong, unique passwords for each account we use. That way, even if an attacker uses stolen credentials to access one account, they can’t use that same password to gain access to anything else – because you’ve only used it in one place.

Of course, that still leaves the question of your 1Password account itself; what happens if someone were to guess or obtain your account password? 1Password’s security model is carefully designed not to rely on any single point of failure, so the short answer is: nothing.

Here’s how it works.

Three things are required to decrypt your data:

  1. Your account password (the artist formerly known as “Master Password”).
  2. An additional encryption ingredient known as the Secret Key.
  3. The encrypted vault data itself.

Only you know your account password, and your Secret Key is generated locally during setup. The two are combined on-device to encrypt your vault data and are never sent to 1Password.

Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who guesses or steals your account password would be able to access your vaults.
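The property described above, that a correct account password alone does not yield the vault key, can be shown with a simplified two-secret derivation. This is an added example, not 1Password's code: the PBKDF2/HKDF/XOR construction, the iteration count, the labels and the sample values are all assumptions chosen for illustration.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # assumed work factor, kept low so the demo runs quickly

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_vault_key(password, secret_key, salt):
    """Combine a memorised password with a high-entropy device secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    mixed = hkdf_sha256(secret_key, salt, b"two-secret-demo")  # hypothetical label
    # XOR: the result is only correct if BOTH inputs are correct.
    return bytes(p ^ s for p, s in zip(stretched, mixed))

def enroll(password, secret_key, salt):
    """Stand-in for encrypting the vault: a tag only the right key reproduces."""
    key = derive_vault_key(password, secret_key, salt)
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()

def can_unlock(password, secret_key, salt, vault_tag):
    """True only when the derived key matches the one used at enrollment."""
    key = derive_vault_key(password, secret_key, salt)
    candidate = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault_tag)

if __name__ == "__main__":
    salt = bytes(16)                          # constructed sample values
    secret_key = b"A3-CONSTRUCTED-SECRET-KEY"
    tag = enroll("reused-password", secret_key, salt)
    # A stolen password without the device-held Secret Key does not unlock.
    print(can_unlock("reused-password", secret_key, salt, tag))
    print(can_unlock("reused-password", bytes(len(secret_key)), salt, tag))
```
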

When you sign in to your 1Password account, your information is further protected by a unique communication system that ensures neither your account password nor your Secret Key is ever sent over the network.

Industry-standard Transport Layer Security (TLS) provides a first line of defence, but we’ve bolstered it with a custom protocol known as Secure Remote Password (SRP). With SRP, another encryption key generated on-device protects your information in transit even if someone manages to decrypt TLS.

Furthermore, this encryption key is different for each session, so an attacker who manages to record one authentication session won’t be able to use that information to make an intrusion attempt.

SRP also proves to the server that the 1Password app has a secret that can only be derived using the correct account password and Secret Key. Similarly, it proves to the 1Password app that the server has the correct verifier, which guarantees the connection is with the genuine 1Password server and not an impostor.
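The SRP properties described above (no secret on the wire, a fresh key per session, and proof in both directions) can be seen in a compact SRP-6a handshake. This is an added example, not 1Password's implementation: the toy group, the hash layout and the sample secret are assumptions, and both sides run in one function only so the exchange fits on a page.

```python
import hashlib
import secrets

# Constructed toy group so the example runs instantly: N is the Mersenne prime
# 2**127 - 1 and g = 3. Production SRP uses large safe-prime groups (RFC 5054).
N = 2**127 - 1
g = 3

def H(*parts):
    """SHA-256 over the concatenated parts, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big")

def make_verifier(secret, salt):
    """Enrollment: the server stores only salt and v = g^x, never the secret."""
    return pow(g, H(salt, secret), N)

def srp_login(client_secret, salt, server_verifier):
    """One handshake; returns the wire messages and each side's verdict."""
    k = H(N, g)
    # Client -> server: A = g^a (a is a fresh random value every session).
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    if A % N == 0:
        raise ValueError("server must reject A = 0 mod N")
    # Server -> client: B = k*v + g^b (b is fresh every session too).
    b = secrets.randbelow(N - 2) + 1
    B = (k * server_verifier + pow(g, b, N)) % N
    u = H(A, B)
    # Each side derives the session key from its own private inputs.
    x = H(salt, client_secret)
    K_client = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    K_server = H(pow(A * pow(server_verifier, u, N) % N, b, N))
    # Client -> server: proof M1. Server -> client: proof M2.
    M1 = H(A, B, K_client)
    server_accepts = M1 == H(A, B, K_server)
    M2 = H(A, M1, K_server)  # a real server sends M2 only after accepting M1
    client_accepts = M2 == H(A, M1, K_client)
    return {"wire": (salt, A, B, M1, M2), "server_accepts": server_accepts,
            "client_accepts": client_accepts, "session_key": K_client}
```

Only the values in `wire` are transmitted; a recording of them does not help in a later session because `a`, `b` and the resulting key change each time.
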

Simply by using 1Password, you’re already going above and beyond to protect yourself.

How to protect yourself from credential stuffing

Be proactive about your online safety by keeping these simple guidelines in mind:

  1. Always use 1Password to generate strong, unique passwords for every account.
  2. Make sure your account password for 1Password.com is sophisticated, memorable, and not used for anything else.
  3. Close old accounts you don’t need anymore; with fewer accounts, you’re less likely to be involved in a data breach.

1Password also provides additional capabilities for those who want to further lock down their secrets:

  1. Set up two-factor authentication for any accounts and websites that support it. This provides an additional layer of defense that can save you in the event that someone manages to obtain your password for those accounts, whether from a data breach or any other method.
  2. Let Watchtower act as your personal security guard, helping you identify weak or reused passwords and optionally monitoring your account for credentials that have been involved in a data breach. If any of your accounts are compromised in a breach, you’ll receive a notification so you can reset those passwords before anyone has a chance to abuse them. You can also use Watchtower to see which sites you haven’t activated two-factor authentication for yet.

Staying safe online doesn’t have to be complicated or confusing. With 1Password, you benefit from better security without the hassle.


Marius Masalar - Manager, Content
