5

My buddy told me a 12-character password was overkill until he got hit by a credential stuffing attack

I've been telling my friend Mike for years to use a proper password manager and set up 2-factor authentication. He kept saying 'nobody cares about my Steam account' and used 'football98' for everything. Last month someone got into his email, then his bank, then his PayPal. Cost him about $400 before he noticed. He finally listened after that. Has anyone else had that one friend who just refuses until something bad happens?
2 comments

drew805, 26d ago
Dude, the "nobody cares about my account" mindset is insane to me because these attacks are completely automated. Bots aren't picking targets, they're just spraying stolen password lists at every login portal they can find. My cousin had the same exact attitude, used the same password for his gaming accounts, his work email, and his Amazon. His account got hit on some old forum leak, and then they used that to get into his Shopify store he ran on the side. Took him two weeks to get his seller account back and he almost lost his whole side business over a password he'd been using since high school. People don't realize that once your password is in one leak, it's basically public knowledge for every script kiddie out there.
2
skylerw87, 25d ago
Honestly, what people also miss is that these bots don't just hit the main login page. They'll try your email and password on a ton of random smaller sites you probably forgot you even signed up for. My buddy had an old Neopets account from like 2005 that got breached, and they used that password to try logging into his PayPal five years later. The bots are patient, they'll sit on those lists and try them everywhere until something sticks. Ngl, the real danger is how long the chain stays active once one password gets out.
7