What Is Credential Stuffing (and How to Stop It)

Security Hygiene · 2 min read

Credential stuffing is one of the most common and effective attacks on personal accounts, and it works for one reason: people reuse passwords. Understanding it makes the case for unique passwords more concrete than any abstract advice ever could. Here is how the attack works and exactly how to stop it.

How credential stuffing works

The attack is mechanical:

  1. A website is breached, and attackers obtain a list of email-and-password pairs.
  2. They feed that list into automated software.
  3. The software tries each pair against many *other* sites — banks, email providers, shops, social networks.
  4. Wherever someone reused the same email and password, the login succeeds, and the attacker takes over that account.

The name comes from "stuffing" stolen credentials into login forms at scale. Attackers can test millions of combinations cheaply, so even a small reuse rate yields many compromised accounts.
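The mechanical pattern above is also what makes the attack visible on the receiving end. The following is an added example, not code from the original post: it scores login attempts per source address for the two signals credential stuffing leaves in server logs (many distinct accounts tried from one source, mostly failing) and lists which accounts the flagged source actually got into. The log format and the sample lines are constructed for the example, and the thresholds are illustrative.

```python
"""Score login sources for credential-stuffing behaviour.

Added example for this post, not code from the original page. The log
below is a constructed sample in a hypothetical format, one attempt per
line: "<timestamp> <source_ip> <email> <OK|FAIL>". The tell-tale signal
described in the post, one automated source trying many different
accounts with mostly failures, is what the scoring looks for.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.7 walks a leaked list across six accounts and
# succeeds once (carol reused her password); 198.51.100.23 is a real user
# who mistypes twice; 198.51.100.40 logs in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 carol@example.com OK
2024-05-01T10:00:03 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:03 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:04 203.0.113.7 frank@example.com FAIL
2024-05-01T10:01:10 198.51.100.23 alice@example.com FAIL
2024-05-01T10:01:25 198.51.100.23 alice@example.com FAIL
2024-05-01T10:01:40 198.51.100.23 alice@example.com OK
2024-05-01T10:02:00 198.51.100.40 bob@example.com OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)


def parse_log(text):
    """Return (timestamp, ip, email, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, email, result = parts
        events.append((ts, ip, email.lower(), result.upper()))
    return events


def score_sources(events):
    """Aggregate per source IP: attempts, failures, distinct accounts."""
    stats = defaultdict(SourceStats)
    for _, ip, email, result in events:
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(email)
        if result != "OK":
            s.failures += 1
    return stats


def flag_stuffing_sources(events, min_accounts=5, min_fail_rate=0.8):
    """Sources that tried many distinct accounts and mostly failed.

    A genuine user who forgets a password hits one account with a high
    failure rate; a stuffing tool hits many accounts. Requiring both
    signals keeps false positives down (thresholds are illustrative).
    """
    flagged = {}
    for ip, s in score_sources(events).items():
        fail_rate = s.failures / s.attempts
        if len(s.accounts) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "accounts_tried": len(s.accounts),
                "attempts": s.attempts,
                "fail_rate": round(fail_rate, 2),
            }
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into successfully: these are the
    reused passwords the attack found, and the ones to force-rotate."""
    return {email for _, ip, email, result in events
            if ip in flagged and result == "OK"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = flag_stuffing_sources(evs)
    for ip, info in hits.items():
        print(f"{ip}: {info}")
    print("force password reset for:", sorted(accounts_to_reset(evs, hits)))
```

Run as written, it flags only 203.0.113.7 (six accounts, five failures) and names carol@example.com as the account whose reused password the list found; the real user who mistyped twice is not flagged because only one account was involved. On a production site the same two counters would be kept per source over a sliding window rather than over a whole file.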

Why it is so effective

Credential stuffing does not crack or guess passwords — it reuses ones that already work somewhere. It exploits a purely human habit: using the same password across sites because remembering unique ones is hard. As long as that habit exists, breaches at unrelated sites keep cascading into compromised accounts elsewhere. It is also why a breach at a trivial site you forgot about can endanger your email or bank.

The one defense that actually stops it

Credential stuffing has a single, complete countermeasure: use a unique password for every account. If each account has its own password, a pair leaked from one site simply does not work anywhere else. The attack collapses.

The challenge is that nobody can remember dozens of unique passwords — which is exactly why password managers exist. A manager generates and stores a unique strong password per account, so uniqueness becomes effortless. See how to stop reusing passwords and what is a password manager.

A strong second layer: 2FA

Even with unique passwords, enabling two-factor authentication adds insurance: if a password is ever exposed, the attacker still cannot log in without your second factor. Credential stuffing tools fail against accounts protected by 2FA. See 2FA vs password manager.

What to do today

  1. Stop reusing passwords. Give every account its own, using a manager.
  2. Check whether your passwords have leaked with the password leak checker, and rotate any that appear.
  3. Turn on 2FA for important accounts.
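Step 2 raises an obvious question: how can a leak checker test your passwords without you handing them over? The following is an added example, not the post's own leak checker and not Passlock code. It implements the k-anonymity range lookup published for Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex digits of the password's SHA-1 hash and matches the rest locally). The breach corpus and the server stand-in are constructed so the example runs offline; the real endpoint is https://api.pwnedpasswords.com/range/<prefix>.

```python
"""Leak check that never sends the password, using a k-anonymity range lookup.

Added example, not the post's own leak checker and not Passlock code. It
follows the range-query design published for Have I Been Pwned's Pwned
Passwords service: the client hashes the password with SHA-1, sends only
the first five hex digits of the hash, and receives every known hash
suffix under that prefix with a breach count. The real service answers at
https://api.pwnedpasswords.com/range/<prefix>; FAKE_CORPUS and
fake_fetch_range below are a constructed stand-in so this runs offline.
"""
import hashlib

PREFIX_LEN = 5

# Constructed "breach corpus": plaintext -> number of times seen in breaches.
FAKE_CORPUS = {
    "password123": 123456,
    "letmein": 7890,
    "qwerty": 3_900_000,
}

# Everything the stand-in server ever received; shows what a real server learns.
QUERIES_SEEN = []


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str):
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call: returns "SUFFIX:COUNT" lines for every
    corpus entry whose hash starts with `prefix`, in the service's format."""
    QUERIES_SEEN.append(prefix)
    lines = []
    for pw, count in FAKE_CORPUS.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def parse_range_response(text: str) -> dict:
    """Parse "SUFFIX:COUNT" lines into a dict; tolerate blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """Times `password` appears in the corpus, or 0.

    Only the 5-character prefix leaves the client; the suffix match is local.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_vault(vault: dict, fetch_range=fake_fetch_range) -> list:
    """Return (account, count) for vault entries that should be rotated."""
    to_rotate = []
    for account, pw in vault.items():
        n = breach_count(pw, fetch_range)
        if n > 0:
            to_rotate.append((account, n))
    return to_rotate


if __name__ == "__main__":
    # Constructed vault: one reused, well-known password and one unique one.
    vault = {"bank": "letmein", "shop": "correct-horse-Z9-unique"}
    print("rotate:", check_vault(vault))
    print("server saw only:", QUERIES_SEEN)
```

Swapping `fake_fetch_range` for a function that performs the real HTTPS request is the only change needed to query the live service; the client-side logic, including the guarantee that only a 20-bit prefix is transmitted, stays the same.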

On a Mac, Passlock makes the first step easy by generating and storing unique passwords offline in the Keychain. With unique passwords plus 2FA, credential stuffing — the attack that powers a huge share of account takeovers — simply stops working against you.

The lesson is blunt: reuse is the vulnerability, and uniqueness is the cure. Credential stuffing is only dangerous to people who reuse passwords.

Frequently asked questions

How is credential stuffing different from password cracking?

Cracking tries to guess or compute a password. Credential stuffing skips that by reusing passwords already leaked from a breach, testing them across many sites to find where they still work.

How do I protect myself from credential stuffing?

Use a unique password for every account so a leaked pair works nowhere else, and enable two-factor authentication so a leaked password alone is not enough.
