Password protection, the key to users’ online security

We live in a post-breach world, and the list of big-name brands and smaller organisations compromised by hackers grows longer with each passing week. With each breach, customer usernames and passwords flood onto the dark web, and even if these credentials are encrypted, that is often no barrier to the resourceful cyber-criminal.


Top tips for users
So, what can you do to help protect yourself? The good news is that a few simple steps can reduce your risk exposure. First, never use the same password on multiple sites, even if you use a different username for each. Second, if a website you use has been breached, change your log-in details as soon as possible. Third, if any website you use (especially key sites such as email, social media and banking) offers Multi-Factor Authentication (MFA), sign up for it. Options such as SecurID tokens and one-time passcodes add another layer of protection and are particularly effective at stopping credential stuffing.

Another option is to use a password manager such as KeePass or LastPass to store your credentials securely. This makes it easier to choose a complex, unique password for each site you visit without having to remember it. According to Digital Guardian, the average internet user* has over 90 passwords to keep track of, a figure that rises to 190 for the average business user** according to Security Magazine.


How can my business help?
Businesses large and small can also play their part. Even after investing in cyber security tools and compliance efforts, they may still not be impervious to credential stuffing. That is why many are taking additional steps, such as comparing credentials known to have been stolen in other breaches against their own customer or user base; in effect, they are running a credential-stuffing attack against themselves. If any matches come up, they force those users to change their credentials immediately. Others look to block the suspicious traffic performing the credential stuffing, for example by checking for botnet activity, which is often linked to these attacks.
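As an added illustration of the self-check described above (example code, not Worldpay's own), the following Python screens a login against a breach corpus indexed by SHA-1 prefix and flags any match for a forced reset. The corpus contents, counts and function names are constructed for this example; a real deployment would load the breach data set the business actually obtained.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the leaked-credential list a business would obtain
# from other breaches; the passwords and counts here are invented for the example.
LEAKED_SAMPLES = {"password": 3_000_000, "123456": 2_500_000, "qwerty": 400_000}

PREFIX_LEN = 5  # index by the first 5 hex characters of the SHA-1 (k-anonymity style)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the usual encoding for breach-list lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(leaked: dict) -> dict:
    """Index the leaked set as prefix -> {suffix: count}, so a lookup needs only the prefix."""
    corpus = defaultdict(dict)
    for password, count in leaked.items():
        digest = sha1_hex(password)
        corpus[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return corpus


CORPUS = build_corpus(LEAKED_SAMPLES)


def breach_count(password: str, corpus: dict = CORPUS) -> int:
    """Number of times this password appears in the corpus; 0 means not seen."""
    digest = sha1_hex(password)
    return corpus.get(digest[:PREFIX_LEN], {}).get(digest[PREFIX_LEN:], 0)


def screen_login(username: str, password: str, corpus: dict = CORPUS) -> dict:
    """Run at authentication time, the only moment the site holds the plaintext:
    a properly salted and hashed stored password cannot be matched against a
    breach list offline, so the comparison happens as the user logs in."""
    count = breach_count(password, corpus)
    return {"user": username, "force_reset": count > 0, "breach_count": count}


if __name__ == "__main__":
    # Constructed login attempts: one reused leaked password, one unique passphrase.
    for user, pw in [("alice", "123456"), ("bob", "correct horse battery staple")]:
        result = screen_login(user, pw)
        action = "force password reset" if result["force_reset"] else "allow"
        print(f"{user}: seen {result['breach_count']} times in breach data -> {action}")
```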

MFA should also be a given: there are many affordable solutions, some free of charge such as Google Authenticator, and they are relatively easy to implement. If you are unfortunate enough to suffer an attack, you can limit the impact by responding as quickly as possible. Blocking bad IPs, adding or changing CAPTCHAs, geofencing authentication pages, resetting customer accounts and, in some cases, temporarily disabling log-ins can all help.

Ultimately, the only thing that stands between a user and an otherwise secure site is often their username and password. You have the power to ensure that your password is as unique, complex and secure as possible. For more information about how Worldpay can help your business visit