Blog: Passwords

Password stuffing: How to avoid breaches from password re-use

Ken Munro 30 Nov 2016

pwstuffConvincing your online retail team to implement 2SV

Given the flurry of high profile customer account ‘hacks’ in the press recently, I thought it worthwhile summarising the various options that online retailers have for preventing this.

The National Lottery, Uber, Tesco Clubcard, and many others have had accounts compromised as a result of password re-use. Customer uses the same password in various places- websites A, B, C, and D.

Site A is breached, credentials are stolen and published. The attacker simply takes the credentials and tries them on multiple other sites, including A, B, and C.


Through the customer’s complacency, their accounts are being compromised and the retailers involved are getting bad press. So, what can retailers do better?

Solve the problem at source

Encourage customers to use password managers. This has been covered many times elsewhere, but why not promote a free password manager on your web site near the login form? Set up a relationship with a password manager vendor, you might even generate some incidental revenue from this!

However, it’ll take more than that to change customer behaviour! So how about this:

2SV – one-time SMS verification

Two step verification (2SV) adds a really important layer of protection. Without having compromised or spoofed the customer’s phone, it’s much harder for an attacker to compromise their online account.

No SMS = No login

Your ecommerce/marketing team may resist. Yes, it does add a one-time layer of complexity to the buying process, but it won’t have any impact on the search engine performance of the site.

If you meet opposition, ask teams that have suffered ‘breaches’ from password re-use if their brand was damaged by the incident.

Also, bear in mind that, once a device (phone, tablet, desktop etc.) is authorised through 2SV, the consumer doesn’t need to go through the process again unless they use a new device, or they want to do 2SV on every login.

Finally, you also capture your customers phone number. That may be useful to you for customer communications in future.

How about doing something really interesting: Incentivise 2SV

Breaches damage your reputation and cost you money. Why not offer customers a DISCOUNT for going through 2SV first time?

MailChimp started offering a 10% discount for customers that set up 2SV recently. I strongly encourage this – it is a clear demonstration that you’re serious about customer data security, and that is a seriously strong message in these times of high profile breaches.


Assuming you have a cyber liability insurance policy, have a chat with your broker and underwriter. In my experience, if you can show 2SV in widespread use by your customer base, you can probably negotiate a discount on your premium, as you’ll be a lower risk.

Get proactive: Check public breach data for password re-use is an amazing resource; Troy Hunt collates breach data and now offers an API.

Check your customer email addresses using this web service. If you get a positive hit, where a customer email address shows up as having been in a breach, seriously consider resetting their password.

It’s harder to find the actual breached password lists, but if you get a hit from the above API and the breach data is publicly available, consider comparing the hashes to those that you’re storing for that customer. Hopefully you’re salting, so the chance of a direct match is low, particularly if different hash algorithms are in use. Consider instead cracking the hash and then running it through your own user password hashing system.

Get a match? Blat that password and alert the user.

Validate your customers passwords better too

One easy fix would be to hash some popular password lists (such as those on and compare with your customer hashes. Any matches? Reset the password and tell your customer.

How about behavioural metrics?

If you have location data for the customer (e.g. mobile phone) then it would be very odd for an order come from two different locations within a short space of time.

What about delivery addresses? Depending on what you deliver, use of multiple addresses may be very unusual too

Spiky ordering habits may also be unusual too. Is the customer having a party, or are you being ripped off?

Watch out for exceptions to normal process

Putting a clever biometric profiling tool in your mobile app can be really great. Authentication by selfie, typing habits etc. etc. sounds great. But what about when the customer decides to order using your web site instead? No clever biometrics any more, so you have to offer a bypass. That’s what the hacker will exploit…

Customers don’t care: It’s your fault that they re-used passwords!

When under pressure from bad coverage in the press most retailers will refund the consumer. That’s an expensive and brand-damaging process.

It will take time for consumers to change their behaviour to the point where they take more care of their security. In the meantime, you need to do everything possible to create a defensible authentication process that is resistant to password re-use.