Protecting against password reuse
This article describes how Perkville helps protect against credential stuffing, and what you can do to secure your account.
Perkville helps protect your account from credential stuffing, a type of attack in which credentials gathered from previous data breaches (at other products) are used to gain access to a different product. Why does this work? Because many users reuse the same passwords across multiple products and services.
The best way to protect yourself from credential stuffing is to use a password manager, such as iCloud Keychain or 1Password, to generate a secure, unique password at every product you or your staff use.
Perkville helps protect your account by verifying, every time you log in, that your password has not previously been implicated in a data breach at another company. How can we verify this? With the help of web application security expert Troy Hunt's Have I Been Pwned (HIBP), a free and frequently updated database of passwords from known data breaches.
When you log in, we hash your password and send the first five bytes of the hash to HIBP's API. They return a list of matching hashes, and we look for a match to your hash. In this way, your password itself is never sent to HIBP, but we can tell from HIBP whether the password has appeared in a prior breach at another company (not Perkville!).
HIBP also returns the number of data breaches that have included each password, allowing us to generate a helpful message that includes that number.
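The range query described above, as an added Python example that is not Perkville's code. It assumes an offline, constructed stand-in for HIBP's response body; the real endpoint is https://api.pwnedpasswords.com/range/{prefix}, which takes the first five hex characters of the uppercase SHA-1 digest and returns "SUFFIX:COUNT" lines.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for one HIBP range response (the real API returns
# hundreds of suffixes per prefix). The first suffix is the real SHA-1 of
# "password" with its prefix removed; the counts are constructed.
CONSTRUCTED_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:3\r\n"
    ),
}


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to HIBP, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str,
                 lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """Only the prefix leaves the server; the match is done on our side."""
    prefix, suffix = split_hash(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def password_warning(password: str,
                     lookup: Callable[[str], str] = fake_range_lookup) -> Optional[str]:
    """Build the user-facing message, or None when the password is unseen."""
    n = breach_count(password, lookup)
    if n == 0:
        return None
    return f"Your current password has appeared in {n} data breaches."
```

Swapping `fake_range_lookup` for a function that fetches the real URL over HTTPS turns this into a live check; the matching logic is unchanged.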
These validation steps are sanctioned by the Open Web Application Security Project (OWASP).
If you see a message like "Your current password has appeared in [ ] data breaches," all you have to do is follow the reset password flow and select a new password.
We strongly recommend using a password manager, such as iCloud Keychain or 1Password, to generate a secure, unique password for every product you use.
If you use that password on any other service, we strongly recommend updating those other service passwords as well.