What is credential stuffing and how does a unique password stop it?

Credential stuffing uses email-and-password pairs from data breaches to attempt logins on other services. If you reuse passwords, one breach compromises every account sharing that password. A unique randomly generated password per account means a breach of one site has zero impact on any other account. This is the primary defence against credential stuffing and is why the Credential Guard generates a new unique password for every account.

What is the Am I Safe? checklist?

The Am I Safe? checklist is a 5-step verification protocol displayed alongside the password generator. It teaches the checks users should complete before entering credentials anywhere: (1) verify the domain name is correct, (2) confirm HTTPS is present, (3) check whether your password manager autofills, (4) look for urgency manipulation tactics, and (5) navigate directly if uncertain. Completing all five steps before each login eliminates the majority of phishing risk.

Why is HTTPS not enough to verify a login page is legitimate?

HTTPS encrypts the connection between your browser and the server — it does not verify that the server belongs to the organisation you intend to reach. Phishing sites routinely obtain free TLS certificates (from Let's Encrypt) for their domains, displaying the padlock on a fake login page. The domain name must be verified independently of the padlock. A phishing site can have a valid padlock — the domain is what matters.

How does a password manager help detect phishing?

Password managers and browser autofill are domain-bound — they only offer to fill credentials on the exact domain where those credentials were originally saved. If you reach a phishing site (a different domain from the real one) and your password manager does not offer to autofill your credentials, this is a strong signal that the domain is wrong. This works even when the phishing page is visually perfect, because the check is technical rather than visual.

What is phishing-resistant MFA and which methods qualify?

Phishing-resistant MFA means the authentication credential cannot be captured and replayed by an adversary-in-the-middle attack. Only FIDO2/WebAuthn (hardware security keys and passkeys) meet this standard — the cryptographic challenge is bound to the origin domain, preventing authentication on any other site. TOTP authenticator apps, SMS OTP, and push notifications do not resist phishing — real-time AiTM attacks can forward these codes within their validity window.

What should I do immediately if I entered credentials on a phishing site?

Act immediately: (1) Navigate directly to the real site (type the URL) and change the password. (2) Revoke all active sessions in account security settings. (3) Check and restore any changed recovery email or phone number. (4) Enable or rotate MFA. (5) If financial credentials were involved, call your bank immediately using the number on the back of your card. (6) Report to NCSC at report@phishing.gov.uk and Action Fraud if financial loss occurred.

What is spear phishing?

Spear phishing is a targeted phishing attack where the attacker researches the victim specifically — using LinkedIn, company websites, social media, and breach data — and crafts a personalised email using the victim's name, role, colleagues, or current projects. Unlike mass phishing, spear phishing emails appear accurate and relevant. The same verification steps apply: verify the sender domain, check the URL before clicking, and navigate directly to any site rather than clicking email links.

How does credential stuffing differ from phishing?

Credential stuffing uses credentials the attacker already has from data breaches — testing them automatically against multiple services. Phishing actively collects new credentials by deceiving users into entering them on fake sites. Stuffing succeeds because of password reuse. Phishing succeeds because of deception. Unique passwords per account defend against stuffing. URL verification, phishing awareness, and FIDO2 MFA defend against phishing. Both defences together address the full threat landscape.

Is it safe to use the Credential Guard on this site?

Yes. All password generation uses crypto.getRandomValues() — the browser's CSPRNG backed by OS hardware entropy. Nothing is transmitted to any server. No passwords are stored anywhere by this site. Open DevTools (F12), go to the Network tab, clear existing entries, and generate a password — you will see zero network requests during generation. The site has no analytics, no tracking, and no advertising.

What is the golden rule for avoiding phishing?

Never click a link in an email to reach a login page. If an email says your bank, HMRC, Amazon, or any service requires action, navigate directly to the site by typing the address in the browser address bar. The phishing attempt ends the moment you navigate directly rather than clicking. This single habit, combined with unique passwords per account, eliminates the majority of phishing risk regardless of how convincing the email or page appears.

🛡️ Anti-Phishing Credential Guard

Know you're safe before you type.
Defend against phishing.

Generate strong unique passwords and learn the 5-step verification protocol that stops phishing before credentials are ever entered. Trusted by users who've been targeted — and by those who never want to be.

🛡️ Open Credential Guard Detect fake pages →

🎣

THREAT

PhishingFake login pages capture credentials in real time. 91% of cyberattacks start with a phishing email — NCSC 2025.

🔄

THREAT

Credential StuffingBreached passwords tested automatically across services. One reused password = every account at risk.

✅

The DefenceUnique generated passwords + 5-step login verification. Independently defeats both attack types.

🛡️ SOP-07 — Phishing-Aware Credential Guard

Generate · Verify · Stay safe

Client-side CSPRNG only
Zero transmission to any server

🛡️ trustypassword.com — credential guard

Standard20 chars

Email+4 chars

Social+2 chars

Work+4 chars

Banking+6 chars

Generate a password →

— — —

Length

Characters

A–Z a–z 0–9 !@#

          ✓ crypto.getRandomValues() — OS hardware entropy

          ✓ Zero network requests during generation

          ✓ Nothing stored by this site

Am I Safe? — 5-step protocol

complete before entering credentials anywhere

0/5

Tick each step before logging in anywhere

1. Domain verified
Read the address bar carefully. The root domain — before the first / — matches exactly what you expect, character by character.

2. HTTPS confirmed
The URL starts with https:// not http://. A padlock confirms encryption — not that the site is legitimate.

3. Password manager autofills
Your manager offered to fill credentials automatically — it only does this on the exact saved domain. No autofill = possible phishing.

4. No urgency tactics
"Act now or your account closes." Urgency is the primary phishing lever. Legitimate services don't require instant action via email link.

5. Navigated directly
You reached this page by typing the address or using a bookmark — not by clicking an email or SMS link.

💡 Golden rule: Never click an email link to reach a login page. Always type the address directly.

Why Trusty Password

Two threats. One coordinated defence.

The Credential Guard addresses both primary attack vectors simultaneously — the unique password defeats stuffing, the verification protocol defeats phishing.

🎣

Phishing awareness built in

The Am I Safe? checklist teaches the 5 verification steps alongside every generated password — building habits, not just credentials.

🔄

Credential stuffing defence

Each generated password is unique — a breach of any one site cannot compromise another account sharing a different password.

🔐

Password manager integration

Store generated passwords in a password manager. Autofill becomes your phishing detector — the manager won't fill on a fake domain.

📊

Phishing-resistant MFA guide

Learn which MFA methods actually resist phishing (FIDO2) and which don't (TOTP, SMS) — a critical distinction most guides miss.

MFA Phishing Resistance

Not all MFA protects against phishing

Real-time adversary-in-the-middle (AiTM) attacks can bypass TOTP, SMS, and push notification MFA. Only FIDO2/WebAuthn is categorically phishing-resistant.

MFA Method	Phishing-resistant	SIM swap-resistant	Why	NIST AAL
FIDO2/WebAuthn hardware key	✓ Yes	✓ Yes	Cryptographic origin binding — cannot authenticate on wrong domain	AAL3
Passkeys	✓ Yes	✓ Yes	Same origin binding, platform-managed	AAL2–3
TOTP authenticator app	✗ No	✓ Yes	6-digit codes forwardable in real-time AiTM attacks	AAL2
Push notification (Duo, MS)	✗ No	✓ Yes	MFA fatigue attacks — user approves under repeated prompts	AAL2
SMS OTP	✗ No	✗ No	Forwardable + SIM swap + SS7 interception	AAL1
Email OTP	✗ No	✗ No	Forwardable + requires email account not compromised	AAL1

Source: CISA Implementing Phishing-Resistant MFA · NIST SP 800-63B 2025

Complete Your Defences

Tools that strengthen the full protection stack

ℹAffiliate disclosure: Some links earn a small commission at no cost to you. We only recommend tools with genuine security merit. Full disclosure →

🔑 YubiKey 5 Series

FIDO2/WebAuthn hardware security key — the only MFA method that is cryptographically phishing-resistant. Used by Google, the UK government, and GCHQ-affiliated organisations. Works with Gmail, Outlook, GitHub, and most major services.

Shop YubiKey →

🗝️ 1Password

Independently audited password manager with phishing detection built in — the autofill system is domain-bound and alerts when you visit a site that differs from where credentials were saved.

Try 1Password →

🛡️ Proton Mail

End-to-end encrypted email reduces phishing risk from the platform side. Zero-knowledge architecture means email contents are not accessible to Proton even under legal request. Available with custom domain.

Try Proton →

About

Written by a cybersecurity awareness trainer

The guides and Credential Guard on this site are written by Sophie Laurent, a cybersecurity awareness trainer who has designed and delivered security awareness programmes for FTSE 250 companies, NHS trusts, and public sector organisations across the UK. Sophie specialises in translating technical threats into actionable guidance that non-technical employees and individuals can actually apply.

All content aligns with NCSC phishing guidance, CISA phishing-resistant MFA recommendations, and NIST SP 800-63B 2025.

About Sophie Laurent →

Trust Signals

✅

NCSC & CISA alignedAll guidance follows NCSC phishing guidance and CISA phishing-resistant MFA recommendations.

✅

Client-side CSPRNGcrypto.getRandomValues() exclusively. Zero transmission. Verify in DevTools.

✅

No tracking or analyticsZero advertising, zero fingerprinting, zero telemetry on this site.

✅

UK operatedKokal Operations Ltd, England & Wales. UK GDPR compliant.

FAQ

Frequently asked questions

Credential stuffing uses email-and-password pairs from data breaches to attempt logins on other services. If you reuse passwords, one breach exposes every account sharing that password. A unique generated password per account means a breach of one site has zero impact on any other — the most important single habit in account security.

A 5-step verification protocol to complete before entering credentials anywhere: (1) verify the domain name, (2) confirm HTTPS, (3) confirm password manager autofills, (4) check for urgency manipulation, (5) confirm you navigated directly rather than clicking an email link. Completing all five steps before each login eliminates the majority of phishing risk.

HTTPS encrypts the connection but does not verify that the server belongs to the organisation you intend. Phishing sites routinely obtain free TLS certificates — the padlock appears on fake login pages. The domain name must be verified independently of the padlock. Always check the root domain, not just the presence of HTTPS.

Only FIDO2/WebAuthn hardware keys and passkeys are cryptographically phishing-resistant — the credential is bound to the origin domain and cannot authenticate on any other site. TOTP, SMS OTP, push notifications, and email OTP do not resist phishing — real-time AiTM attacks can forward these codes within their validity window. CISA's guidance explicitly names FIDO2 as the standard for phishing-resistant MFA.

Act immediately: (1) Navigate directly to the real site and change the password. (2) Revoke all active sessions. (3) Check recovery email and phone haven't been changed. (4) Enable or rotate MFA. (5) If financial credentials, call your bank immediately. (6) Report to NCSC at report@phishing.gov.uk. See our full phishing response guide →

Password managers are domain-bound — they only autofill credentials on the exact domain where they were originally saved. On a phishing page (a different domain), the manager won't offer to fill. No autofill appearing for a site where you have saved credentials is a strong phishing signal. This works even when the fake page is visually perfect.

Never click a link in an email to reach a login page. If an email says your bank, HMRC, Amazon, or any service requires action, navigate directly to the site by typing the address in a new browser tab. The phishing attempt ends the moment you navigate directly rather than clicking. This single habit, combined with unique passwords, eliminates the majority of phishing risk.

Yes. All generation uses crypto.getRandomValues() — the browser's CSPRNG backed by OS hardware entropy. Nothing is transmitted to any server. No passwords are stored by this site. Open DevTools (F12) → Network → Clear → Generate to verify zero requests during generation.

All content aligns with NCSC Cyber Aware guidance, the NCSC Suspicious Email Reporting Service (report@phishing.gov.uk), NCSC guidance on phishing-resistant MFA, and CISA's Implementing Phishing-Resistant MFA factsheet. The Am I Safe? protocol is derived from NCSC login page verification guidance.

Spear phishing is a targeted attack where the attacker researches you specifically — using LinkedIn, company websites, and social media — to craft a personalised email. Unlike mass phishing, spear phishing emails contain accurate personal details and are significantly harder to spot. The same 5 verification steps apply: verify the domain before entering credentials regardless of how convincing the message.