Model Inputs
Use realistic attack, control, and cost assumptions. The calculator updates on submit and places the result above this form.
Formula Used
1) Exposed Reused Accounts
Exposed Reused Accounts = Exposed Credentials × Credential Reuse Rate
This estimates how many accounts may still match passwords already circulating in breach collections.
2) Attack Coverage
Attack Coverage = min(1, (Login Attempts ÷ Attempts per Account) ÷ Total Accounts)
Coverage is the fraction of the user base the campaign can actually test: the attempt budget divided by attempts per account gives the number of accounts the attacker can reach, and the min() caps it at 1 once the budget exceeds the account population.
3) Effective Success Rate
Effective Success Rate = Base Success × (1 − Detection) × (1 − Lockout) × (1 − MFA Coverage × MFA Stop Rate)
Each control term removes the share of attempts or takeovers it blocks once the attacker reaches candidate accounts. The MFA term only removes takeovers on the covered share of accounts, so any coverage below 100% leaves a residual success rate even with a high stop rate.
4) Expected Compromised Accounts
Expected Compromised = Exposed Reused Accounts × Attack Coverage × Effective Success Rate
This is the main operational estimate for likely successful account takeovers.
5) Total Loss
Total Loss = ((Compromised × Account Value × Sector Multiplier) + (Compromised × Reset Cost) + Fixed Response Cost) × Reputation Multiplier
This blends direct monetary exposure with support effort and wider recovery impact.
6) Risk Score
Risk Score = weighted sum of five components: exposure, attack pressure, control gap, success rate, and impact (the component weights are not published on this page)
The score is normalised to a 0 to 100 range and banded as Low, Moderate, High, or Critical using the thresholds listed in the FAQ below.
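The following block is an added worked example, not the calculator's own code. It implements formulas 1 to 5 exactly as stated above and the Low/Moderate/High/Critical bands from the FAQ; the risk-score weights are not published on this page, so the score itself is not computed. The scenario values, the input validation, and the MFA-coverage sweep are assumptions added here to show how the terms interact, in particular how much residual takeover remains when MFA stops 90% of attempts on covered accounts but coverage is incomplete.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Inputs:
    """Calculator inputs. Rates are fractions in [0, 1], not percentages."""
    total_accounts: int
    exposed_credentials: int     # credentials for this platform seen in breach collections
    reuse_rate: float            # share of exposed credentials still valid here
    login_attempts: int          # total attempts the campaign can make
    attempts_per_account: float  # attempts the attacker spends per candidate account
    base_success: float          # success rate for a reused valid credential, no controls
    detection_rate: float        # share of attempts bot detection blocks
    lockout_rate: float          # share of attempts lockout / throttling blocks
    mfa_coverage: float          # share of accounts enrolled in MFA
    mfa_stop_rate: float         # share of takeovers MFA stops on covered accounts
    account_value: float         # direct monetary value per compromised account
    sector_multiplier: float
    reset_cost: float            # support cost per compromised account
    fixed_response_cost: float   # incident handling cost regardless of count
    reputation_multiplier: float


def variant(i: Inputs, **changes) -> Inputs:
    """Copy of the inputs with some fields changed (for what-if comparisons)."""
    return replace(i, **changes)


def validate(i: Inputs) -> list:
    """Return a list of problems the formulas cannot tolerate; empty means valid."""
    problems = []
    if i.total_accounts <= 0 or i.attempts_per_account <= 0:
        problems.append("total_accounts and attempts_per_account must be positive")
    for name in ("reuse_rate", "base_success", "detection_rate", "lockout_rate",
                 "mfa_coverage", "mfa_stop_rate"):
        v = getattr(i, name)
        if not 0.0 <= v <= 1.0:
            problems.append(f"{name} must be a fraction in [0, 1], got {v}")
    return problems


def exposed_reused_accounts(i: Inputs) -> float:
    # Formula 1
    return i.exposed_credentials * i.reuse_rate


def attack_coverage(i: Inputs) -> float:
    # Formula 2: attempt budget / attempts per account = accounts reachable,
    # capped at the whole user base.
    return min(1.0, (i.login_attempts / i.attempts_per_account) / i.total_accounts)


def effective_success_rate(i: Inputs) -> float:
    # Formula 3: each control removes the share it blocks; the MFA term only
    # removes takeovers on the covered share of accounts.
    return (i.base_success
            * (1 - i.detection_rate)
            * (1 - i.lockout_rate)
            * (1 - i.mfa_coverage * i.mfa_stop_rate))


def expected_compromised(i: Inputs) -> float:
    # Formula 4
    return exposed_reused_accounts(i) * attack_coverage(i) * effective_success_rate(i)


def total_loss(i: Inputs) -> float:
    # Formula 5
    c = expected_compromised(i)
    direct = c * i.account_value * i.sector_multiplier
    support = c * i.reset_cost
    return (direct + support + i.fixed_response_cost) * i.reputation_multiplier


def classify_risk(score: float) -> str:
    """Bands from the FAQ: <35 Low, 35-54.99 Moderate, 55-74.99 High, >=75 Critical."""
    if score < 35:
        return "Low"
    if score < 55:
        return "Moderate"
    if score < 75:
        return "High"
    return "Critical"


def mfa_coverage_sweep(i: Inputs, steps=(0.0, 0.25, 0.5, 0.75, 1.0)) -> dict:
    """Expected compromised accounts at each MFA coverage level, other inputs fixed."""
    return {c: expected_compromised(variant(i, mfa_coverage=c)) for c in steps}


# Constructed scenario: assumed values for illustration, not taken from the page's table.
SCENARIO = Inputs(
    total_accounts=120_000, exposed_credentials=24_000, reuse_rate=0.20,
    login_attempts=600_000, attempts_per_account=10,
    base_success=0.50, detection_rate=0.50, lockout_rate=0.30,
    mfa_coverage=0.55, mfa_stop_rate=0.90,
    account_value=150.0, sector_multiplier=1.5, reset_cost=25.0,
    fixed_response_cost=20_000.0, reputation_multiplier=1.2,
)

if __name__ == "__main__":
    for p in validate(SCENARIO):
        raise SystemExit(p)
    print(f"exposed reused accounts: {exposed_reused_accounts(SCENARIO):.0f}")
    print(f"attack coverage:         {attack_coverage(SCENARIO):.2f}")
    print(f"effective success rate:  {effective_success_rate(SCENARIO):.4f}")
    print(f"expected compromised:    {expected_compromised(SCENARIO):.1f}")
    print(f"total loss:              {total_loss(SCENARIO):,.2f}")
    for cov, n in mfa_coverage_sweep(SCENARIO).items():
        print(f"  MFA coverage {cov:.0%}: {n:.1f} compromised accounts")
```

With these assumed inputs the campaign reaches half the user base, the controls cut the base success rate from 0.50 to about 0.088, and roughly 212 accounts are expected to fall. The sweep shows why the MFA term matters more than any single rate: taking coverage from 55% to 100% drops the estimate to about 42, but it never reaches zero while the stop rate is below 1, which is the residual risk FAQ question 4 describes.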
How to Use This Calculator
- Enter your estimated total account population.
- Add the number of exposed credentials known in breach lists.
- Estimate the credential reuse rate: the share of exposed credentials whose password is also used on your platform.
- Model the attacker campaign using login attempts and attempts per account.
- Set the uncontrolled success rate for reused valid credentials.
- Fill in MFA coverage, MFA stop rate, bot detection, and lockout strength.
- Enter direct financial value, support cost, and fixed response cost.
- Choose a sector multiplier and reputation multiplier for broader impact.
- Press Calculate Risk to see the result above the form.
- Use the CSV or PDF buttons to export the current result summary.
Example Data Table
The rows below are illustrative. They show only a subset of the inputs (login attempts, attempts per account, base success, lockout, and MFA stop rate are omitted), so the Expected Compromised column cannot be reproduced from this table alone.
| Scenario | Total Accounts | Exposed Credentials | Reuse Rate | MFA Coverage | Detection Rate | Expected Compromised | Risk Level |
|---|---|---|---|---|---|---|---|
| Low control gap | 50,000 | 8,000 | 12% | 85% | 78% | 14 | Low |
| Growing exposure | 120,000 | 24,000 | 20% | 55% | 50% | 287 | Moderate |
| Weak protection | 200,000 | 60,000 | 28% | 35% | 32% | 1,813 | High |
| Critical campaign | 350,000 | 120,000 | 32% | 18% | 16% | 7,140 | Critical |
Frequently Asked Questions
1) What does this calculator estimate?
It estimates credential stuffing exposure, likely compromised accounts, takeover rate, expected loss, and an overall risk score from your attack and control assumptions.
2) Why is credential reuse important?
Credential stuffing works when users reuse passwords across services. Higher reuse means more breached credentials remain valid on your platform.
3) How should I estimate base success rate?
Use historical attack telemetry, red team results, or vendor benchmarks. It represents success before blocking, throttling, and MFA reduce attacker progress.
4) Does MFA always stop credential stuffing?
No. MFA sharply lowers takeover risk, but incomplete coverage, weaker factors, session theft, and prompt fatigue can still leave residual risk.
5) What is the sector sensitivity multiplier?
It scales direct account value for industries where compromise is more expensive, such as finance, healthcare, privileged administration, or critical services.
6) How is the risk score interpreted?
Scores below 35 are Low, 35 to 54.99 are Moderate, 55 to 74.99 are High, and 75 or more are Critical.
7) Can I use this for executive reporting?
Yes. The outputs are compact enough for briefings and board updates, especially when paired with assumptions, recent incidents, and control improvement plans.
8) Is this a replacement for real telemetry?
No. It is a planning model. Actual logs, bot management data, fraud analytics, and incident records should refine every important assumption.