Password Reuse a Significant Risk Factor for Security Breaches


Canada’s Office of the Privacy Commissioner (OPC) is taking steps to try to prevent security breaches that involve the use of valid usernames and passwords. The OPC is urging individuals to stop reusing passwords, and advising businesses to require employees to reset passwords. This is an attempt to curb a recent trend involving security breaches of this type.

In recent months, the OPC has received several breach reports from companies that suspect their systems were accessed by individuals using valid customer or employee login data. It’s believed the criminals had obtained the data from previous, unrelated breaches that resulted in username and password combinations being published online.

“There’s a simple way for individuals to prevent these types of password reuse breaches: Don’t reuse passwords,” Commissioner Daniel Therrien says.

“Businesses also have a role to play. They should require employees to change their work passwords if they’ve ever used the same one elsewhere. Companies should also remember that an employee’s password should not be their only line of defense against online intruders.”

Other precautions, such as multifactor authentication for those accessing company servers remotely and monitoring for unusual employee login behaviour, are also important, he says.

Besides not using the same password for different websites, accounts and devices, individuals and employees are also reminded to consider several best practices when selecting passwords:

  • Avoid obvious choices such as mother’s maiden name, child’s name, pet’s name or any reference someone may be able to guess through information you have posted elsewhere;
  • Make them eight or more characters;
  • Use a combination of letters, numbers and symbols;
  • If you need to write them down to remember them, keep them offline in a secret, secure, locked place.

The OPC has also prepared a new tip sheet for businesses to help them mitigate the risk of password reuse.

The Office has also had discussions with the Retail Council of Canada, which is working to increase awareness of the issue.

“We know that businesses have systems in place to monitor unusual online activity to protect the privacy of their customers, and these recent incidents are an important reminder of the risks that exist and the need for constant vigilance. It also highlights the need for Canadians to take appropriate steps to protect themselves from fraud and to protect their personal information,” says Caroline Hubberstey, Senior Vice President, communications and member relations at the Retail Council of Canada.

The companies that have recently reported breaches involving password reuse attacks to the OPC have notified affected customers. All are working cooperatively with the OPC as they determine the details of what occurred and how best to mitigate the situation.


Carlos Casanova


Carlos Casanova is an internationally known speaker, IT architect, leadership advisor, and co-author of The CMDB Imperative. He has over two decades of hands-on experience guiding CIOs and Sr. Leadership to achieve effective IT operations and improve ROI from infrastructure investments. His expansive experience enables him to quickly assess their true needs and achieve better business outcomes. He takes the complexity out of today's cluttered IT and business environments to simplify their goals in order to accelerate achievement and success.