The Privacy Commissioner of Canada has recently released some tips for mitigating password-related risks to businesses. One main problem is that individuals use the same password for multiple accounts, which puts them at a much higher risk of experiencing a breach. It has become so problematic that the Privacy Commissioner of Canada is urging individuals to stop reusing passwords, and is also encouraging businesses to require employees to reset their passwords.
What are the risks? Businesses are mainly affected when they provide customer accounts with login credentials, because the customers could be reusing a password from another site. Similarly, employees may have used their work password on some other site. The problem is that if wrongdoers learn of these passwords in other contexts, they can then use the same login information to access the employer’s entire network.
In fact, the Office of the Privacy Commissioner has received a number of breach reports from companies that believe their systems have been accessed by individuals using valid customer or employee login information.
The Commissioner suggests that the simple way to prevent these types of password reuse breaches is to not reuse passwords. Furthermore, the Commissioner suggests that businesses have a role to play: it is strongly recommended that they require employees to change their work passwords if they have ever used that same password anywhere else.
Clearly, it is important to not use the same password for different websites, accounts, and devices. However, this is not the only means of protection; there are other lines of defence. For instance, it is important to encourage employees not to make obvious password choices (names of pets, names of children, etcetera), and not to make passwords too simple (it is encouraged to use more than eight characters, with a combination of letters, numbers and symbols). In cases where the passwords are extremely complicated, they can be written down and stored in a secure location offline. It is also recommended to carefully scrutinize applications that store all of a user’s passwords for ease of use, and to make deliberate decisions about whether to rely on them.
The Privacy Commissioner also recommends some important means of defence for employees who access work accounts remotely. Some include: allowing remote logins only from trusted IP addresses; using a Virtual Private Network (VPN); requiring additional security questions; and requiring Multi-Factor Authentication (especially for those with administrative privileges).
Unfortunately, given the current threat environment, businesses must be vigilant when it comes to protecting themselves from breaches. This is where the important task of monitoring comes into play. Employers are advised to monitor employee account logins for unusual patterns of access. For example, repeated logins in the middle of the night, or logins from IP addresses in other countries, could be a red flag.
One important step that employers are advised to take is informing customers and employees about the risks and offering solutions. Practically speaking, it is very common for people to use the same password (some people will readily admit that they have used the same password for every account for 20 years!) because it is simple, and remembering multiple passwords is overwhelming. The goal must be to balance security with ease of use for customers and employees, and employers are advised to find ways to increase security while maintaining a positive employee/customer user experience.
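As an added illustration of the two points above (restricting remote logins to trusted IP addresses, and monitoring logins for off-hours access and foreign source addresses), the following Python script runs those checks over a handful of constructed login records. It is example code written for this page, not a tool from the Privacy Commissioner; the log lines, the trusted-network allowlist, the IP-to-country table (documentation address ranges standing in for a real geolocation lookup), the "home country" of CA and the 00:00–05:00 off-hours window are all assumptions chosen for the demonstration, and timestamps are assumed to be in the employee's local time.

```python
"""
Detect red-flag logins of the kind described above:
  * repeated logins in the middle of the night
  * logins from IP addresses located in another country
and check whether a remote login came from a trusted network.

Added example; all data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log: "<ISO timestamp> <user> <source ip> <result>"
SAMPLE_LOG = """\
2024-03-04T09:12:44 alice 203.0.113.10 success
2024-03-04T02:51:03 alice 203.0.113.10 success
2024-03-04T03:07:19 alice 198.51.100.7 success
2024-03-04T03:09:40 alice 198.51.100.7 success
2024-03-04T14:30:00 bob 192.0.2.55 success
2024-03-05T01:15:22 carol 203.0.113.44 failure
"""

# Assumed allowlist for remote access (e.g. the office and VPN egress ranges).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/24")]

# Constructed stand-in for a geolocation service. These are documentation
# ranges (RFC 5737); "XX" is a placeholder for some foreign country.
COUNTRY_BY_NETWORK = {
    ip_network("203.0.113.0/24"): "CA",
    ip_network("192.0.2.0/24"): "CA",
    ip_network("198.51.100.0/24"): "XX",
}

HOME_COUNTRY = "CA"                         # assumed expected country
OFF_HOURS_START, OFF_HOURS_END = time(0, 0), time(5, 0)  # assumed window
OFF_HOURS_THRESHOLD = 2                     # "repeated" = two or more


def allowed_remote_source(ip: str) -> bool:
    """Policy check: is this source address inside a trusted network?"""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def country_for(ip: str) -> str:
    """Map a source address to a country code via the constructed table."""
    addr = ip_address(ip)
    for net, country in COUNTRY_BY_NETWORK.items():
        if addr in net:
            return country
    return "UNKNOWN"


def is_off_hours(dt: datetime) -> bool:
    """True when the login time falls in the night-time window."""
    return OFF_HOURS_START <= dt.time() < OFF_HOURS_END


def parse_line(line: str) -> dict:
    ts, user, ip, result = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "result": result}


def find_red_flags(log_text: str) -> list:
    """Return (user, reason) tuples for successful logins that match
    either pattern. Failed attempts are ignored here because the text is
    about access gained with valid credentials."""
    flags = []
    off_hours = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] != "success":
            continue
        country = country_for(ev["ip"])
        if country != HOME_COUNTRY:
            flags.append((ev["user"],
                          f"login from {country} ({ev['ip']}) "
                          f"at {ev['time'].isoformat()}"))
        if is_off_hours(ev["time"]):
            off_hours[ev["user"]] += 1
    for user, n in off_hours.items():
        if n >= OFF_HOURS_THRESHOLD:
            flags.append((user, f"{n} logins between "
                                f"{OFF_HOURS_START:%H:%M} and {OFF_HOURS_END:%H:%M}"))
    return flags


def flagged_users(log_text: str) -> set:
    """Distinct users with at least one red flag."""
    return {user for user, _ in find_red_flags(log_text)}


if __name__ == "__main__":
    for user, reason in find_red_flags(SAMPLE_LOG):
        print(f"[review] {user}: {reason}")
    print("198.51.100.7 allowed for remote login?",
          allowed_remote_source("198.51.100.7"))
```

Run against the constructed sample, the script flags alice three times (two logins from the foreign range and three night-time logins in total) and leaves bob and carol alone; the same foreign address also fails the trusted-network check, showing how the allowlist from the previous paragraph would have blocked that session before monitoring ever saw it. In a real deployment the country lookup would come from a geolocation database and the off-hours window from each employee's working pattern.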
For more information regarding this topic, please refer to the Privacy Commissioner’s self-assessment tool for organizations.