Many of us are putting our personal information and identities at risk with our unsafe online behaviour. This was evidenced by the security breach announced by the Canadian Revenue Agency last week.
The CRA announced that thousands of accounts were breached, causing the temporary shutdown of many of the agency’s online services. Fraudsters changed the email addresses associated with those accounts and attempted to reroute direct deposit payments to their own accounts.
The most common tool scammers use to access accounts is called ‘credential stuffing.’ This means they acquire usernames and passwords through phishing schemes or previous leaks and hacks, and create automated attacks reusing these logins across online platforms.
It only works – they only gain access to your account – if you make one critical online security mistake: using the same password for multiple services.
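The replay pattern described above (one source working through many leaked username/password pairs, most of them failing) is exactly what a service operator can look for in its own login logs. The Python below is an added example, not code from the article or from the CRA; the log line format, the sample events and the thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). The first source cycles through
# many different accounts in seconds and mostly fails; the others look like
# ordinary users mistyping their own password.
SAMPLE_LOG = """\
2020-08-15T10:00:01 ip=203.0.113.7 user=alice result=fail
2020-08-15T10:00:03 ip=203.0.113.7 user=bob result=fail
2020-08-15T10:00:05 ip=203.0.113.7 user=carol result=success
2020-08-15T10:00:07 ip=203.0.113.7 user=dave result=fail
2020-08-15T10:00:09 ip=203.0.113.7 user=erin result=fail
2020-08-15T10:00:11 ip=203.0.113.7 user=frank result=fail
2020-08-15T10:01:00 ip=198.51.100.4 user=grace result=fail
2020-08-15T10:01:20 ip=198.51.100.4 user=grace result=fail
2020-08-15T10:01:40 ip=198.51.100.4 user=grace result=success
2020-08-15T12:30:00 ip=192.0.2.9 user=heidi result=success
"""

# Assumed log format: "<iso timestamp> ip=<addr> user=<name> result=success|fail"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$")

def parse_log(text):
    """Yield (timestamp, ip, user, result) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]

def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, inside any `window`, try at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.
    A burst like that is the signature of automated credential replay, and
    any success inside it is an account to lock and notify, not a normal login."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "fail")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                if len(users) > flagged.get(ip, {}).get("distinct_users", 0):
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(span), "failures": fails}
    return flagged
```

Running `find_stuffing_sources(SAMPLE_LOG)` flags only 203.0.113.7; the two users who fumbled their own password are left alone because they touched a single account.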
The Treasury Board’s Office of the Chief Information Officer revealed that this was how the breach at the CRA occurred. “These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”
A 2018 study of over 28 million user accounts and their passwords found that more than half of users (52 per cent) had the same passwords (or related and easy-to-hack passwords) for multiple online services. Passwords can be difficult to remember, and we all have so many of them now. It can be tempting to use the same or very similar ones for all of our accounts.
However, it is important to have different passwords for each of your online accounts. Hacks and leaks are happening with increasing frequency. You don’t want to make it easy for crooks to access all of your online information and services at once.
Even if you use a particularly strong password for sensitive accounts like the CRA or online banking, you can still be at risk if you use less secure passwords for your more casual accounts. This is because the password recovery settings for one account usually include verification from another. For example, if hackers have access to your principal email account, it can frequently be used to reset the credentials to other services.
Use separate, hard-to-guess passwords for each of your online accounts. The most secure passwords use a combination of uppercase and lowercase letters as well as numbers and special characters ($peci@lCh@ract3rs).
Be sure to stay away from the most common passwords that are still all too frequently used.
Protect yourself online. Change your passwords regularly and don’t reuse them between services. Here is a formula you can use to generate memorable, distinct passwords – and motivate yourself at the same time.