Nearly every Canadian has heard about the August 2020 CRA data breach. If you haven't, you need to know about it. The repercussions of this stolen data will be felt for years. We are just starting to understand what has been stolen and how that will affect the thousands of Canadians whose accounts were hacked. How did this happen? How can you protect yourself?
The Canada Revenue Agency (the CRA) experienced 2 cybersecurity attacks in which thousands of user accounts were breached. This led to the CRA temporarily shutting down its online services in an attempt to protect Canadian taxpayer information. Unfortunately, the shutdown occurred after the attacks. This means any breached account could have had their tax info, SIN number, and other private data stolen without ever knowing it. It also means that while the CRA’s services are shut down, Canadians cannot apply for emergency COVID-19 support. As you can imagine, this is a BIG problem that compromises a lot of people’s livelihoods and privacy.
In the aftermath of the announcement of the cyberattacks, compromised users’ have been asking why the CRA did not do a better job of protecting their accounts/information, and the CRA has been telling people to just change their passwords. Instead of talking about what went wrong, we want to talk about how people can protect all of their accounts across the internet going forward. With the average person having over 100 accounts online (this number will only continue to grow with time), we need to start helping people understand what they can do to minimize the risk to their accounts.
What went wrong?
The type of cyberattack that the CRA has suggested resulted in the breaches is known as “credential stuffing.” “Credential stuffing” is when a hacker collects usernames and passwords from other website hacks around the world, assumes people are reusing their usernames and passwords for multiple websites, and simply attempts to use them on different websites to see if they work. They usually do. The average person reuses the same usernames and passwords across multiple accounts. In fact, about 80% of hacks are due to people reusing passwords across multiple accounts or using weak passwords.
Cybersecurity experts recommend that you use a different password for every account you have.
Think of your passwords as keys. You have different keys for your house, for your car, etc. We keep our keys safe. Why do we treat passwords so differently? Imagine using a single key for everything you owned. If you lost it, your entire life would be compromised. Passwords should be treated in the exact same way. That way, if one of your passwords is exposed, the rest of your accounts aren’t exposed. At least with a key, a person has to physically come and take your things. With a password, they can access all of your accounts from anywhere in the world, and most times you wouldn’t even know it. We are used to protecting our keys. Let’s start taking responsibility for our passwords and cybersecurity.
So, how can I keep my accounts safe?
Follow password etiquette. Yes, websites need to improve their security measures to protect their users but we cannot completely rely on them because every website has its own set of security measures. As an individual, there are things you can do to protect yourself. One of those things would be to practice proper password etiquette.
What is password etiquette?
No one can ever be completely secure BUT following proper password etiquette can help increase the security of your accounts and reduce the vulnerability of your passwords. Think of it the same way you would of traffic rules (ie. drive the speed limit, wear a seatbelt). When implemented correctly, they can increase your safety and reduce your risk. Proper password etiquette can be narrowed down to a few simple rules:
- Create a unique password for every account you have.
- Your passwords should be at least 12 characters long and use a mix of case-sensitive letters, numbers, and symbols. For example: X##l~3&8xM$
- Do not use personally identifiable information, names, or places as your password. These may be easy to remember but can easily be found online or guessed.
- Avoid using the same passwords that only change a single character. This ends up weakening your account security across multiple sites.
- Keep your passwords to yourself. DO NOT share them with others. If you absolutely must share them, don’t share them over email, text, or any communication through the internet.
If the average person has over 100 accounts, how am I supposed to keep track of every single account if I follow these password guidelines?
This is where the ultimate problem lies. How can anyone possibly keep track of 100 different usernames and passwords? If you can remember them, good on you. Another option would be to write them down but this becomes increasingly difficult to manage and keep track of. It’s also not secure. Anyone can read your passwords if they are written down.
Use a password manager.
A password manager is a software application designed to store and manage all of your usernames/passwords. Those passwords are stored in an encrypted database. You can access your database whenever you need a password. As our lives increasingly move online, more people are using password managers.
In addition to storing your usernames and passwords, password managers will also organize your passwords, come with built-in search tools to help you easily find the ones you need and most of them also have built-in password generators that will help you create unique, strong passwords whenever you need to. This means you don’t have to waste time and energy trying to come up with them on your own.
So, how are you keeping your accounts safe? Are you reusing the same password for multiple accounts? Are all of your passwords at least 12 characters long and a mix of letters, symbols, and numbers?