Language selection


News release

‘Don’t reuse passwords,’ Privacy Commissioner warns

Recent trend in breaches raises alarm; serves as reminder that individuals who use the same password for multiple accounts are at increased risk

GATINEAU, Quebec, July 18, 2017 – The Office of the Privacy Commissioner of Canada (OPC) is urging individuals to stop reusing passwords, and businesses to require employees reset their passwords, in order to curb a recent trend involving similar breaches.

In recent months, the OPC has received several breach reports from companies that suspect their systems were accessed by individuals using valid customer or employee login data. It’s believed the criminals had obtained the data from previous, unrelated breaches that resulted in username and password combinations being published online.

“There’s a simple way for individuals to prevent these types of password reuse breaches: Don’t reuse passwords,” Commissioner Daniel Therrien says.

“Businesses also have a role to play. They should require employees to change their work passwords if they’ve ever used the same one elsewhere. Companies should also remember that an employee’s password should not be their only line of defense against online intruders.”

Other precautions, such as multifactor authentication for those accessing company servers remotely and monitoring for unusual employee login behaviour are also important, he says.

Besides not using the same password for different websites, accounts and devices, individuals and employees are also reminded to consider several best practices when selecting passwords:

  • Avoid obvious choices such as mother’s maiden name, child’s name, pet’s name or any reference someone may be able to guess through information you have posted elsewhere;
  • Make them eight or more characters;
  • Use a combination of letters, numbers and symbols;
  • If you need to write them down to remember them, keep them offline in a secret, secure, locked place.

The OPC has also prepared a new tip sheet for businesses to help them mitigate the risk of password reuse.

The Office has also had discussions with the Retail Council of Canada, which is also working to increase awareness of the issue.

“We know that businesses have systems in place to monitor unusual online activity to protect the privacy of their customers, and these recent incidents are an important reminder of the risks that exist and the need for constant vigilance. It also highlights the need for Canadians to take appropriate steps to protect themselves from fraud and to protect their personal information,” says Caroline Hubberstey, Senior Vice President, communications and member relations at the Retail Council of Canada.   

The companies that have recently reported breaches involving password reuse attacks to the OPC have notified affected customers. All are working cooperatively with the OPC as they determine the details of what occurred and how best to mitigate the situation.

About the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law.

- 30 -

For more information:

Report a problem or mistake on this page
Error 1: No selection was made. You must choose at least 1 answer.
Please select all that apply (required):


Date modified: