Tips for mitigating password reuse risk

July 2017

Every organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) is required to ensure that personal information is protected by security safeguards appropriate to the sensitivity of the information.  Depending on your circumstances, you may well need more protections against unauthorized access than just your customers’ and employees’ passwords.

The Risk to your Business

For businesses, password reuse presents risks to you and your customers/users in two ways: 

  • If your business provides customer accounts with login credentials.  In this case, if your customers/users reuse a password that has been compromised from another site, attackers could gain access to individual customer accounts.
  • If your employees have reused their work account password elsewhere.  In this case attackers could gain access to your business’s entire network.

How to Mitigate this Risk

There are a range of security measures that businesses of any size can implement to mitigate the risk from employees or customers re-using their passwords.  Businesses may also want to consider signing-up to receive alerts, bulletins or newsletters on cyber threats, either general or specific to your industry.  Also consider sharing your own experiences with other businesses in your community or industry — forewarned is forearmed!

Here are some tips to help organizations assess and mitigate the risk of password reuse:

Mitigating Risks of Password Reuse by Employees:

An employee’s password should not be your business’s only line of defense against online intruders. 

  • Change Reused Passwords: Strongly encourage your employees to change their work passwords if they have ever used that password elsewhere.
  • Secure Access: If employees can access their work accounts remotely, there are ways you can control access to reduce your cyber-risk while still meeting your operational needs.  For instance, you could:
    • Allow remote logins only from trusted IP addresses
    • Use a Virtual Private Network (VPN)
    • Require additional security questions
    • Require Multi-Factor Authentication (strongly recommended for employees with administrative privileges)
  • Monitor: Monitoring employee account log-ins for unusual patterns is a key protection against employee password reuse risk.  Some of the dangers from cyber-attacks occur when unusual patterns of access — like repeated logins in the middle of the night, or logins from IP addresses in other countries — go unnoticed.

Questions to Ask:  Does your business have access logging turned on and retained for an adequate period to detect trends?  Is your business regularly reviewing these logs for unusual access patterns?   

Mitigating Risks of Password Reuse by Customers:

  • Alert them to the Risk: Remind your customers/users not to use the same password on your site and other sites.
  • Suggest Solutions: Consider suggesting alternative ways to manage password overload. Multiple passwords are hard to remember and manage, but to minimize the chance of forgetting, a list of passwords could be stored in a secure offline place.
  • Assess Impact: The stringency of authentication processes should be commensurate with the risks to the organization as well as to the individual. The higher the risks, the higher the assurances your organization will likely need to authorize access or transactions.  Assessing these risks will help you determine what additional protections are appropriate beyond customers’ passwords. 

Questions to Ask:  How much harm could happen to your business or to individuals if it fell into the hands of attackers?  Could it lead to identity theft, fraudulent purchases or reputational harm to individuals?

  • Layer authentication: When customers’ passwords are protecting sensitive and/or large amounts of personal information, consider adding a layer of authentication, like security questions or multi-factor authentication.  The added layer of authentication can be implemented either across the board, or more selectively, such as when a user logs-in from an unusual IP address, or displays other unusual behaviour.
  • Monitor: The authentication process should maintain reliable audit records of authentication transactions.  This can allow you to use monitoring applications to watch for signs of automated login attempts, such as attempts to login to large numbers of accounts from a single IP address.  It can also help you demonstrate compliance with applicable privacy laws.
  • Limit impact: There are also steps you can take to mitigate potential damage if an attacker does get into a customer’s account.  Put yourself in the shoes of an attacker.  What actions might they try to take if they got into one of your customers’ accounts? For instance, attackers may change contact information so that future communications from your business (that might alert the customer to the attack) go to the attacker instead of the customer.  Sending automated emails to customers’ previous address to confirm that their contact information or password has been changed, etc. can help customers identify unauthorized activity and let you know more quickly.

Guidance documents and relevant information sources

Date modified: