CRA incidents highlight the need for better password hygiene

This month, we saw the CRA shut down its site after attackers gained access to thousands of accounts and were able to redirect CERB payments. The incident highlights how important it is for businesses, including governments, and for individuals to protect their digital data.


Identifying attacks against individual accounts requires new tools and analysis to stay ahead of attackers.


For people, the focus should be on password hygiene. Current reports indicate that the perpetrators used credential stuffing to gain access to accounts. Credential stuffing is a method where attackers take lists of usernames and passwords leaked in earlier breaches of one site and try those same credentials on a new target until they find matches.
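The defining signal of credential stuffing, from the defender's side, is one source trying a single leaked password against many different accounts, rather than many passwords against one account. The script below is an added example (not from the original post) that flags such sources in a constructed authentication log; the log format, the sample lines, the IP addresses and the `min_distinct_users` threshold are all assumptions made for illustration.

```python
"""Toy credential-stuffing detector over constructed authentication log lines.

Added example, not from the original post. The log format, thresholds and
sample lines are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LOG_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample log: 203.0.113.5 cycles through many distinct accounts
# (stuffing pattern); 198.51.100.7 is one user mistyping their own password.
SAMPLE_LOG = """\
2020-08-15T10:00:01 ip=203.0.113.5 user=alice result=fail
2020-08-15T10:00:02 ip=203.0.113.5 user=bob result=fail
2020-08-15T10:00:02 ip=203.0.113.5 user=carol result=ok
2020-08-15T10:00:03 ip=203.0.113.5 user=dave result=fail
2020-08-15T10:00:03 ip=203.0.113.5 user=erin result=fail
2020-08-15T10:00:04 ip=203.0.113.5 user=frank result=ok
2020-08-15T10:01:00 ip=198.51.100.7 user=alice result=fail
2020-08-15T10:01:05 ip=198.51.100.7 user=alice result=fail
2020-08-15T10:01:09 ip=198.51.100.7 user=alice result=ok
"""


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not match
    the constructed format are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "ok"})
    return events


def find_stuffing_sources(events, min_distinct_users=5):
    """Return {ip: summary} for source IPs that attempted logins against at
    least `min_distinct_users` different accounts.

    A brute-force attack hammers one account with many passwords; credential
    stuffing tries one leaked password per account across many accounts, so
    the distinguishing signal is the number of *distinct usernames* seen from
    a source, not the failure count on a single account. Successful logins
    from a flagged source are the accounts that need a forced password reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": set()})
    for e in events:
        rec = per_ip[e["ip"]]
        rec["users"].add(e["user"])
        rec["attempts"] += 1
        if e["ok"]:
            rec["successes"].add(e["user"])

    flagged = {}
    for ip, rec in per_ip.items():
        if len(rec["users"]) >= min_distinct_users:
            flagged[ip] = {
                "distinct_users": len(rec["users"]),
                "attempts": rec["attempts"],
                "compromised": sorted(rec["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed log this flags only 203.0.113.5 (six distinct accounts, two of them logged in successfully) and leaves the single user on 198.51.100.7 alone. In a real deployment the per-IP grouping should be widened to per-ASN or per-user-agent buckets, since stuffing tools spread attempts across proxies.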


From a human perspective, credential stuffing can be prevented by following simple password management rules.

Unique passwords

  • Each service requires a unique password.

  • Unique passwords should not follow a pattern. For example, P@sswordFacebook for your Facebook account and P@sswordGmail for your Gmail account is not enough of an improvement over P@ssword.

Never Reuse Passwords

  • Many security professionals agree that changing passwords every 90 days is no longer necessary. Today, if passwords are unique, complex, and protected by 2FA, changing them once a year, or only when a breach is possible, is acceptable.

  • When changing passwords, start from scratch. Adding a '#' to the end of your current password, or changing a '!' to a '@', is not enough.

Password Length

  • At a minimum, password length should be at least eight characters per NIST, but we recommend at least 10. The extra length helps ensure that your passwords are genuinely unique and hard to guess.

Password Complexity

  • Using random passwords is ideal, but using one random password on multiple sites is not the solution. We recommend longer passwords built from random words and phrases so they are memorable without being easily guessable. We then use a password manager to maintain a list of random passwords for other services.

Password Manager

  • The burden of remembering many passwords leads to some of the lousy password habits that we regularly see. A password manager can help ease the burden. Find a tool to manage unique passwords and simplify the process. As always, we recommend Dashlane for its fantastic interface and dedication to security.

  • Are you writing your passwords in a book? Password management on paper is likely protecting you from your primary enemy, the internet, but be sure that no one else has access to it. Lock it up at home and make sure only you know where it is.

  • In the business environment, we recommend Single Sign-On solutions to help simplify the login process.
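The rules above can be enforced at password-change time rather than left to memory. The checker below is an added example (not from the original post, and not any product's code) that turns three of them into code: the 10-character minimum the post recommends, the "adding a '#' or swapping a '!' for a '@' is not enough" rule, and the "P@sswordFacebook / P@sswordGmail" pattern rule. The similarity threshold, the shared-stem length and the leet-substitution table are assumptions chosen for illustration.

```python
"""Added example (not from the original post): a password-change checker
that rejects trivial tweaks and cross-service patterns.

MAX_SIMILARITY, SERVICE_STEM_LEN and the substitution table are assumed
values picked for illustration, not a published standard.
"""
import difflib
import re

MIN_LENGTH = 10          # the post recommends at least 10 (NIST minimum is 8)
MAX_SIMILARITY = 0.6     # assumed: above this the "new" password is just a tweak
SERVICE_STEM_LEN = 6     # assumed: a shared stem this long across services is a pattern

# Assumed symbol-for-letter swaps so that P@ssword and p4ssword compare equal.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "$": "s", "5": "s", "3": "e"})


def normalize(pw):
    """Lower-case, undo common symbol swaps and drop punctuation, so the
    comparison sees the underlying stem rather than cosmetic changes."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(_LEET))


def similarity(a, b):
    """Ratio in [0, 1] of matching characters between two strings."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def is_trivial_variant(old, new):
    """True when `new` is `old` with a symbol appended or swapped, a case
    change, or a leet substitution, which the post says is 'not enough'."""
    return max(similarity(old, new), similarity(normalize(old), normalize(new))) > MAX_SIMILARITY


def follows_service_pattern(new, other_passwords):
    """True when `new` shares a long common stem with a password already
    used on another service (e.g. P@sswordFacebook vs P@sswordGmail)."""
    n = normalize(new)
    for other in other_passwords:
        o = normalize(other)
        match = difflib.SequenceMatcher(None, n, o).find_longest_match(0, len(n), 0, len(o))
        if match.size >= SERVICE_STEM_LEN:
            return True
    return False


def check_new_password(new, old=None, other_passwords=()):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if old is not None and is_trivial_variant(old, new):
        problems.append("trivial variant of the previous password")
    if follows_service_pattern(new, other_passwords):
        problems.append("shares a stem with a password used on another service")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the post's own examples.
    print(check_new_password("P@ssword#", old="P@ssword"))
    print(check_new_password("P@sswordGmail", other_passwords=["P@sswordFacebook"]))
    print(check_new_password("correct horse battery staple", old="P@ssword",
                             other_passwords=["P@sswordFacebook"]))
```

The normalisation step is what catches the '!' to '@' swap: both characters are stripped (or mapped to the same letter) before comparison, so the two passwords collapse to the same stem. A real deployment would compare against a stored hash-independent fingerprint rather than the old cleartext, since the server should never hold the previous password in the clear.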

Sticking to these simple rules goes a long way toward protecting you and your business from attacks like those that affected CRA users.


If you have questions, reach out to MSJ for more details on how we help protect people, businesses, and data.



© 2020 by MSJ IT Services, Inc.