If your customers use the same username and password for
multiple online accounts, they could be at greater risk if your
organization experiences a data breach. You can’t control what
passwords your customers use for all their accounts, but you can
mitigate the risk of “credential-stuffing”.
According to a release from the Office of the Privacy
Commissioner of Canada (OPC), credential stuffing attacks
exploit people’s tendency to use the same log-in credentials
for various online accounts. If your customers repeatedly reuse
the same username and password online, just one data breach could
lead to many of their accounts being compromised. Research from Akamai has found that hundreds of
millions of credential-stuffing attacks occur on a daily basis.
The OPC and other global data protection authorities recently
released guidelines for limiting the risk of
credential-stuffing attacks. Here are a few of the steps you
can take to protect your customers.
Have a Guest Checkout for Online Purchases
One way to prevent credential-stuffing attacks is to not require
your customers to create credentials in the first place. By
offering a guest checkout option on your website, customers can
purchase your products or services without creating a username and
password that could end up being compromised.
Have a Strong Password Policy
If your customers create online accounts with you, you should
never store their credentials in plain text format. Passwords
should be stored securely, ideally using hashing rather than
encryption. Hashing is safer because a hash cannot be reversed into
the original password, whereas encrypted passwords can be recovered
by anyone who obtains the decryption key.
You should have a strong password policy that requires customers
to use a minimum number of characters, including special
characters. You could consider a “deny list” that
prevents users from choosing easy-to-guess passwords. You may also
inform your customers of the risks of reusing existing passwords
and/or recommend that your customers use a password vault to secure
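As an added illustration of the storage and policy points above (example code, not part of the original article), assuming a small constructed deny list and a standard-library PBKDF2 hash in place of whatever a real account system would use:

```python
import hashlib
import hmac
import os
import string

# Constructed deny list of easy-to-guess passwords; a real deployment
# would use a much larger list drawn from known-breach corpora.
DENY_LIST = {"password", "password1", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12                 # assumed minimum length for the policy
SPECIAL = set(string.punctuation)
PBKDF2_ITERATIONS = 600_000     # work factor; raise as hardware improves


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c in SPECIAL for c in password):
        problems.append("must contain at least one special character")
    if password.lower() in DENY_LIST:
        problems.append("is on the deny list of easy-to-guess passwords")
    return problems


def hash_password(password: str) -> str:
    """Store a salted, iterated hash instead of the password or an encrypted copy.

    A fresh random salt per user makes identical passwords hash differently,
    and because there is no decryption key, a leaked table of these values
    cannot simply be unlocked the way encrypted passwords could.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```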
Consider Multi-Factor Authentication
Multi-factor authentication is an effective way of guarding
against credential stuffing. Requiring additional factors –
such as a temporary password sent to your customer’s cellphone
– to gain entry makes it much harder for malicious actors to
access your customers’ accounts.
Don’t Use Email Addresses for Usernames
Customers often use the same email address for multiple
usernames, making it easier for bad actors to access multiple
accounts. Providing users with automatically generated usernames or
requiring them to create a custom username can help prevent
Your Customers Could Be at Risk of Significant Harm
As discussed in a previous blog, most privacy breaches pose a real risk of
significant harm – and the risks could be even higher
when your customers use the same log-in credentials for multiple
accounts. With breaches becoming costlier than ever, now is
the time to ensure your privacy policies are up to snuff.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.