U.K. bans generic passwords over cybersecurity concerns. Should Canada be next?
The U.K. is cracking down on easy passwords. Experts say Canada do the same.
The United Kingdom has introduced a new law that bans generic passwords on smart devices in order to protect consumers from cyber attacks.
Experts say Canada should adopt similar measures, as the pressing issue of cybersecurity continues to grow.
The new law officially came into effect on Monday with the purpose of protecting consumers from increasingly sophisticated hackers and cyber criminals. The law requires manufacturers to adopt minimum security standards to prevent hackers from accessing devices with internet connectivity such as smartphones, game consoles and connected fridges, a press release from the U.K. government says.
Under the new law, manufacturers are banned from allowing “weak, easily guessable default passwords like ‘admin’ or ‘12345,’” the release says.
It adds that besides boosting the U.K.’s resilience against cyber threats, the new measures will also help consumers’ confidence in buying and using smart products, which will in turn help grow the country’s economy.
“Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected,” U.K.’s data and digital infrastructure minister Julia Lopez says in the release.
Video: Is your personal information at risk after staggering data leak?
The U.K. is the first country in the world to introduce a law that requires manufacturers to protect consumers from being exploited by hackers and cyber attacks.
Cyber security experts say Canada should take similar measures. Dan Kagan, senior vice president of identity management company Okta, says passwords are “outdated” and leave Canadians vulnerable to cyber threats.
“(Humans) are the weak links because we’re creatures of habit. So what we’ve done is we’ve made it easy to remember passwords… because we can’t forget kids names and favourite sports teams. The problem is, in doing that, we become very predictable,” Kagan told Global News.
“We leave ourselves susceptible to engagements from threat actors, from cyber criminals, and so on,” he said.
Kagan says cyber criminals’ rapidly growing sophistication means generic passwords no longer offer the protection they once did from being hacked.
Though everyday consumers are most targeted, Canada and Western democracies around the world have also seen significant jumps in attacks or threats against critical infrastructure over recent years.
“It’s getting to the point where that infiltration is hitting at a government layer. If the password to get to government services is extremely easy, you’re leaving not only yourself but the rest of the country vulnerable to get into a system that can only be breached with a password,” Kagan said.
Kagan says while the U.K.’s ban on generic passwords is a good measure, the most effective action against cyber threats would be for governments to replace passwords with other technology.
The best solution for logging into portals without passwords would be with biometrics, he says, which includes face, fingerprint and voice identification. Apple is an example of a brand already using this method with its smart devices.
“It’s very hard to replicate your face or a fingerprint,” Kagan said.
However, Kagan says he admits it would be tough to convince consumers to drastically change their password habits, so the U.K.’s new law is a solid starting point.
Video: How Russian cyber criminals are targeting Canadians, oil and gas sector
This past year has seen dozens of high-profile cyberattacks and ransomware targeting major businesses, healthcare networks, law enforcement and governments around the world.
More on Canada
A Canadian Centre for Cyber Security report from August last year said that over the next two years, “financially-motivated cybercriminals will almost certainly continue to target high-value organizations in critical infrastructure sectors in Canada and around the world.”
Canada Security and Privacy Research Chair Natalia Stakhanova says part of a rise in criminal cyber activity is driven by tools to commit illicit acts becoming cheaper and easier to use and by insufficient cyber defences.
“It’s getting easier and easier to break into systems,” Stakhanova told Global News. “All of us should really be thinking about security these days.”
Stakhanova echoed Kagan’s sentiments, saying passwords inherently carry a lot of weaknesses because of our human tendencies. Now, with the growing intelligence of cyber criminals, she says internet connected devices have become “an entry point into our houses.”
That’s why she says the U.K.’s new law is a “smart” move, adding that Canada has historically been “quite behind” when it comes to security guidance and regulations.
“Having governmental oversight is certainly a smart move. It gives a little bit more assurance to us as consumers that now the device manufacturers are going to be actually responsible for the security they build in the devices,” Stakhanova said.
“Implementing something similar to this type of guidance would certainly be beneficial for consumers in Canada,” she said.
Video: Essential cybersecurity tips to safeguard your digital footprint
For Canadians looking to improve their password strength, Stakhanova says a good place to start is choosing something that isn’t easy to guess. Make sure to also not repeat passwords for multiple portals.
Stakhanova says another good trick is avoiding words that are in the dictionary. You can combine words, but don’t use a single one. She says all it takes for an attacker to successfully hack into someone’s accounts is to pull up an existing profile and compare their passwords from five to 10 years ago.
“When you’re talking about common passwords, you should really be thinking about that list that creates billions of entries of the passwords we used in the past,” she said.
Stakhanova acknowledges it will be challenging to convince many to avoid using generic passwords, but she said the benefits of doing so “should be quite clear.”
“I understand the convenience, but we need to understand that in this sort of landscape of ever-increasing cyber-attacks — we’ve seen something coming out pretty much daily — we need to be more vigilant,” she said.