As more cases of personal data becoming available on hacker forums surface, experts say not only should Canadians form better password-changing habits, companies should also offer different types of protections so Canadians are less complacent.
In early April, media outlets reported that data from half a billion users compromised in Facebook's 2019 data breach had recently been made available on a hacker forum (three million of those users were Canadian). That same week, the passwords of 500 million LinkedIn users and 1.3 million Clubhouse users were sold on hacker forums. Yahoo Finance Canada reached out to LinkedIn and Clubhouse to learn how many Canadians were affected but did not get a response in time for publication.
Ann Cavoukian, former information and privacy commissioner of Ontario, said in an interview that people are complacent about changing their passwords partly because they are "so stretched to the limit" with other things that changing their passwords is the last thing they think about. She added that applications which hold multiple passwords will never work in the long term because of how time-consuming they are.
"We need models that don't require individuals to keep changing things. It just hasn't worked historically and I think it's unlikely going to work in terms of going into the future," she said, adding that the way people are authenticating accounts needs to change.
According to Cavoukian, more organizations should adopt biometrics like Apple's Face ID, which she says minimizes having to manage multiple passwords.
"I have an Apple device, and I love it, I don't have to do anything," she said. "I think you need some very simple solutions like that and companies are going to have to come up with this."
According to a March 2020 poll from Canada's Communications Security Establishment, in general, only 19 per cent of Canadians change their passwords a few times a year. Nine per cent never change their passwords, and only 19 per cent change them when they're prompted to, the poll results also show. Furthermore, only 3 per cent change their passwords when they learn about a security breach in the news.
Sumit Bhatia, director of communications and knowledge mobilization with Ryerson University's Cybersecure Catalyst, says that while biometrics may be a good alternative, it can be pricey for companies to adopt. In an interview, he said the alternative ought to be multi-factor authentication, which has proven to be successful.
Bhatia notes that while biometrics has been successful as a form of password protection, there are still privacy concerns that may arise.
"If a hacker gets into your biometric data, that can be used to access your accounts as well," he said. "There always has to be a multi-factor process to passwords which is the current form that seems to work the best way."
Bhatia says the complacency arising from not changing passwords also stems from a lack of education, adding that people need to be taught from a young age how to better manage their passwords.
"You need to be teaching this in schools, we need to be teaching this in universities, the policies around tech use cannot be limited to a workplace," he said.
Ramona Pringle, a tech expert and associate professor at Ryerson University, agrees with Bhatia and says people need to have better habits and treat changing passwords like going to the dentist for annual checkups.
"Password managing is just part of adulting. It is like dental hygiene and doing laundry. You don't really want to go to the dentist, you don't really feel like doing your laundry, but there's nothing better than getting into clean sheets, and it's really nice when your teeth are healthy and clean," she said.
And just like a dentist's office, Pringle says it might even be a good idea for companies to start sending reminders to people so they become more active in changing their passwords regularly.
She explains that part of the complacency also comes from still not fully understanding the severity of not changing passwords, and unless there are tactile examples, people won't be better when it comes to changing their passwords.
"Passwords as a concept, it's like cloud computing. It's not tangible," she said. "When we talk about digital privacy, I don't think it necessarily evokes immediately those sensitive situations that when people hear about them they're that much more visceral."
Pringle says because people have so many passwords to manage, it feels like an overwhelming task.
"You're not just going to update one thing, it's probably dozens of websites, and so it feels like a full day of work," she said, adding that most people take action only if they feel they are part of a breach, which shouldn't be the case.