📣 CRA hacks happened because people reuse passwords-here's how to stop

Photo of a Canadian flag in the wind against a clear sky.
Photo by Hermes Rivera / Unsplash

On 17th February 2021, Canada Revenue Agency's (CRA) online services came back into focus. The CBC reported that more than 100,000 people were locked out of their CRA accounts (Sources: 1). This lockout was initiated by the CRA; they believed that those accounts were in danger because the login credentials used were compromised from other services (Glossary: data breach).

This is after cyber attacks in fall 2020 where thousands of CRA accounts were logged into and abused by folks who had no business going in there (Sources: 2).

"These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide (Glossary: credential stuffing), took advantage of the fact that many people reuse passwords and usernames across multiple accounts." - Office of the Chief Information Officer of the Government Canada (Sources: 3)

So the credentials used to access CRA accounts were not stolen from the CRA, but stolen elsewhere and successfully used to access CRA services.

Why not reuse passwords?

Reusing the same username-password combination in different internet services is like installing a lock and key on your home door, then using the same one in different places.

Maybe you do it because you're worried you won't have the right key when you need it. So you put identical locks on your rented office space, your mail box, your bank safety deposit box, your parent's rented storage space...all intended to be unlocked using the same key.

But we wouldn't use the same key in more than one place. Because when our car keys get misplaced, its finder could use the same keys to get into our home, and everything else.

How do people know where to find your home? Imagine your car keys had your home address on it; or that it wasn't too difficult to connect the car keys to your name, and then find out where you live.

When passwords are lost, often they're lost together with an email. Your email is essentially the same address you use to access many internet services.

Risk magnified by sub-standard passwords

It's one thing to have a good password stolen and used against you. For example, wUtEkaeh!T323*^@im5e9qj3vq7xiD is a good password. It's long, complex, and random. All of this make it a good password.

But the top 3 most common passwords are "123456", "123456789", and "qwerty" (Sources: 4). It's trivial for a threat actor to try commonly used passwords to access different services. Your password doesn't even have to be lost to begin with.

Many of us are not only using the same lock and key everywhere, it's a low quality lock and key-one we bought at the dollar store.

How do we make better passwords, then stop using the same lock and key everywhere?

We use a password manager (Glossary: password manager).

The best passwords are long and unique. But a long, unique password for every service we need to login would become difficult to maintain-without help. This is where password managers shine. Password managers automatically create long and unique passwords, then remember them for us.

But isn't that riskier?

Standalone password managers are a recommended tool to protect our online credentials (Sources: 5).

The password managers built into your browser do not meet the requirements for security and convenience.

What about the password for the password manager?

This password can be made very long and easy to remember. Length makes it difficult to guess, even with powerful computers doing the guessing.

👉 Get started with a password manager

Use our Basic quick start to Bitwarden, the password manager we use protect our business services from misuse.

Dog with heart-shaped nose in a screen, AKA the Majorcord logo.


Helpful words


  1. https://www.cbc.ca/news/technology/cra-accounts-locked-1.5916607
  2. https://www.cbc.ca/news/politics/canada-revenue-agency-cra-cyberattack-1.5688163
  3. https://www.canada.ca/en/treasury-board-secretariat/news/2020/08/statement-from-the-office-of-the-chief-information-officer-of-the-government-canada-on-recent-credential-stuffing-attacks.html
  4. https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt
  5. https://cyber.gc.ca/en/guidance/password-managers-security-itsap30025