You’re not responsible for using dangerous passwords. But the business is…

Here’s an interesting development that may have evaded you…

The FTC has ruled that businesses must take responsibility for their customers’ poor password hygiene. That’s right. If you reuse a stolen password to secure your financial services account, it’s not your fault – it’s the fault of the business that let you use the insecure password in the first place. Because of ‘credential stuffing’, reusing a password is equivalent to not using a password at all. A reused password is 100% insecure.

The ruling was made against TaxSlayer LLC, who experienced an account takeover attack (in 2015) in which 9,000 accounts were compromised (taken over) and used to file fraudulent tax returns. The FTC found that TaxSlayer wasn’t doing enough to ensure that customers’ accounts (and data) were secure.
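As an added illustration (not code from the original post, nor anything TaxSlayer runs), here are the two controls the ruling implies a business should have in place: a server-side check at registration or password change that rejects passwords already present in a breach corpus, using the hash-prefix (k-anonymity) lookup pattern so the full hash never leaves the checking server, and a login-log detector that flags a single source failing against many distinct accounts, which is the signature of credential stuffing that per-account lockout does not catch. The breached-password list, the login lines, the function names and the thresholds are all constructed assumptions for this example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus, stored as uppercase SHA-1 hex digests
# (the form such corpora are commonly distributed in). These entries are built
# here for the example and are not taken from any real breach.
_BREACHED_PLAINTEXTS = ["password", "123456", "letmein", "correcthorsebattery"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _BREACHED_PLAINTEXTS}


def sha1_upper(password):
    """SHA-1 of the candidate password, uppercase hex, matching the corpus format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Simulate a k-anonymity range query: given the first 5 hex characters of a
    SHA-1, return the suffixes of every breached hash sharing that prefix. A real
    deployment would send only this prefix to the corpus service and compare the
    returned suffixes locally, so the full hash is never disclosed."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def validate_new_password(password, min_length=12):
    """Policy applied at registration and password change.
    Returns (accepted, reason); a breached password is rejected regardless of
    how strong it looks, because it is already in attackers' credential lists."""
    if len(password) < min_length:
        return False, "too_short"
    if is_breached(password):
        return False, "known_breached"
    return True, "ok"


# Constructed login events: "<timestamp> <source_ip> <username> <result>".
# The first source tries one password against many accounts (stuffing pattern);
# the second is an ordinary user mistyping their own password.
SAMPLE_LOGIN_LOG = """\
1000 203.0.113.9 alice FAIL
1001 203.0.113.9 bob FAIL
1002 203.0.113.9 carol FAIL
1003 203.0.113.9 dave FAIL
1004 203.0.113.9 erin FAIL
1005 203.0.113.9 frank OK
1010 198.51.100.4 alice FAIL
1020 198.51.100.4 alice FAIL
1030 198.51.100.4 alice OK
"""


def flag_stuffing_sources(log_text, window=60, min_distinct_users=5):
    """Flag source IPs that fail against many distinct usernames inside a window.
    Per-account lockout misses this (one attempt per account), so the aggregation
    key is the source, not the account. Returns {ip: distinct_failed_users}."""
    attempts = defaultdict(list)  # ip -> [(ts, user, result)]
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        attempts[ip].append((int(ts), user, result))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for ts, _, _ in events:
            users = {u for t, u, r in events
                     if ts <= t < ts + window and r == "FAIL"}
            if len(users) >= min_distinct_users:
                flagged[ip] = len(users)
                break
    return flagged


if __name__ == "__main__":
    print(validate_new_password("correcthorsebattery"))
    print(flag_stuffing_sources(SAMPLE_LOGIN_LOG))
```

The validator deliberately rejects breached passwords before any complexity scoring, since length and character classes say nothing about whether a password is already circulating; the detector keys on the source rather than the account because a stuffing run touches each account only once and so never trips ordinary lockout.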

I wonder who is next…

60-second primer on account takeover and credential stuffing:

Simon Gibbard