Securing Passwords for a Safer Online Experience

Authored by: Peerapong Jongvibool, Senior Director, Fortinet Southeast Asia

As technology evolves, new ways of verifying users’ identities have emerged, including Multi-Factor Authentication (MFA), biometrics, and Single Sign-On (SSO) algorithms. Despite this, passwords continue to be integral to verifying identities.

Stolen passwords allow cybercriminals to takeover accounts or conduct unauthorised transactions. Malicious actors have also been known to earn a quick buck by selling pilfered credentials on the dark web. This is particularly concerning in Malaysia where a recent study found that basic passwords like, “admin” and “password” were prevalent.

What drives credential theft?

Our recent SecOps survey shows that 88% feel that remote work has led to an increase in insider threat incidents. Insufficient training, lack of employee care, and inadequate communication contribute to this surge, emphasising the need to address human factors in cybersecurity.

One common tactic that threat actors use to steal users’ passwords is by conducting phishing campaigns. While this is not a new tactic by any means, these types of social engineering attacks have only grown more sophisticated and damaging as employees continue to work remotely and remain isolated from their teams.

The second method threat actors use is information stealers, which is a type of malicious software that embeds itself into the target device by either offering seemingly legitimate downloads or exploiting device vulnerabilities.

Best practices for stronger password security

To prevent credential theft, organisations need to adopt stronger password habits. For instance, instead of using common words or phrases, a mnemonic device, such as the second letter of a certain phrase, can help users create passwords that are easy to remember yet difficult to crack.

While creating different passwords is crucial to reinforcing cybersecurity, it can be hard for users to remember them all. Installing password managers can free users from the burden of using sticky notes or guessing games by having them rely on one master password to create, store, and fill in unique credentials. This way, users can still protect themselves without the added burden of handling passwords.

Build stronger walls

Regardless of job titles or roles, all employees should understand the repercussions of a security event and how it could affect the organisation and themselves personally.

People are the first line of defense and using strong passwords is one way that individuals can use to defend against malicious actors. On the backend, organisations need to enforce other cyber security measures. For example, MFA policies require two or more authentication measures before employees can access workloads, thereby reducing the rates of security breaches.

Beyond identity verification methods, other technology tools should be adopted in complement.

• Installing Endpoint Detection and Response (EDR) systems: Modern EDR systems are essential for monitoring employees’ devices for malware-like information stealers. With this solution at security teams’ disposal, they can lower the risk of password theft.
• Automating cybersecurity processes: Connecting cybersecurity solutions to Security Orchestration, Automation, and Response (SOAR) platforms allows them to leverage customised playbooks so they can respond to data leaks and credential compromises automatically.

Build a robust cybersecurity culture: Through the National Cyber Security Awareness Master Plan, the government aims to develop programs and initiatives that foster cybersecurity awareness among Malaysian citizens. Organisations can contribute to these efforts by educating employees about common cybersecurity risks as well as their role in combating them.

Good password habits should not be treated as an option but as a necessity. Without it, organisations and users run the risk of inviting attackers to steal confidential data and disable essential operations.

With the right solutions at their disposal, organisations can give users the power to generate and maintain their own complex passwords without having to memorise them all, thus allowing them to focus on being productive.