Passwords provide the first line of defence against unauthorised access to your devices and online accounts. They act as a form of authentication: only someone who knows the password is granted access, which keeps cybercriminals out of your accounts and prevents misuse.
Nonetheless, there are some common bad password practices such as re-using passwords or using easily guessable passwords that might reduce the time needed for cybercriminals to guess or crack your passwords and gain unauthorised access to your device, application, or account.
Many people re-use the same password for multiple accounts out of convenience. Unfortunately, this convenience comes at a cost, as the compromise of a single account could potentially compromise every other account using the same login credentials. There are also those who choose easy-to-remember passwords, which tend to be easy to guess: common strings such as '123456' or 'qwerty', or passwords containing personal information such as your name, NRIC, birthdate, or any other information that can be readily obtained.
Common Password Attacks
These are some of the common methods used by cybercriminals to steal passwords:
Cybercriminals may send phishing emails containing urgent or threatening messages impersonating trustworthy entities such as banks or logistics service providers to lure you into divulging your credentials. Links embedded in these phishing emails may direct you to fake websites containing 'reset password' or 'account login' screens. Upon entering your password into the fake website, you have unknowingly handed your login credentials over to them.
Cybercriminals can obtain stolen credentials from past data breaches of organisations and use them to gain access to your accounts. If you have used the same login credentials across all your accounts, cybercriminals may be able to access those accounts as well.
Dictionary and Brute Force Attacks
Cybercriminals may also conduct dictionary or brute-force attacks to guess your password by checking it against 'password dictionaries', lists of commonly used passwords, or every possible character combination. The shorter and less complex your password is, the less time they need to find the correct combination.
Safeguard Your Passwords and Accounts
To keep track of your passwords for your different accounts and protect them from password attacks, it is important to maintain good password hygiene. You may wish to adopt the following best practices to protect your passwords and accounts.
Use Strong Passwords/Passphrases
Strong passwords are complex, unique, difficult to guess and hard to crack. Use strong passwords containing at least 12 characters comprising upper-case and lower-case letters, numbers and/or special characters. To make them easier to remember, you can use passphrases by putting together a sentence or a combination of words based on a memory unique to you. As passphrases are longer than traditional passwords, they are more secure: cracking them typically requires significantly more time than cracking short passwords. You can find out the strength of your password here. To create a strong password/passphrase, you may also refer to our advisory here.
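As an added illustration of the length-and-character-class rule above and of the dictionary and brute-force attacks described earlier (this is example code written for this page, not from the advisory): the checker below applies the 12-character minimum, counts character classes, rejects entries from a small constructed list of common passwords, and estimates the blind brute-force search space in bits, which shows why a long passphrase outscores a short complex password. The common-password list and the candidate passwords are constructed for the example.

```python
import math
import string

MIN_LENGTH = 12  # the advisory's minimum password length

# Constructed stand-in for a "password dictionary" of commonly used passwords
# (example only; a real check would use a full common-password or breach list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein", "iloveyou"}


def alphabet_size(pw):
    """Character set a blind brute-force search must cover: each class the
    password uses adds its whole class (26 lower, 26 upper, 10 digits,
    33 for punctuation and space, i.e. the rest of printable ASCII)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += len(string.punctuation) + 1
    return size


def brute_force_bits(pw):
    """log2 of the search space alphabet_size ** len(pw): an upper bound on
    guessing work, not a measure of predictability (hence the dictionary check)."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw):
    """Apply the advisory's rules plus a dictionary check; return (ok, reasons)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in a list of commonly used passwords")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 2:
        reasons.append("uses only one character class")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates: a dictionary word, a short complex password, a passphrase.
    for pw in ["qwerty", "Tr0ub4dor&3", "Blue-kettle whistles at dawn"]:
        print(f"{pw!r}: {brute_force_bits(pw):.0f} bits, {check_password(pw)}")
```

The bit count only bounds exhaustive search; a passphrase built from a well-known quotation would pass the length rule yet still fall to a dictionary attack, which is why the dictionary check runs first.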
Use Different Passwords for Different Accounts
In addition to creating strong passwords, it is also important to use different passwords for each of your accounts. In this way, any credential or data leak from a single platform will not compromise your other accounts.
Use Reputable Password Managers
Consider using a reputable password manager to store and manage the passwords for your different online accounts. With a password manager you only need to remember the master password that unlocks it, eliminating the need to remember multiple passwords for multiple accounts. To choose a suitable password manager, select one with features that best suit your needs, consider product reviews on reputable and trustworthy websites, and only download it through official sources such as the official Play Store (Android) and App Store (iOS).
Use Multi-Factor Authentication (MFA)
Enable MFA or Two-Factor Authentication (2FA) for your online accounts whenever possible, to provide an additional layer of security. It requires two or more verification factors before access is granted to your application or online account.
There are three main types of authentication methods that MFA is based on:
- Things you know (knowledge), such as a password or PIN;
- Things you have (possession), such as one-time passwords (OTPs) from physical OTP tokens or smartphones;
- Things you are (inherence), such as biometrics involving fingerprints or voice/facial recognition.
If a cybercriminal obtains your password in a security breach, your account will still be protected as long as they are unable to get hold of the other verification factors.
If you believe that one of your account passwords has been compromised, do the following:
- Change your password immediately and enable 2FA, if available, to secure your account.
- Contact the platform service provider directly for assistance if you no longer have access to your account.
- If you have used the same compromised password for other accounts, reset those passwords immediately as well to prevent any further unauthorised access.
Do not make it easy for cybercriminals. Maintaining proper password hygiene will protect your passwords and prevent you from being an easy target for cybercriminals to gain access to your devices and online accounts.