World Password Day: A reminder to secure your passwords better
This year, World Password Day falls on Star Wars Day, May 4. Despite predictions to the contrary, passwords continue to be a critical part of our lives.
"Traditional passwords were a quintessential step in developing the different methods we use to access our accounts today. World Password Day serves as a reminder to organisations that although passwords were reliable in the past, it is time to bolster security solutions with more secure and robust authentication methods, like biometric authentication, to ensure that the user accessing an account is the authorised user," explained Stuart Wells, Jumio's CTO.
"Ensuring our passwords are secure is a crucial element of protecting our digital identities and sensitive information that we may provide when shopping online, using social media or mobile banking apps (to name a few popular examples). The wide array of password-protected services available to us leads many to re-use the same password across many applications for the sake of convenience. However, in the event that a password for oice is breached, many doors could be opened to would-be attackers if users are in fact re-using passwords — a very common attack strategy," noted Amit Sharma, Security Engineer, Synopsys Software Integrity Group.
Wells also called Netflix’s "seemingly controversial" new password sharing policy — a decision that passwords cannot be shared — "a best practice that all organisations should follow". "Most organisations and consumers do not realise the risk that comes with sharing passwords. If a user shares their password and the person they shared their password with falls victim to a cyberattack, that password is now compromised and can lead to the cybercriminal potentially accessing their data or their company’s data. This inadvertently causes costly data breaches and damages consumer trust," he said.
"For consumers, sharing a password may seem like a harmless way to help friends or family save money, but the best practice when it comes to passwords is to never share them. Consumers fail to realise that although they trust these individuals with their passwords, cybercriminals may gain access to (the individuals') devices along with usernames and passwords that could lead to identity theft, financial fraud and phishing attacks. Today’s acknowledgement of World Password Day highlights to consumers and organisations alike the need to implement newer, more secure methods of authentication to safeguard their data."
Thomas Richards, Principal Consultant, Synopsys Software Integrity Group, said that human nature tends to fall on the side of insecurity. "Humans often default to weaker and shorter passwords because they’re easier and more convenient to create. Without policies to require stronger passwords, we’re setting ourselves up to be exposed to a number of digital threats," he warned.
"Password compromises can often be blamed on inadequate software development practices or vulnerable software. Additionally, poor password hygiene can occur when technical controls aren’t effectively and responsibly implemented, such as a requirement for strong and effective passwords."
Shahnawaz Backer, Senior Solution Architect, Asia Pacific, China and Japan, F5, noted that there are many data breaches in Singapore and shared findings from F5’s Curve of Convenience report, which found that 73% of Singaporeans are willing to share their data in exchange for convenience during payments. In contrast, the number was 55% in 2020.
"Not only that, due to the strong reliance on digital devices and the rush for time, 96% of consumers are willing to save sensitive data on websites to streamline processes," he said.
"Common passwords such as 'Qwerty123' or 'P@ssw0rd123' are still being used. The consequences of (Singaporeans) having their passwords stolen are much more severe than ever — from losing their life savings to even losing their identity," he warned.
"This World Password Day, I’m reminded of a string of articles over the last several months from retail to fast-food companies, where users of these sites found their accounts compromised as a result of credential stuffing attacks. Credential stuffing is a type of attack, where cybercriminals take user login credentials obtained from data breaches on other websites and services and use the same usernames and passwords on other websites and services.
"More often than not, these attackers will be successful using the stolen data, because many users tend to reuse passwords across multiple websites," observed Satnam Narang, Senior Staff Research Engineer at Tenable.
Rebecca Law, Country Manager, Singapore, Check Point Software Technologies, said that passwords are stolen on a daily basis. "Every day, cybercriminals create new attacks aimed at stealing user passwords. Techniques such as phishing have managed to breach thousands of services by stealing credentials, especially here in Singapore, where on average, organisations are attacked 1,246 times per week in the last six months.
"This risk can be easily remedied by establishing secure passwords, making it much more difficult for cybercriminals to guess these combinations, ensuring the highest level of security for our devices," she said.
Cybersecurity concept art generated by Dream by WOMBO.
Vincent Goh, GM, APJ for CyberArk, also shared some dismaying statistics. "Over half of workers in Singapore today have a shocking amount of access to sensitive corporate data, according to CyberArk’s 2022 Identity Security Threat Landscape Report.
"In addition, almost 80% of respondents admit that their organisations are vulnerable to carefully-crafted attacks such as phishing emails that specifically target employees with high levels of access," he said.
"With the vast amount of sensitive information at their fingertips, attackers are assigning a new level of focus on employees’ passwords, especially poorly-managed ones. In fact, with as many as 921 password attacks occurring per second globally, it is time for organisations to treat every employee’s credentials like the true operational risk they are."
Goh said World Password Day is a good time to rethink password security. "It is important for organisations to apply a least-privilege approach to ensure that employees can securely share credentials without revealing password characters. Recognise that all workforce users’ passwords should be protected with the same security-first approach that organisations apply to privileged users’ credentials," he said.
"As organisations bolster their password protection capabilities, they should also work towards a holistic identity security approach to ensure privilege controls are applied across the board for all identities."
Sharma said that understanding password security best practices — such as not re-using passwords, employing a password manager, and using multifactor authentication whenever possible — ensures a more secure environment for protecting data. "New technologies are continuously emerging to improve security and scalability while also accounting for a seamless user experience," he added.
"The saying 'use a strong and unique password' across each website stems from incidents like the ones mentioned earlier. It’s not easy to manage several hundred passwords, which is why it is important for individuals to leverage tools like Apple’s built-in keychain for saving passwords, as well as using professional password management solutions. These tools can help users generate strong and unique passwords that they don’t have to remember, and they can use browser extensions to auto-fill their credentials into the right website," suggested Tenable's Narang. He also agreed with Sharma on using multifactor authentication.
"Despite this sage advice, it’s also important to remember that breaches and phishing attacks are still common, so it’s not just about creating strong and unique passwords. Leveraging features like two-factor or multifactor authentication (2FA and MFA respectively) can help users ensure their accounts remain secure even if their passwords are exposed somehow," Narang added.
"Some sites offer password-less sign-on, which leverages a second factor such as a phone, to help facilitate logging in without passwords. This isn’t as widespread of a feature across many websites, but it’s another solution to help address some of the challenges posed by passwords alone."
Richards had further suggestions. "Strong passwords are the foundation of Internet security, and must be taken seriously. I recommend that passwords be as long as possible, and include a variety of symbols, numbers, and upper- and lower-case letters. It’s also a good idea to use three- or four-word sentences, which can greatly reduce the chance of a password being cracked. I also recommend always enabling multifactor authentication on any app or platform that offers it. Multifactor authentication, coupled with a strong password, can create a strong defence against attackers," he said.
Richards believes that passwords will continue to be part of our lives. "Usernames and passwords have always been at the core of digital authentication, and I don’t see that ending anytime soon. Multifactor authentication (MFA) also adds an additional layer of security to better protect systems and end-users from compromise, but strong passwords are still essential for security."
He also recommended using a password manager. "In today’s digital world, password managers can be an extremely effective tool to manage and secure sensitive login information. Password managers provide secure storage, feedback if a password is considered weak, and can generate complex passwords as needed. All of these aspects can help to reduce the risk of a compromise," he said.
"With the growing sophistication of cybercriminals and the increasing number of cyberattacks, password security and robust data protection have become fundamental for business resiliency and continuity. In fact, a weak password can be the shaky link in an otherwise sturdy security system, leaving innumerable data vulnerable to cyberattacks," noted Chua Chee Pin, Area VP, ASEAN, Hong Kong, Korea, Japan, and Taiwan at Commvault. Chua added that training employees is important, but that accidents can still happen internally.
"Organisations should focus on trainings and awareness programmes for the workforce to educate them on the importance of password protection and inculcate the basic security hygiene - as employees have access to both digital assets and information owned by the company. While tackling external threats, one should not overlook the possibility of internal mishaps. And most importantly, implementing a robust data protection and backup solution for any worst-case scenarios. It’s always good to have a backup plan!" he said.
Backer also championed education and password managers as part of the solution. "For organisations, training sessions can be offered to educate employees on the importance of password security and cyber hygiene. Applying a tailored and flexible suite of solutions will help businesses adapt to the ever-changing security landscape, thereby allowing them to stay competitive while providing the secure and frictionless experiences that users now demand," he said.
"Businesses and consumers should adopt a 'never trust, always verify' attitude and behaviour. For individuals, it is important to be cautious when parting with secure personal data such as identity card numbers, credit card information, and passwords. Using tools such as password managers can also reduce the risks of being attacked."
Like Goh of CyberArk, Chua also suggested a holistic approach. "This World Password Day, let’s approach data protection holistically - password security is a crucial aspect of a solid data protection strategy. It is essential to implement a robust password management system that works in tandem with other solutions to provide additional layers of protection to prevent data loss or corruption," he stated.
Law's advice for a good password includes:
The longer and more varied, the better
"It should be at least 14-16 characters long and consist of different letters, combining upper and lower case letters, symbols and numbers. However, it has been noted that by simply increasing the password to up to 18 characters combined, a completely unbreakable key can be constructed. This belief is based on the number of attempts brute-force practice requires where the total number of combinations is equal to the number of characters multiplied by their length," she explained.
Easy to remember, complex to guess
"It should be a combination that only the user knows, so it is advisable not to use personal details such as dates of anniversaries or birthdays, or the names of family members, as these can be easier to figure out. A simple way to create passwords that anyone can remember is to use complete sentences, either using common or absurd scenarios, with examples such as 'meryhadalittlelamb', or its even safer equivalent with different characters '#M3ryHad@L1ttleL4m8'," she said.
Unique and unrepeatable
"Create a new password each time a service is accessed and avoid using the same password for different platforms and applications. This ensures that in the event of a password being breached, the damage will be minimal and more easily and quickly repairable. According to a Google survey, at least 65% of respondents reuse their passwords across multiple accounts and web services, which increases the chances of multiple platforms or applications being breached," Law advised.
Always private
"A premise that may seem basic but is important to remember," Law noted. "A password should not be shared with anyone, and it is especially advisable not to write it down anywhere near the computer or even in a file on it. For this task, you can use tools such as password managers, which do the same job, but in a more secure way."
Real security is just ‘two steps’ away
In addition to having a strong and secure password, the use of two-factor authentication (2FA) is a major security enhancement, Law said, echoing Richards. "This way, every time an attacker or an unauthorised person wants to access someone else's account, the account owner will receive a notification on their mobile phone to grant or deny access."
Change it periodically
"Sometimes, even after following all these practices, incidents beyond our reach occur such as leaks of company databases. Therefore, it is advisable to periodically check whether an email has been the victim of a vulnerability to a third party, as well as to try to trace the accounts that may have been compromised. To do this, there are public access tools such as the Have I Been Pwned website, which try to gather basic information on these leaks in order to offer support and help to users. Similarly, even if they have not been breached, it is always recommended to update passwords every few months," she concluded.
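As an added illustration (not code from the article or from any of the vendors quoted), the following Python checker encodes the rules Law lists above: minimum length, a mix of character classes, and rejection of common passwords such as the 'Qwerty123' and 'P@ssw0rd123' that Backer cites. The common-password set is a constructed sample, and the keyspace helper reports the brute-force search space (alphabet size raised to the password length) in bits.

```python
import math
import string

# Constructed sample of well-known weak passwords; the first two are the ones
# quoted on the page. A real deployment would load a breach-derived list.
COMMON_PASSWORDS = {"qwerty123", "p@ssw0rd123", "password", "123456"}

# Character classes the page's advice asks a password to mix.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(pw):
    """Return the names of the character classes that appear in pw."""
    chars = set(pw)
    return {name for name, members in CLASSES.items() if chars & members}


def keyspace_bits(pw):
    """Brute-force search space for a password of this length drawn from the
    classes it uses, in bits: log2(alphabet_size ** length)."""
    alphabet = sum(len(CLASSES[c]) for c in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, min_len=14):
    """Apply the page's rules: length, class variety, not a common password.
    Returns the list of failed rules; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(classes_used(pw)) < 3:
        problems.append("fewer than three character classes")
    # Compare case-insensitively so 'Qwerty123' and 'qwerty123' both match.
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


if __name__ == "__main__":
    # The three candidates are the examples quoted on the page.
    for candidate in ["Qwerty123", "meryhadalittlelamb", "#M3ryHad@L1ttleL4m8"]:
        print(candidate, check_password(candidate), round(keyspace_bits(candidate), 1))
```

Note that 'meryhadalittlelamb' passes the length rule but fails the class-mix rule, while its substituted form passes both.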