This is a transcribed interview with Sage Khor, Presale Technical Manager at Trend Micro. It is intended as a companion to our editorial “How Your Bad Password Hygiene is Putting Everything At Risk At Home and At Work“.
Password Hygiene has become an increasingly popular topic among cybersecurity experts and IT managers especially in light of the marked increase of data breaches occurring on a daily basis. We spoke to Sage Khor, the Presales Technical Manager at Trend Micro to better understand password hygiene and its impact on personal and organisational data security.
SAGE KHOR
PRESALES TECHNICAL MANAGER,
TREND MICRO MALAYSIA
With more than 15 years in IT as a solution consultant and architect, Sage Khor has diverse experience in IT Infrastructure, Cloud & virtualization, and information and data security. He specialises in cloud and virtualization security and has in-depth knowledge of cyber security. He also has experience dealing with diverse customer environments ranging from various industries such as FSI, oil and gas, telco, conglomerates, real estate& more.
Q: “Password hygiene” seems to be a new concept when it comes to keeping safe on the internet. What is it and how does it help in staying secure online?
Sage Khor: Password hygiene refers to best practices and habits individuals and organizations should adopt to maintain strong and secure passwords. Maintaining good password hygiene is essential to online safety. It encompasses aspects such as password creation, account variation, refraining from sharing passwords, and implementing multi-factor authentication (MFA).
Q: We’ve had guidelines and best practices that ask us to change our passwords every so often. It’s easy to enforce this at an organizational level, but how about when it comes to our personal passwords?
Sage Khor: There are several ways how individuals can practice good password hygiene:
- Create long passwords. It is recommended to create a password that is longer than 6 alphabets.
- Create strong passwords by using a mix of uppercase and lowercase letters, numbers, and symbols, and avoid personal information (birthdays, addresses), and simple patterns.
- Create unique passwords for each account.
- Enable Multi-Factor Authentication (MFA) as it adds an extra layer of security by requiring a second verification step beyond an individual’s password.
- Do not recycle passwords for multiple accounts.
Safeguarding data from cyber threats can also be done with the help of a security platform like Trend Micro’s ID Protection which helps secure personal information from identity theft, fraud, and unauthorized access.
Q: What is good “password hygiene”?
Sage Khor: The first line of protection against hackers is a strong and secure password as hackers will find it more difficult to decipher longer, more complicated passwords.
Weak passwords can be easily predicted. Avoid using the same or simple passwords like birthdays or dictionary words for multiple social media accounts or other internet accounts.
Enable two-factor authentication (2FA) on all internet accounts. Adding an extra layer of security to authentication makes it far safer than using just one factor.
Verify the privacy and security settings on internet accounts. Though they enable a degree of security for both users and the companies, the default settings that platforms set up are designed to enable the collection of pertinent market data from their users.
Another method of ensuring password hygiene is by utilizing a password manager to help you create, save, manage and use passwords across different online services. When you have to keep track of so many online accounts, a password manager is the best way to encrypt and store your passwords safely. However, it is also important to be vigilant when deciding on a password manager. The most reliable password managers will use industry-standard encryption methods and can keep your accounts safe from hacking. But good cyber hygiene practices will still come to play if you want to ensure your computer is free from malware and safe from hackers. One other aspect to consider is also taking steps to be aware of common social engineering tactics that can deceive users into divulging their master passwords.
Q: Is there a way for us to have password hygiene on an individual basis?
Sage Khor: Practising good password hygiene is vital to ensure that all accounts remain safe. Thus, it is important to be aware of the necessary steps you can take to create a strong and safe password. By introducing a higher level of complexity to your password, you can lower the chances of being hacked or having your accounts compromised.
When creating a strong password, refrain from using predictable letters or numbers in sequence (e.g qwerty, abcde, 12345) but instead combine letters, numbers, and symbols to form a password of at least eight characters. Similarly, you should always avoid creating passwords that include any easily found personal information. Most importantly, stop reusing passwords on all your accounts or have similar passwords across different accounts. Creating complex and varied passwords is ultimately one of the more important steps when it comes to password hygiene.
Q: How about when it comes to organizations?
Sage Khor: Password hygiene is crucial for organizations to protect themselves from data breaches and unauthorized access. Similar to how you should apply the best password hygiene practices in your personal accounts, it is important for organizations to also ensure the right structure and policies are in place.
Put in place complex passwords. While this may seem like a given, it may come as a surprise that many today still enforce popular passwords that are hackable. In the same way, you would create complex passwords for individual accounts, you will want to ensure the strength of passwords in your organization through the creation of long passphrases (at least 12 characters) instead of short passwords. Passphrases are easier to remember and more secure than single words. With proper IT policies in place, there should also be enforcement and systems that disallow the reuse of passwords.
Organizations should be using Multi-Factor Authentication (MFA) as it adds an extra layer of security by requiring a second factor, like a code from a phone app, to access accounts in addition to the password. Enforce two-factor or MFA for online banking/transactions and log-ins into key online portals/systems.
Practice the 3-2-1 backup rule. If a data breach occurs, it is critical to maintain at least three copies of company data in two different formats, with one air-gapped copy located off-site.
Lastly, awareness training programmes should be established to help educate employees on password hygiene best practices and prevent cases.
Q: We’ve talked about password hygiene quite extensively. How does this factor into basic cybersecurity? Can we make things simpler to implement and keep up with?
Sage Khor: Password hygiene is a key component of every cybersecurity strategy that serves as a fundamental defence against unauthorized access, data breaches, and identity theft. Begin adopting a zero-trust mindset and framework by continuously verifying identities. Through this, organizations can enhance their cybersecurity posture by focusing on continuous verification of access and authentication, thereby reducing the risk of data breaches.
To make password hygiene easier to implement and maintain, organizations and individuals can adopt password management tools that streamline the process of creating, storing, and updating passwords. Additionally, providing education and training on password best practices can help raise awareness and encourage users to prioritize strong password hygiene.
Q: In the worst-case scenario, if an individual’s password is compromised, what can he/she do? How do we prevent data from being compromised?
Sage Khor: There are various steps that can and should be taken to address this. The most immediate step you should take is to change the password that has been compromised. You can create secure passwords using a password manager that allows users to generate unique and strong passwords for each account. Additionally, set up an MFA which requires additional verification methods beyond just passwords. Began monitoring all account activities for suspicious behaviour or any breach of access.
Q: What about organizations?
Sage Khor: Going back to how password hygiene is crucial for organizations, it is important to note that unauthorized access to sensitive data can result in financial losses, reputational damage, and legal consequences. To prevent this, organizations should take the necessary steps to implement MFA and conduct regular software updates to protect organizations from known vulnerabilities that attackers might exploit. Organizations should be proactive in using the available tools such as password managers paired with the right training for employees to protect their data.
Implementing a zero trust security model will also be an essential step for the prevention of future cybersecurity breaches. By viewing every access request as a possible danger, this strategy will help enhance an organization’s cybersecurity posture and proactively meet regulatory and compliance requirements.
Q: How do multi-factor authentication (MFA) methods affect password hygiene? Can we rely more on MFA methods instead of changing passwords? How secure is MFA?
Sage Khor: Multi-factor authentication (MFA) methods enhance password hygiene by adding an extra layer of security, reducing the risk of cyber-attacks and unauthorized access. MFA requires users to provide multiple authentication factors, making it more challenging for cybercriminals to compromise accounts solely through passwords.
While MFA is not completely foolproof, it is considered one of the more reliable measures as it can be combined or implemented with single sign-on (SSO) and passwordless login options to reduce the efforts of users, while also increasing the efficiency and management of users and businesses.
Q: Google, Apple and Microsoft are talking about a future that relies less on passwords and more on things like biometrics or “passkeys”. What is Trend Micro’s take on this?
Sage Khor: Trend Micro emphasizes the importance of strong passwords, MFAs, and restricting access to only corporate networks. These recommendations align with the concept of biometrics and passkeys, which can provide stronger security measures compared to traditional passwords.
Unlike passwords, passkeys are not susceptible to phishing attacks or theft because the private key never leaves your device.
Passkey offers enhanced security by providing digital keys that are highly resistant to phishing and brutal force attacks, effortless logins through secure storage on a device for easy access with a tap or PIN, and seamless cross-device functionality for a hassle-free user experience.
Q: Will having alternatives like biometrics and “passkeys” make it harder to get compromised online? Does it bring a better level of cyber resilience to organizations?
Sage Khor: Having alternatives like biometrics and “passkeys” can indeed make it harder to get compromised online, enhancing cyber resilience for organizations. Biometrics, such as fingerprint scans and facial recognition, offer more secure authentication methods that are difficult to replicate, reducing the risk of unauthorized access. “Passkeys” meanwhile eliminate the need for traditional passwords, simplifying the login process and enhancing security by using alternative means of authentication.
Through this organizations can significantly improve their cybersecurity posture, making it more challenging for cybercriminals to compromise accounts and systems. Biometrics and “passkeys” provide a higher level of security and resilience, helping organizations protect sensitive data and mitigate the risks associated with traditional password-based authentication methods.
