
Interview: Password Hygiene & Staying Secure with Trend Micro

This is a transcribed interview with Sage Khor, Presales Technical Manager at Trend Micro. It is intended as a companion to our editorial “How Your Bad Password Hygiene is Putting Everything At Risk At Home and At Work”.

Password hygiene has become an increasingly popular topic among cybersecurity experts and IT managers, especially in light of the marked increase in data breaches occurring on a daily basis. We spoke to Sage Khor, Presales Technical Manager at Trend Micro, to better understand password hygiene and its impact on personal and organisational data security.



SAGE KHOR

PRESALES TECHNICAL MANAGER,
TREND MICRO MALAYSIA

With more than 15 years in IT as a solution consultant and architect, Sage Khor has diverse experience in IT infrastructure, cloud and virtualization, and information and data security. He specialises in cloud and virtualization security and has in-depth knowledge of cyber security. He also has experience dealing with diverse customer environments across various industries such as FSI, oil and gas, telco, conglomerates, real estate and more.


Q: “Password hygiene” seems to be a new concept when it comes to keeping safe on the internet. What is it and how does it help in staying secure online?

Sage Khor: Password hygiene refers to best practices and habits individuals and organizations should adopt to maintain strong and secure passwords. Maintaining good password hygiene is essential to online safety. It encompasses aspects such as password creation, account variation, refraining from sharing passwords, and implementing multi-factor authentication (MFA).

Q: We’ve had guidelines and best practices that ask us to change our passwords every so often. It’s easy to enforce this at an organizational level, but how about when it comes to our personal passwords?

Sage Khor: There are several ways individuals can practice good password hygiene:

  • Create long passwords. It is recommended to create a password that is longer than 6 alphabets.
  • Create strong passwords by using a mix of uppercase and lowercase letters, numbers, and symbols, and avoid personal information (birthdays, addresses), and simple patterns.
  • Create unique passwords for each account.
  • Enable Multi-Factor Authentication (MFA) as it adds an extra layer of security by requiring a second verification step beyond an individual’s password.
  • Do not recycle passwords for multiple accounts.

Safeguarding data from cyber threats can also be done with the help of a security platform like Trend Micro’s ID Protection which helps secure personal information from identity theft, fraud, and unauthorized access.

Q: What is good “password hygiene”?

Sage Khor: The first line of protection against hackers is a strong and secure password as hackers will find it more difficult to decipher longer, more complicated passwords.

Weak passwords can be easily predicted. Avoid using the same or simple passwords like birthdays or dictionary words for multiple social media accounts or other internet accounts.


Enable two-factor authentication (2FA) on all internet accounts. Adding an extra layer of security to authentication makes it far safer than using just one factor.

Verify the privacy and security settings on internet accounts. Though they enable a degree of security for both users and the companies, the default settings that platforms set up are designed to enable the collection of pertinent market data from their users.

Another method of ensuring password hygiene is by utilizing a password manager to help you create, save, manage and use passwords across different online services. When you have to keep track of so many online accounts, a password manager is the best way to encrypt and store your passwords safely. However, it is also important to be vigilant when deciding on a password manager. The most reliable password managers will use industry-standard encryption methods and can keep your accounts safe from hacking. But good cyber hygiene practices will still come into play if you want to ensure your computer is free from malware and safe from hackers. One other aspect to consider is also taking steps to be aware of common social engineering tactics that can deceive users into divulging their master passwords.

Q: Is there a way for us to have password hygiene on an individual basis?

Sage Khor: Practising good password hygiene is vital to ensure that all accounts remain safe. Thus, it is important to be aware of the necessary steps you can take to create a strong and safe password. By introducing a higher level of complexity to your password, you can lower the chances of being hacked or having your accounts compromised.

When creating a strong password, refrain from using predictable letters or numbers in sequence (e.g. qwerty, abcde, 12345) but instead combine letters, numbers, and symbols to form a password of at least eight characters. Similarly, you should always avoid creating passwords that include any easily found personal information. Most importantly, stop reusing passwords on all your accounts or having similar passwords across different accounts. Creating complex and varied passwords is ultimately one of the more important steps when it comes to password hygiene.

Q: How about when it comes to organizations?

Sage Khor: Password hygiene is crucial for organizations to protect themselves from data breaches and unauthorized access. Similar to how you should apply the best password hygiene practices in your personal accounts, it is important for organizations to also ensure the right structure and policies are in place.


Put in place complex passwords. While this may seem like a given, it may come as a surprise that many today still enforce popular passwords that are hackable. In the same way you would create complex passwords for individual accounts, you will want to ensure the strength of passwords in your organization through the creation of long passphrases (at least 12 characters) instead of short passwords. Passphrases are easier to remember and more secure than single words. With proper IT policies in place, there should also be enforcement and systems that disallow the reuse of passwords.

Organizations should be using Multi-Factor Authentication (MFA) as it adds an extra layer of security by requiring a second factor, like a code from a phone app, to access accounts in addition to the password. Enforce two-factor or MFA for online banking/transactions and log-ins into key online portals/systems.

Practice the 3-2-1 backup rule. If a data breach occurs, it is critical to maintain at least three copies of company data in two different formats, with one air-gapped copy located off-site. 

Lastly, awareness training programmes should be established to help educate employees on password hygiene best practices and prevent cases.

Q: We’ve talked about password hygiene quite extensively. How does this factor into basic cybersecurity? Can we make things simpler to implement and keep up with?

Sage Khor: Password hygiene is a key component of every cybersecurity strategy that serves as a fundamental defence against unauthorized access, data breaches, and identity theft. Begin adopting a zero-trust mindset and framework by continuously verifying identities. Through this, organizations can enhance their cybersecurity posture by focusing on continuous verification of access and authentication, thereby reducing the risk of data breaches.

To make password hygiene easier to implement and maintain, organizations and individuals can adopt password management tools that streamline the process of creating, storing, and updating passwords. Additionally, providing education and training on password best practices can help raise awareness and encourage users to prioritize strong password hygiene.

Q: In the worst-case scenario, if an individual’s password is compromised, what can he/she do? How do we prevent data from being compromised?

Sage Khor: There are various steps that can and should be taken to address this. The most immediate step you should take is to change the password that has been compromised. You can create secure passwords using a password manager that allows users to generate unique and strong passwords for each account. Additionally, set up an MFA which requires additional verification methods beyond just passwords. Begin monitoring all account activities for suspicious behaviour or any breach of access.


Q: What about organizations?

Sage Khor: Going back to how password hygiene is crucial for organizations, it is important to note that unauthorized access to sensitive data can result in financial losses, reputational damage, and legal consequences. To prevent this, organizations should take the necessary steps to implement MFA and conduct regular software updates to protect organizations from known vulnerabilities that attackers might exploit. Organizations should be proactive in using the available tools such as password managers paired with the right training for employees to protect their data.

Implementing a zero trust security model will also be an essential step for the prevention of future cybersecurity breaches. By viewing every access request as a possible danger, this strategy will help enhance an organization’s cybersecurity posture and proactively meet regulatory and compliance requirements.

Q: How do multi-factor authentication (MFA) methods affect password hygiene? Can we rely more on MFA methods instead of changing passwords? How secure is MFA?

Sage Khor: Multi-factor authentication (MFA) methods enhance password hygiene by adding an extra layer of security, reducing the risk of cyber-attacks and unauthorized access. MFA requires users to provide multiple authentication factors, making it more challenging for cybercriminals to compromise accounts solely through passwords.

While MFA is not completely foolproof, it is considered one of the more reliable measures as it can be combined or implemented with single sign-on (SSO) and passwordless login options to reduce the efforts of users, while also increasing the efficiency and management of users and businesses.

Q: Google, Apple and Microsoft are talking about a future that relies less on passwords and more on things like biometrics or “passkeys”. What is Trend Micro’s take on this?

Sage Khor: Trend Micro emphasizes the importance of strong passwords, MFAs, and restricting access to only corporate networks. These recommendations align with the concept of biometrics and passkeys, which can provide stronger security measures compared to traditional passwords.


Unlike passwords, passkeys are not susceptible to phishing attacks or theft because the private key never leaves your device.

Passkeys offer enhanced security by providing digital keys that are highly resistant to phishing and brute force attacks, effortless logins through secure storage on a device for easy access with a tap or PIN, and seamless cross-device functionality for a hassle-free user experience.

Q: Will having alternatives like biometrics and “passkeys” make it harder to get compromised online? Does it bring a better level of cyber resilience to organizations?

Sage Khor: Having alternatives like biometrics and “passkeys” can indeed make it harder to get compromised online, enhancing cyber resilience for organizations. Biometrics, such as fingerprint scans and facial recognition, offer more secure authentication methods that are difficult to replicate, reducing the risk of unauthorized access. “Passkeys” meanwhile eliminate the need for traditional passwords, simplifying the login process and enhancing security by using alternative means of authentication.

Through this, organizations can significantly improve their cybersecurity posture, making it more challenging for cybercriminals to compromise accounts and systems. Biometrics and “passkeys” provide a higher level of security and resilience, helping organizations protect sensitive data and mitigate the risks associated with traditional password-based authentication methods.

    How Your Bad Password Hygiene Can Put Everything At Risk at Home and at Work

    Another day, another email from IT telling you to change or update your passwords. We’ve all been there, opening emails and sighing at that reminder. However, did you stop to think what could be at risk when you don’t update your passwords across the board? What could be the harm in just one password not being updated?


    Understanding Passwords, Password Hygiene and Multifactor Authentication

    Well, like Julie Andrews once sang – Let’s start at the very beginning, a very good place to start. What exactly are passwords in our current, digital, always connected society? If your data and accounts were your home, your password would be your master key. The one thing giving you access to everything. Of course, we technically don’t need to talk about it in this anecdotal way because everyone knows what passwords are. But humour me as we break down the issue.

    Knowing that your password is a master key, how would you make sure that things are always secure? You would keep it physically near you. Maybe clean it or make sure the key’s grooves are still properly functioning. Similarly, password hygiene is simply the basics of creating a secure master key. There are certain characteristics that make it secure and hard to duplicate.


    Firstly, it must be unique. The same applies to passwords – your passwords should be unique. Something that only you can figure out. Secondly, it has to be complex: the grooves of the key must be hard to reproduce. When it comes to passwords, this is done in two ways: with the length of the password and the use of special characters. Experts recommend that passwords should be longer than 6 characters and contain a mix of upper-case characters, lower-case characters, numbers and special characters. In addition, they should ideally not be birthdates, social security numbers or simple patterns.

    Now that you’ve got a secure key for your main door, maybe we should add another layer of security, considering everything you own is within this home. Let’s include a way to confirm that it’s really you opening the door. Maybe we’ll use a voice authenticator. The addition of this second layer of security is exactly what multifactor authentication is. Essentially, it is there to ensure that it is you that is accessing your home. This has become a mainstay now, with services like Google, Amazon and even Facebook requiring you to activate MFA. These are, arguably, the very basics of keeping your data and digital self safe.

    Bad Passwords Put Everyone at Risk

    Now that we’ve covered the basics, let’s scale this up. Now think of a neighbourhood of homes. This is – perhaps – your family home. Each of your homes is interconnected with a powerline, a water source and more. However, each of these connections is protected by the same protections that protect your mansion. More importantly, your homes are located within a gated community. This gated community is your home network. Ideally, there should be two access points to this community: one which gives you access to everything in the gated community and one that gives limited access. These access points are your WiFi passwords. In most cases, we tend to have two: one for your home devices and your guest password. Since we’ve established what a good password is, it should come as no surprise that the same rules of password hygiene apply even to these.


    However, let’s think for a second about what happens if one of our access points has a weak password. It is very common for us to set up good home network passwords but keep our guest passwords simple – because who needs the hassle of trying to communicate complex passwords? Well, that would be, in this anecdote’s case, like putting a security guard who is blind at the guardhouse that provides guests access to the neighbourhood. While it is still secure, it’s not secure enough. Similarly, when we use weak passwords or repeated passwords, we’re doing the same to our data. Imagine what could happen now to all the homes in the neighbourhood because of that ONE vulnerability. You can have malicious actors enter the neighbourhood and snoop around.



    “… password hygiene is crucial for organizations, it is important to note that unauthorized access to sensitive data can result in financial losses, reputational damage, and legal consequences. To prevent this, organizations should take the necessary steps to implement MFA and conduct regular software updates to protect organizations from known vulnerabilities that attackers might exploit. Organizations should be proactive in using the available tools such as password managers paired with the right training for employees to protect their data.”

    Sage Khor, Presales Technical Manager, Trend Micro


    In the case of passwords, one weak password could put everyone at risk. Remember earlier, how we said that each home is connected with an electric line, water line and more? Well, similarly, each device on your network – be it at home or at work – is connected in some way. Having a weak password is like having a thin wooden door with a flimsy lock. These malicious actors would be able to just bring down the door and access everything in your house and potentially make their way to other homes.

    Keeping Things Secure Beyond Your Password

    Hopefully, the anecdote helps clarify how passwords are essentially the first step to creating a secure environment both at work and at home. However, sometimes, passwords are not enough. While they provide some security, we have had to build on the foundations that were provided by passwords. This is especially true in recent years with malicious actors using more sophisticated attacks that require us to be more vigilant.


    One of the most common ways that has emerged to help secure our data is multifactor authentication (MFA). A good example of this is Google’s implementation, where you need to tap a prompt on your smartphone to prove your identity when accessing your Google account. This extra level of security makes it even harder for malicious actors to access your data. Another common MFA method is the use of authenticators, which generate a one-time numeric code that is used to unlock your accounts in addition to your password.

    In addition to this, we have to – unfortunately – be more vigilant with our online interactions. Like the popular phrase in Game of Thrones, the internet “is dark and full of terrors”. Password hygiene is only one step we can take to protect ourselves on the internet. Proper cybersecurity solutions, such as those Trend Micro offers, provide even better protection. For organizations, this may include the adoption of Zero Trust security models that will provide even better protection against compromise.