Even a long and complex string of repeating numerals and letters amounts to slack protection, if they follow predictable patterns…

According to Lookout the Top 20 Passwords leaked on the Dark Web are:


Obviously, using ‘convenient’ and quick-to-type passwords can lead to cyber disasters. Having shared the list of vulnerable passwords, the firm’s Senior Director for Asia Pacific and Japan, Don Tan, also has insights on password security to share with CybersecAsia readers.

CybersecAsia: What are some of the best ways to educate people about the importance of using strong passwords?

Don Tan (DT): Make people understand the value of the data that passwords are supposed to protect. Strong passwords can be the difference between an attacker gaining access to someone’s life savings, bank account information and more.

Consumers may think that the services where they upload and share this sensitive information will protect them, but in reality, the best line of defense is in the consumers’ own hands.

Even with strong passwords, people should also be educated to enable multifactor authentication wherever possible. This provides a second layer of defense. 

From continual education and awareness, everyone will realize the importance of group responsibility and vulnerability: every team member’s login credentials can be targeted, and from there, hackers can attack the rest more easily (through spear phishing and/or whaling).

CybersecAsia: What would be your advice in creating strong passwords without the worry of having to memorize so many?

DT: Aside from using well-established password managers, a simple practice is to replace letters with numbers or symbols that are easy to remember. For example, replacing the letter “e” with a “3”, or the letter “a” with a “@” symbol. More importantly, do not reuse strong passwords across multiple accounts.

CybersecAsia: How often should passwords be changed, especially when people commonly use multiple devices to access to the same online services?

DT: Change your passwords at least every few months, especially on platforms that hold particularly sensitive data linked to banking or healthcare information. On the other hand, it is important not to change passwords too frequently, as keeping track of the changes in login credentials may lead to slipups or frustration that tempt people to “cheat” with simpler passwords.

Upon being informed of a breach on any service, organizations and employees must be mobilized to change passwords immediately, and mutually inform others to comply.

CybersecAsia: How do we increase overall vigilance against the surges in data breaches and data privacy incidents?

DT: Today, cyberattacks often take place across multiple endpoints, so it is crucial for businesses in the region to secure their data no matter where it goes. This requires increased granularity to analyze and prevent threats on mobile endpoints as well as the ability to make informed decisions on granting access to users and devices.

  • To safeguard against more frequent data breaches, businesses in the region must untether themselves from a security posture that is tied to a physical location, especially as their users and data are now everywhere.
  • Furthermore, organizations must safeguard personally identifiable information by harnessing control over encryption keys, to ensure that sensitive data can never be accessed or controlled by external parties, ensuring employee privacy policies are upheld. Through detailed visibility into mobile devices across their entire infrastructure, organizations gain dynamic access controls, data protection, cyber threat detection and compliance management.
  • As the global pandemic has increased everyone’s reliance on mobile devices and cloud services to maintain some normality in their lifestyles, communications channels have gone far beyond just email. So, attackers are using the extra channels such as messaging apps, social media, gaming and even dating apps to create the perfect environment for social engineering. With Phishing-as-a-Service catching on, almost anyone can become a threat actor. So stay vigilant of all these evolving threats.

As the region continues with accelerated digital transformation, organizations must be wary that their sensitive data may be shared with unauthorized parties (supply chain attacks). Implementing the right data backup and security solutions will safeguard all sensitive data.

CybersecAsia thanks Don for his insights.