Creating Strong Passwords & Password Management Tools
How are our online accounts protected?
We all sign up for many online accounts. Fundamentally, most platforms protect those accounts with one or both of the following methods.
First Factor Authentication:
- Usually something only you know: the password you type when logging in to a site, or the PIN you use to unlock your phone.
Second Factor Authentication (2FA):
- The second factor is usually something only you have. The classic example in Malaysia is the 6-digit code the bank sends to your phone by SMS every time you make a transaction. The rationale is that even if someone knows your password, only you hold your phone (in an ideal situation).
- Common 2FA methods: a one-time code sent by SMS, a Time-Based One-Time Password (TOTP) generated by an authenticator app, and a hardware key such as a YubiKey. SMS codes are the weakest of the three because a SIM-swap attack can redirect them; authenticator apps and hardware keys are preferred where the service offers them.
- Biometrics (fingerprint, face) are sometimes used as a factor as well; strictly they are "something you are" rather than something you have.
How Are Passwords Commonly Compromised?
- Unsecured Connections: On an open public Wi-Fi network, any traffic that is not itself encrypted (for example plain HTTP) can be read by the network operator or by anyone else on the same network. (More in Unit 4: Safer Browsing)
- Device Access: Physical access to a device, combined with passwords saved in the browser, can hand an attacker your accounts, especially if the disk is not encrypted.
- Malware: Malicious software such as a keylogger records every keystroke and sends it to the attacker, exposing passwords and any other sensitive information you type.
- Brute-Forcing: The attacker systematically tries possible passwords until one works. A pure brute force enumerates every combination, for example starting at "1111", then "1112", and so on through every possible PIN; a dictionary attack instead tries entries from a word list of known passwords. Both are fully automated and, against a stolen password hash, can run at millions or billions of guesses per second.
- Common Tactics: Attackers start with lists of the most common passwords, customise word lists with names, dates and local words, and apply predictable substitutions such as "a" to "@" and "o" to "0".
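The dictionary attack and substitution tactics described above, as an added worked example (not code from the page): a tiny constructed word list stands in for a real leaked-password list, a few mangling rules expand it the way John the Ripper or hashcat rules do, and each candidate is hashed with unsalted SHA-256, the kind of storage a badly designed site might use. The base words, substitution table and suffixes are all assumptions chosen for illustration.

```python
import hashlib
import itertools

# Constructed mini word list standing in for a real leaked-password list
# (rockyou.txt has ~14 million entries; the technique is the same).
BASE_WORDS = ["password", "lazada", "malaysia", "welcome", "qwerty"]

# Typical substitutions and suffixes attackers apply (assumed for this demo).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "1!", "2020"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, as a badly designed site might store passwords."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word: str):
    """Yield `word` with every subset of LEET substitutions applied
    (including none): password -> p@ssword, passw0rd, p@ssw0rd, ..."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(base_words):
    """Expand each base word with case, leet and suffix rules, deduplicated.
    Only lowercase letters are substituted, so the all-caps form stays plain."""
    seen = set()
    for word in base_words:
        for cased in (word, word.capitalize(), word.upper()):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    cand = mangled + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack(target_hash: str, base_words=BASE_WORDS):
    """Return (password, guesses) if some candidate hashes to target_hash,
    else (None, guesses) once the mangled list is exhausted."""
    guesses = 0
    for cand in candidates(base_words):
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "lazada2020", "correct horse battery staple"):
        found, n = crack(sha256_hex(pw))
        status = f"cracked as {found}" if found else "not found"
        print(f"{pw!r}: {status} after {n} guesses")
```

"P@ssw0rd1" satisfies every character-class rule a signup form usually enforces, yet it falls out of a five-word list within a few hundred guesses because it is just a base word plus standard mangling; the random four-word passphrase never appears in the candidate set at all. A real site should also slow this down with a salted, deliberately slow hash such as bcrypt or Argon2 rather than plain SHA-256.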
Data breach
One of the most common ways our passwords are compromised is a data breach: a vulnerability in a platform lets a third party gain access to its servers and steal private data, including the user database with its (often poorly hashed) passwords.
Data breach IRL!
- Lazada Data Breach (2020): In October 2020, a major data breach affected Lazada, a leading e-commerce platform in Southeast Asia. The breach exposed personal information and passwords of over 1.1 million customers, and the stolen data was found for sale on a hacker forum. The breach originated at RedMart, Lazada's grocery arm, which was later fined S$72,000 for it (reported as "RedMart fined S$72,000 for data breach resulting in online sale of customer data").
- Saya Kena Hack (2017): In 2017, Lowyat Net discovered a database comprising personal data of 17 million Malaysians being sold online for an undisclosed amount of Bitcoin. The breached data came from Jobstreet, the Malaysian Medical Association, etc. Saya Kena Hack was a project to allow people to verify if their data was compromised.
Best practices for creating good passwords
Enhancing password strength is crucial for effective protection against the threats above.
- Length and Complexity: Prefer long passwords with a mix of uppercase and lowercase letters, numbers and symbols. Complexity helps, but length matters at least as much: every extra character multiplies the number of guesses an attacker must make.
- Avoid Predictable Choices: Steer clear of dictionary words, names, birthdays and keyboard patterns such as "qwerty", and use a unique password for each account to limit the impact of a breach.
- Regular Changes: Periodically changing the passwords of sensitive accounts limits how long a stolen password stays useful, but forced frequent rotation tends to produce predictable variations (Password1, Password2, ...); current NIST guidance (SP 800-63B) favours changing a password when there is evidence of compromise rather than on a fixed schedule. If notified of a legitimate account compromise (confirm it is not phishing), change that password immediately, and change it anywhere else it was reused.
- Passphrase over Password: Consider a passphrase of several randomly chosen words, the approach popularised by the XKCD "correct horse battery staple" comic: it is long, easy to remember, and far harder to guess than a short "complex" password.
- Never Reuse Passwords Across Multiple Sites: If one site is breached, attackers try the same email and password on every other popular service (credential stuffing). A unique password for each account stops one breach from becoming many.
- Consider using a password manager: A password manager generates, stores and fills long random passwords for every account, so you only need to remember one strong master password, which you should protect with 2FA.
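To put numbers on the passphrase and length advice above, here is an added example (not from the page) that generates a random passphrase with a cryptographically secure source and compares the entropy of several password styles, including the expected time to find each one at an assumed offline guessing rate. The word list is a constructed stand-in for the 7776-word EFF/Diceware list, and the 1e10 guesses per second figure is an assumed rough rate for a GPU rig against a fast unsalted hash.

```python
import math
import secrets

# Constructed stand-in for a Diceware/EFF word list (a real one has 7776 words).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "durian", "kampung", "teh", "tarik",
    "monsoon", "lantern", "bamboo", "harbour", "cobalt", "velvet", "orbit", "saffron",
]
EFF_LIST_SIZE = 7776      # 6**5 words, one per five dice rolls
PRINTABLE_ASCII = 95      # pool for a fully random "complex" password
LOWERCASE = 26


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` items chosen uniformly at random from `pool_size`.
    Only valid for random selection; a human-chosen "P@ssw0rd1" has far less."""
    return length * math.log2(pool_size)


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Pick words with the CSPRNG in `secrets`, never the `random` module,
    whose output is predictable from a few observed values."""
    return sep.join(secrets.choice(words) for _ in range(count))


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the secret (half the space on average) at the
    given rate. 1e10/s is an assumed ballpark for GPUs vs. a fast hash."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, pool, length in [
        ("8 random lowercase letters", LOWERCASE, 8),
        ("8 random printable ASCII", PRINTABLE_ASCII, 8),
        ("4 random EFF words", EFF_LIST_SIZE, 4),
        ("6 random EFF words", EFF_LIST_SIZE, 6),
    ]:
        bits = entropy_bits(pool, length)
        print(f"{label:28s} {bits:6.1f} bits  ~{years_to_crack(bits):.2g} years")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Four random words (about 52 bits) are on par with eight fully random printable characters but far easier to remember; against an offline attack on a fast hash both fall in days, so for a master password or an account that stores password hashes, go to six words, which pushes the expected time into the hundreds of thousands of years at the same rate. The table only applies to words the generator chose; four words you picked yourself are not random and get no such guarantee.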