Australian Government - Office of the Australian Information Commissioner

Information from the Australian Cyber Security Centre about protecting credentials

The second quarterly report about data breach notifications received under the Notifiable Data Breaches scheme shows that the main causes of data breaches are malicious or criminal attacks (59 per cent). The majority of malicious or criminal breaches reported were the result of compromised credentials.

The risks of this type of data breach can be greatly reduced if entities implement strong password protection strategies, including raising staff awareness about the importance of protecting their credentials.

The OAIC has worked with the Australian Cyber Security Centre (ACSC), the Australian Government’s lead agency on national cyber security, on the causes of cyber security related breaches. The ACSC has provided the following mitigation strategies aimed at protecting credentials.

Prevention strategies: Individuals

Use of stolen credentials accounts for at least 77 per cent of all cyber incidents in this quarter.

According to the ACSC, there are four ways in which credentials (user names and passwords) are typically stolen:

  1. A user is tricked into entering their credentials into a page that mimics the legitimate site.
  2. A brute force (automated trial-and-error) attack on username and password combinations could be performed against a service, if the service does not prevent such activity.
  3. A service is compromised, and credentials are stolen from that system. These credentials could be used against that system, or the username and password combination may be tested against other high-value sites like social media and email.
  4. A user’s system may be compromised by malware that is designed to steal credentials.

Therefore, the ACSC advises that mitigations for users can include:

  1. Users who are affected by credential compromises should reset their passwords as soon as possible.
  2. Do not use the same password across critical services (like banking and social media sites), and do not share a password for a critical service with a non-critical service. This limits the impact if credentials for one service are stolen, and in particular prevents a less secure service from compromising a critical one.
  3. Use a passphrase that is not based on simple dictionary words or a combination of personal information. This reduces the success of password guessing and simple brute forcing.
  4. When changing a password, ensure that it does not follow a recognisable pattern. This mitigates intelligent brute forcing based on prior stolen credentials.
  5. Use multi-factor authentication, such as an authentication code sent to your mobile, for critical services where offered. This mitigates the simple use of stolen credentials.
  6. Look out for unusual account activity or suspicious logins. This helps to detect when a service, like email, has been compromised and needs a password reset.
  7. Think carefully before entering credentials when asked. Ask whether this is normal. Do not enter credentials into a form loaded from a link sent to you in email, chat or other means open to receiving communications from an unknown party. Even if the page looks like the service you are resetting, think twice. Use the method you would normally use to access that site, and reset the password from there. Be aware that your friends’ or other contacts’ accounts could be compromised and used by a third party to send such a link.
  8. If you are aware some of your credentials have been compromised, try to identify a specific cause. Did you enter your credentials in an untrusted place? Did you recently reset your credentials? What were the credentials for? Have you used those credentials elsewhere?
  9. Users should ensure their operating system, browser, and plugins are kept up to date with patches and fixes.
  10. Users should enable anti-virus protections on their systems in order to help minimise the effects of malware that steals credentials.

Individuals can access further resources here:

Where entities suspect they have been impacted by malicious cyber activity, the ACSC is able to provide support (whether your organisation is from the private or public sector).

Relevant ACSC resources:

Prevention strategies: For entities (organisations and agencies)

According to the ACSC, there are four ways in which credentials are typically stolen:

  1. A user is tricked into entering their credentials into a page that mimics the legitimate site.
  2. A brute force (automated trial-and-error) attack on username and password combinations could be performed against a service, if the service does not prevent such activity.
  3. A service is compromised, and credentials are stolen from that system. These credentials could be used against that system, or the username and password combination may be tested against other high-value sites like social media and email.
  4. A user’s system may be compromised by malware that is designed to steal credentials.

The ACSC advises that some mitigations for entities can include the following approaches:

  1. To mitigate the ongoing risk of credential compromises, entities should force all users to periodically reset their passwords.
  2. To mitigate the risk of brute force attacks being successful, entities should consider increasing the password length and complexity requirements for their users.
  3. Entities should also implement a lockout for multiple failed login attempts.
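The entity mitigations above (a lockout after repeated failed logins, a minimum passphrase length, rejecting passphrases built on simple dictionary words, and rejecting a reset that follows a recognisable pattern from the previous password) as an added Python example. This is illustrative code written for this page, not ACSC or OAIC code; the thresholds, the small COMMON_WORDS list and the sample passwords are constructed assumptions.

```python
import re
import time
from collections import defaultdict

# Constructed policy values for illustration; tune these to your environment.
MAX_FAILED_ATTEMPTS = 5          # lock the account after this many failures...
FAILURE_WINDOW_SECS = 15 * 60    # ...occurring within this window
LOCKOUT_SECS = 30 * 60           # how long the account stays locked
MIN_PASSPHRASE_LENGTH = 14
# Constructed sample of "simple dictionary words"; a real deployment would check
# against a large dictionary or breached-password list instead.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "letmein", "qwerty"}


def _letters(s):
    """Lower-case letters only, so Summer2018! and Summer2019! compare equal."""
    return re.sub(r"[^a-z]", "", s.lower())


class LoginGuard:
    """Tracks failed logins per account and enforces a temporary lockout."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(list)    # account -> recent failure timestamps
        self.locked_until = {}               # account -> time the lock expires

    def is_locked(self, account):
        return self.locked_until.get(account, 0) > self.now()

    def record_attempt(self, account, success):
        """Return True if the attempt may proceed, False if the account is locked.
        A locked account rejects every attempt, even one with the right password."""
        t = self.now()
        if self.is_locked(account):
            return False
        if success:
            self.failures.pop(account, None)  # a good login resets the counter
            return True
        recent = [f for f in self.failures[account] if t - f < FAILURE_WINDOW_SECS]
        recent.append(t)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = t + LOCKOUT_SECS
            self.failures.pop(account, None)
        return True


def passphrase_problems(candidate, previous=None):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_PASSPHRASE_LENGTH:
        problems.append("too short")
    if _letters(candidate) in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    if previous is not None and _letters(candidate) == _letters(previous):
        problems.append("follows a recognisable pattern from the previous password")
    return problems
```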

ACSC links to resources: