Keeping Safe Online: Password Security, MFA, and SSO Explained
Passwords remain the cornerstone of digital identity, but poor practices make them one of the easiest attack vectors for cybercriminals. Despite advances in authentication, weak or reused passwords still account for the majority of breaches.
The Australian Cyber Security Centre (ACSC) reports that of over 1,100 cyber security incidents in FY2023-2024, compromised credentials accounted for 23% of Category 3 (C3) incidents, involving large organisations, governments and critical infrastructure [1]. Surfshark’s analysis shows 47 million Australian accounts were breached in 2024 - one every second [2]. These numbers underscore why password security is critical.
For small and medium-sized businesses, the stakes are just as high - if not higher - than for large enterprises. Cybercriminals increasingly target SMBs because they often lack dedicated security teams and robust controls, making them easier prey. A single compromised password can lead to ransomware attacks, data breaches, and regulatory penalties that cripple operations and erode customer trust. Implementing strong password policies, enforcing MFA, and investing in continuous monitoring isn’t just an IT best practice - it’s a business survival strategy. In today’s digital economy, security is not a luxury; it’s a fundamental requirement for growth, reputation, and resilience.
To build this foundation, it’s essential to understand the core concepts - from encryption and MFA to SSO - so you can apply them effectively and protect your organisation from evolving threats.
Common Core Concepts
- Encrypted Passwords: Encryption converts passwords into unreadable strings using cryptographic algorithms, so even if stolen they cannot be used without the decryption key. In practice, stored passwords should be protected with a salted one-way hash (see the auditing item under Best Practices) rather than reversible encryption, so there is no decryption key for an attacker to steal.
- 2FA (Two-Factor Authentication): Requires two independent factors - something you know (password) and something you have (token or phone).
- MFA (Multi-Factor Authentication): Extends 2FA by adding biometrics or location-based checks.
- SSO (Single Sign-On): Allows access to multiple systems with one set of credentials. Convenient, but a single point of failure if not combined with MFA.
What Happens When Security Fails?
Hackers exploit weak password hygiene through several sophisticated techniques:
- Credential Stuffing: Using stolen username-password pairs from previous breaches to access other accounts.
- Brute Force Attacks: Automated guessing of passwords; short or simple passwords fall in minutes.
- Phishing: Fake emails or websites trick users into revealing credentials.
- Man-in-the-Middle (MITM): Intercepting credentials during transmission when encryption isn’t enforced.
- Keylogging and Infostealers: Malware records keystrokes or extracts saved passwords from browsers.
- Password Spraying: Using common passwords like “Password123” across multiple accounts.
- SSO Exploitation: If SSO credentials are compromised and MFA isn’t enabled, attackers gain access to multiple systems instantly.
Case Study: Medibank Breach - A Lesson in MFA Neglect
In October 2022, Medibank, Australia’s largest health insurer, suffered a catastrophic breach impacting 9.7 million customers [3]. Court documents reveal that the attack stemmed from the absence of multi-factor authentication on its GlobalProtect VPN. An IT contractor saved credentials to a personal browser profile, which synced to a home computer. Malware stole these credentials, granting attackers access to Medibank’s Microsoft Exchange server and VPN [4].
- Impact: 520 GB of sensitive data - including health records - was exfiltrated and later leaked on the dark web.
- Root Cause: No MFA, weak password controls, and ignored security alerts.
- Ramifications: Regulatory investigations, potential fines up to $50 million, and severe reputational damage.
This case illustrates how a single lapse - failure to enforce MFA - can cascade into a national crisis.
Best Practices for Password and Identity Security:
For All Users
1. Create Strong, Unique Passwords
- Use passphrases of at least 12 to 16 characters that mix character types.
- Avoid reuse across accounts - credential stuffing thrives on reuse.
2. Enable Multi-Factor Authentication (MFA) Everywhere
- Use app-based authenticators or hardware tokens over SMS.
3. Use a Password Manager
- Use an enterprise-grade solution and protect the vault itself with MFA.
4. Stay Vigilant Against Phishing
- Verify MFA prompts and report suspicious login attempts immediately.
For Technical Teams
5. Continuous Monitoring
- Implement real-time alerts for suspicious login attempts, MFA bypass attempts, and abnormal access patterns.
- Use SIEM tools to aggregate logs and detect anomalies.
- Monitor for credential exposure using dark web scanning and breach detection services.
6. Regular Auditing
- Conduct quarterly audits of password policies, MFA enforcement, and SSO configurations.
- Review privileged accounts and remove stale or unused credentials.
- Validate that password hashing algorithms and salting are correctly implemented.
7. Access Reviews and Role-Based Controls
- Enforce least-privilege principles.
- Perform access recertification for sensitive systems every 90 days.
8. Continuous Education
- Run phishing simulation campaigns and measure click-through rates.
- Provide role-specific training for developers, admins, and end-users.
- Share post-incident lessons learned across teams to prevent recurrence.
9. Policy Enforcement and Automation
- Automate password complexity checks and rotation for privileged accounts.
- Use conditional access policies to block risky IPs or enforce MFA for high-risk scenarios.
10. Incident Response Readiness
- Maintain a credential compromise playbook: disable accounts, force resets, investigate lateral movement.
- Test response plans through tabletop exercises and update based on findings.
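The monitoring item above (real-time alerts for suspicious login attempts and abnormal access patterns) can be turned into concrete detection logic. This added example, not part of the original article, runs simple rules over a constructed set of authentication events: a password-spraying pattern (one source failing against many accounts), a brute-force pattern (many failures against one account), and a success that follows a run of failures, which is the case where a missing MFA step would have let the attacker straight in. The log format, thresholds and IP addresses are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs); IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-03-10T08:00:01Z result=FAIL user=alice src=203.0.113.5
2025-03-10T08:00:02Z result=FAIL user=bob src=203.0.113.5
2025-03-10T08:00:03Z result=FAIL user=carol src=203.0.113.5
2025-03-10T08:00:04Z result=FAIL user=dave src=203.0.113.5
2025-03-10T08:00:05Z result=FAIL user=erin src=203.0.113.5
2025-03-10T08:01:00Z result=FAIL user=grace src=198.51.100.7
2025-03-10T08:01:01Z result=FAIL user=grace src=198.51.100.7
2025-03-10T08:01:02Z result=FAIL user=grace src=198.51.100.7
2025-03-10T08:01:03Z result=FAIL user=grace src=198.51.100.7
2025-03-10T08:01:04Z result=FAIL user=grace src=198.51.100.7
2025-03-10T08:01:05Z result=OK user=grace src=198.51.100.7
2025-03-10T08:02:00Z result=FAIL user=heidi src=192.0.2.9
2025-03-10T08:02:30Z result=OK user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

SPRAY_MIN_USERS = 5   # distinct accounts failed from a single source (assumed threshold)
BRUTE_MIN_FAILS = 5   # failures against a single account (assumed threshold)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events):
    """Return (alert_type, subject) tuples; events are assumed to be in time order."""
    users_failed_by_src = defaultdict(set)   # source IP -> accounts it failed against
    fails_by_user = defaultdict(int)         # account -> failure count so far
    success_after_fails = set()              # accounts that logged in after many failures
    for ev in events:
        if ev["result"] == "FAIL":
            users_failed_by_src[ev["src"]].add(ev["user"])
            fails_by_user[ev["user"]] += 1
        elif fails_by_user[ev["user"]] >= BRUTE_MIN_FAILS:
            success_after_fails.add(ev["user"])
    alerts = [("password_spraying", s) for s, u in users_failed_by_src.items() if len(u) >= SPRAY_MIN_USERS]
    alerts += [("brute_force", u) for u, n in fails_by_user.items() if n >= BRUTE_MIN_FAILS]
    alerts += [("success_after_failures", u) for u in sorted(success_after_fails)]
    return alerts
```

In a SIEM these rules would additionally be scoped to a sliding time window; here the whole sample is treated as one window for brevity.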
Cybersecurity isn’t optional - it’s a shared responsibility. Implementing these measures significantly reduces your risk of becoming the next statistic.
Sources:
1. ASD releases Cyber Threat Report | IDM Magazine
2. Australia hit by 47 million data breaches in 2024 – one every second | Insurance Business