
The “Browser-Sync Blues” and other credential mishaps putting your business at risk

By Kordia, 16 July 2025

When it comes to cyber hygiene, poor credential management remains one of the most common vulnerabilities exploited by attackers - and one of the easiest to fix.

Kordia’s Digital Forensics and Incident Response team have investigated hundreds of cyber incidents over the years, and compromised credentials are continually at the centre of a significant number of breaches.

Despite how often this topic makes headlines, we’re still seeing the same risky behaviours again and again. Things like:

• Weak or outdated password policies
• Saving login details in web browsers
• Syncing sensitive data across devices without thinking twice
• Skipping multi-factor authentication (MFA) altogether

It might seem insignificant, but the reality is these choices can crack open the door for attackers to compromise and move laterally across your network, causing serious harm to your systems and data.


Browsers are for browsing - not storing credentials
One of the most concerning practices we continue to see is the use of web browsers to store login credentials.


While browser-based password storage is often enabled by default and convenient for users, it presents a significant security risk. Browsers such as Chrome, Edge and Firefox are not designed to function as secure vaults. Many do not require any form of re-authentication to access saved passwords, which means that anyone with access to a device, either physically or remotely, can easily retrieve stored credentials.


Syncing features can also exacerbate the risk. When browser data is synchronised across multiple devices via services like Google or Apple iCloud, a breach on one device grants an attacker access to logins across multiple platforms, applications and systems.

Threat actors are aware of these common habits and leap at the opportunity to exploit them. In many cases, attackers are not relying on sophisticated tools or complicated tactics; they are simply leveraging weak security practices that have become normalised over time to log their way into your most critical business systems.


Not just an IT issue
Credential security is no longer just a technical issue; it is a governance issue. Security and leadership teams must be aware of how access to key systems is managed and should demand regular reporting on policy compliance and credential hygiene.
Ultimately, improving credential security doesn’t necessarily require a massive budget or a cutting-edge solution. It requires leadership, consistency, and a commitment to phasing out habits that no longer serve a secure business environment.

Modern threats require modern credential policies
In light of these risks, organisations should take immediate steps to review and update their credential policies. Key actions include:

• Implementing secure password practices: We recommend mandating the use of long, complex passphrases, ideally 16 characters or more. Passwords should be unique to each system and changed regularly. Employees should be discouraged from reusing personal passwords for work accounts.
• Using password managers properly: While password managers can significantly improve security, they must be enterprise-grade, encrypted, and centrally managed. Storing credentials in a browser is not a substitute. Password managers should require multi-factor authentication and support secure sharing when necessary.
• Disabling browser-based storage and syncing: Where possible, disable browser password saving features at the policy level. Encourage staff to use dedicated password management solutions that offer better protection and oversight.
• Enforcing multi-factor authentication (MFA): MFA should be non-negotiable for access to email, remote desktop services, VPNs, and any cloud-based applications. App-based or hardware MFA methods are significantly more secure than SMS-based codes.
• Considering passwordless solutions: Modern authentication tools such as certificate-based access, physical security keys (like YubiKeys), or push-notification-based logins offer stronger protection and better user experiences.
• Investing in staff awareness and training: Even the best tools are only as effective as the people using them. Organisations must provide regular cybersecurity awareness training, with a focus on real-world attack scenarios such as phishing and social engineering.
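As an added example of the "disable browser password saving and syncing at the policy level" action above (this script is not Kordia's and is not part of the original article), the PowerShell below audits a Windows machine for the documented Chrome, Edge and Firefox enterprise policies that turn off built-in password saving and profile sync, and can enforce them. It assumes the policies are delivered via the HKLM registry policy keys (as Group Policy or Intune would write them); the function names are this example's own.

```powershell
# Audit (and optionally enforce) machine-level browser credential policies.
# Run in an elevated session. Usage: .\Check-BrowserPolicy.ps1 [-Enforce]
param([switch]$Enforce)

# Desired state: registry policy key, value name and the DWORD the policy requires.
$Desired = @(
    @{ Browser='Chrome';  Path='HKLM:\SOFTWARE\Policies\Google\Chrome';   Name='PasswordManagerEnabled'; Value=0 },
    @{ Browser='Chrome';  Path='HKLM:\SOFTWARE\Policies\Google\Chrome';   Name='SyncDisabled';           Value=1 },
    @{ Browser='Edge';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name='PasswordManagerEnabled'; Value=0 },
    @{ Browser='Edge';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name='SyncDisabled';           Value=1 },
    @{ Browser='Firefox'; Path='HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name='OfferToSaveLogins';      Value=0 },
    @{ Browser='Firefox'; Path='HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name='DisableFirefoxAccounts'; Value=1 }
)

function Test-BrowserCredentialPolicy {
    # Returns one object per policy with its current value and compliance state.
    foreach ($p in $Desired) {
        $current = $null
        if (Test-Path $p.Path) {
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($p.Name) }
        }
        $shown = if ($null -eq $current) { 'not set' } else { $current }
        [pscustomobject]@{
            Browser   = $p.Browser
            Policy    = $p.Name
            Current   = $shown
            Required  = $p.Value
            Compliant = ($current -eq $p.Value)
        }
    }
}

function Set-BrowserCredentialPolicy {
    # Creates missing policy keys and writes the required DWORD values.
    foreach ($p in $Desired) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
    }
}

if ($Enforce) { Set-BrowserCredentialPolicy }
$report = Test-BrowserCredentialPolicy
$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or RMM tool flag drift from the policy.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

A user can still sign in to a browser profile on a machine that only has these machine-level keys if a conflicting user-level policy is present, so run the audit against both the HKLM keys above and any HKCU policy keys your environment uses.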