UAE: 238,000 passwords leaked in 2024. How to stay protected

Dubai: Over 238,000 unique passwords were compromised in 2024 in the UAE due to increasingly sophisticated malware attacks, according to the State of the UAE Cybersecurity Report 2025, released by the UAE Cyber Security Council and CPX.

The report highlighted the rising prevalence of infostealer malware in the UAE. RedLine Stealer merged as the dominant force in these breaches, responsible for 69.9 per cent of the infections. It is followed by other malware types like META Stealer (13.1 per cent), Lumma (12.6 per cent), and Vidar (4.4 per cent). Alarmingly, a significant percentage of the compromised passwords at 77.04 per cent met the US National Institute of Standards and Technology (NIST) guidelines for password length, which recommend at least 12 characters. The NIST is a US federal agency known for its cybersecurity framework and NIST Special Publication 800 series, which provide guidelines and recommendations for securing information systems.

“The fact that these passwords were still compromised by infostealer malware highlights a critical issue — even long passwords can be vulnerable if they are exposed through malware attacks. This suggests that simply following length guidelines is not sufficient for password security,” the report said.

According to the report, a breakdown of the leaked passwords by length showed a concerning pattern.

1 to 8 characters: 54,655 passwords compromised

9 to 12 characters: 107,478

Greater than 12 characters: 75,976

Multi-factor authentication

Industry experts told Gulf News that while password length is important, it’s not sufficient on its own to protect users from increasingly sophisticated attacks.

Morey Haber, Chief Security Advisor at BeyondTrust, pointed out that long and complex passwords are still vulnerable because they represent a single point of failure.

“If the passwords are compromised through malware, keystroke logging, a personal password manager, etc, then length and complexity alone offer no protection.”

Haber pointed out that the importance of additional security layers like multi-factor authentication (MFA) as a secondary verification method.

“It is therefore recommended to always use a long and complex password to prevent brute-force and dictionary attacks, along with multi-factor authentication. If the password is compromised, MFA provides a secondary method of confidence to ensure that the associated account is not compromised.”

Robust strategies

Alexander Ivanyuk, Technology Director at the Acronis Threat Research Unit, stated that users need to adopt more robust password strategies.

“The best practice is to use passphrases of more than 20 characters. These are easier to remember but harder to crack

Ivanyuk recommended using passwords longer than 14 characters for maximum security, significantly increasing resistance to brute-force attacks.

“Incorporate a mix of characters. If creating manually, use a mix to increase entropy, but prioritise length over forced complexity.”

Ivanyuk suggested taking advantage of password manager apps or tool.

“Password managers generate and store truly random, unique passwords, example: 16 to 32 characters with mixed types, for each account, reducing the risk of reuse. While not a password tip, pairing strong passwords with two-factor authentication reduces risk by 99.9 per cent,” Ivanyuk added.

Dos for stronger passwords

Use long passwords of at least 12 to 16 characters

Include a mix of upper and lowercase letters, numbers, and special symbols

Use passphrases by creating a memorable phrase with random words, add symbols or numbers

Enable two-factor authentication to add extra layer of security

Use password managers to generate and store complex, unique passwords for each account

Update passwords periodically, especially for sensitive accounts

Don’ts while creating passwords

Don’t use common words, sequential numbers or predictable patterns like ‘123456’ or ‘password’

Don’t reuse passwords to prevent a breach on one account from compromising others

Don’t rely on personal information like names and birthdays

Don’t use passwords shorter than 8 characters