As Australians put more and more of their lives online, security is more important than ever, but World Password Day research reveals that people continue to make the same dangerous mistakes when choosing their passwords.
Most Australians created a range of new online accounts during lockdown, from food delivery apps to the latest streaming platforms. Choosing a long, complex and unique password for each is one of the best things people can do to protect their online privacy and security, yet 42 per cent of working Australian adults use the same password across multiple accounts, according to Proofpoint research.
A quarter of Australian respondents rotate between of five to 10 passwords, while 17 per cent only use the same one or two passwords for all their online accounts.
One of the most dangerous mistakes that people make is reusing the same login or email address and the same password across multiple sites and devices, says Proofpoint senior director Adrian Covich. It one account in hacked, the others become vulnerable.
“Password reuse is exacerbated by the increasing volume and success rates threat actors are reaping with advanced credential phishing campaigns that use fake websites resembling the login page of a legitimate online service to steal usernames and passwords,” Covich says.
World Password Day on May 5 is a timely reminder for Australians to choose their passwords more carefully. It is important to avoid common words, phrases, names and dates associated with you or your direct family members. Attackers can easily cross-reference this kind of information to find the correct combination to break into your accounts.
People should change their personal passwords twice a year, Covich says. Business passwords should be changed every three months, with an automated policy in place which places a deadline on refreshing passwords.
While some advice emphasises the importance of complex passwords, with capitalisation and special characters, the length of a password is the most critical factor, says Tyler Moffitt, Senior Security Analyst, OpenText Security Solutions.
“The longer your password is, the stronger it will be. While there are parameters of 8-characters minimum, you can crack this code easily,” Moffitt says.
“To create long passwords and protect your SMB, employees should use phrases and incorporate spaces, since every character you add – whether that be a letter, number, space or special character – is an exponential increase in security.”
Thinking beyond passwords on World Password Day
The difficulty in juggling a wide range of logins and passwords can encourage people to use simple, easy-to-remember passwords and leave themselves at risk. The answer is to upgrade to a password management application or service, which relies on one strong master password.
Services like LastPass or 1Password can remember and automatically enter multiple logins and passwords. They can also generate new strong passwords.
Two-factor authentication (2FA), also known as Multi-factor authentication (MFA), is another important tool for securing access to online accounts. It offers an extra layer of security, which helps keep out attackers even if they discover your login and password, says Tesserent chief information officer Michael McKinnon.
“With global cybersecurity challenges evolving, passwords as a sole protector are no longer enough, and haven’t been for a while,” McKinnon says.
“One-time password generators, biometrics and multi-factor authentication are all mature technologies that rely on established standards that can be leveraged by organisations to protect their valuable information assets.”
Enabling 2FA means that, when logging into a service such Gmail for the first time on a new device, users also need to enter a one-time security code. This code might arrive in a text message, or come from a smartphone app such as Google Authenticator.
This way, users can only access their account if they know the login and password, and they also have their phone at hand. After this, they can often mark their own devices as “trusted”, so they don’t need to enter a code every time they login from their own computer, smartphone and tablet.