According to the Notifiable Data Breaches Report, published in September 2024 by the Office of the Australian Information Commissioner (OAIC), 30% of data breaches were attributed to human error. In a cyber security context, human error means unintentional actions - or lack of action - by people that cause, spread or allow a security breach to take place. This includes failing to use a strong password.
In today’s post, we’ll look at the impact of weak password security and the measures that we at Interserv have taken to strengthen our password use.
What are the consequences?
Weak password security makes it easier for attackers to gain unauthorised access to your sensitive data. This can have flow-on effects such as financial loss and, depending on what kind of information has been accessed or leaked, personal impacts such as reputational damage.
What makes a password “weak”?
There are a number of characteristics which make a password more susceptible to being hacked. Namely:
- Brevity - being fewer than 8 characters long.
- Simplicity - not including a mix of uppercase, lowercase, numbers and special characters.
- Derived from personal details - for example, name or date of birth.
- Using common phrases - for example, "password" or "1234".
In 2023, NordPass mapped out global password habits by analysing 4.3TB of publicly available data. Their findings in Australia show the top 10 most common passwords and how long it would take for a hacker to guess them:
Rank | Password | Time to Crack |
---|---|---|
1 | 123456 | < 1 second |
2 | admin | < 1 second |
3 | password | < 1 second |
4 | 1234 | < 1 second |
5 | qwerty123 | < 1 second |
6 | 12qwsZX | < 1 second |
7 | 12345 | < 1 second |
8 | 12345678 | < 1 second |
9 | qwerty | < 1 second |
10 | Qwerty123 | < 1 second |
How can we make our passwords stronger?
At Interserv, we have adopted the following measures to help boost our password security.
1. Using passphrases instead of passwords
A passphrase is a sequence of random words. It is longer than a traditional password, easier to remember and much more difficult to crack than the short passwords people typically choose. For example: Frustrate-Episode-Playhouse3-Humble
The Australian Cyber Security Centre (ACSC) encourages the use of passphrases over passwords and provides the following principles for strong passphrases:
- Length – where you can, aim to use 4 or more random words, with at least 14 characters in total.
- Unpredictability – use a random mix of unrelated words rather than a sentence with correct grammar and placement.
- Uniqueness – if you can, use a unique passphrase for every valuable account. This makes each one less vulnerable.
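The following Python script is an added example, not code from the original post or from Interserv. It does two things the sections above describe: it checks a password against the weak-password traits listed earlier (brevity, simplicity, appearing in the NordPass top-10 list; the "personal details" trait cannot be tested without the user's data) and it generates a passphrase that meets the ACSC principles of four or more random words and at least 14 characters, using the operating system's cryptographic random source. The word list and the guess rate of 10 billion guesses per second are constructed for the example; a real deployment would use a large published list such as the EFF long list (7,776 words), which is the size assumed in the entropy comparison.

```python
import math
import secrets
import string

# Constructed toy word list for this example only. Use a large published
# list in practice: entropy per word grows with the list size, not with
# the words themselves.
WORDLIST = [
    "frustrate", "episode", "playhouse", "humble", "lantern", "orbit",
    "velvet", "compass", "meadow", "glacier", "pepper", "cactus",
    "harbour", "sketch", "monsoon", "ticket", "walrus", "anchor",
    "ember", "quartz", "ripple", "saddle", "tundra", "violin",
    "wombat", "zephyr", "bramble", "copper", "dolphin", "fossil",
    "goblet", "hammock", "iceberg", "jigsaw", "kettle", "lobster",
    "marble", "nutmeg", "oyster", "puzzle",
]

# The ten most common Australian passwords from the NordPass table above.
# A dictionary attack tries these first, so they fall in under a second
# however they are hashed.
COMMON_PASSWORDS = {
    "123456", "admin", "password", "1234", "qwerty123",
    "12qwsZX", "12345", "12345678", "qwerty", "Qwerty123",
}


def weaknesses(password, common=COMMON_PASSWORDS):
    """Return which of the page's weak-password traits apply to password."""
    found = []
    if len(password) < 8:
        found.append("brevity")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 4:  # not a mix of all four character classes
        found.append("simplicity")
    if password.lower() in {p.lower() for p in common}:
        found.append("common")
    return found


def generate_passphrase(n_words=4, min_length=14, wordlist=WORDLIST, sep="-"):
    """Join n_words words chosen uniformly at random (ACSC: 4+ words, 14+ chars).

    secrets.choice draws from the OS CSPRNG; random.choice is not suitable
    for secrets. Extra words are appended only if the result is too short.
    """
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    while len(sep.join(words)) < min_length:
        words.append(secrets.choice(wordlist))
    # Capitalising adds no entropy; it only satisfies legacy mixed-case rules.
    return sep.join(w.capitalize() for w in words)


def entropy_bits(n_words, wordlist_size):
    """Guess-space (in bits) of n_words words drawn uniformly from a list."""
    return n_words * math.log2(wordlist_size)


def char_password_entropy_bits(length, alphabet_size):
    """Guess-space of a uniformly random character password, for comparison."""
    return length * math.log2(alphabet_size)


def seconds_to_crack(bits, guesses_per_second):
    """Expected time to search half the space at the given guess rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for p in ["123456", "Qwerty123", "Frustrate-Episode-Playhouse3-Humble"]:
        print(f"{p!r}: {weaknesses(p) or 'no listed weakness'}")
    pp = generate_passphrase()
    print("generated:", pp, weaknesses(pp))
    rate = 1e10  # constructed guess rate: 10 billion guesses/second
    for label, bits in [
        ("top-10 list entry", math.log2(len(COMMON_PASSWORDS))),
        ("4 words from a 7,776-word list", entropy_bits(4, 7776)),
        ("8 random printable-ASCII chars", char_password_entropy_bits(8, 94)),
    ]:
        days = seconds_to_crack(bits, rate) / 86400
        print(f"{label}: {bits:.1f} bits, about {days:.6f} days")
```

Two things worth noticing when you run it. The generated passphrase trips the "simplicity" check only because it has no digit, which is why the page's own example appends a 3 to one word: legacy complexity rules and passphrase strength are different measures. And four uniformly random words score about the same number of bits as eight uniformly random characters; the passphrase's advantage over real-world passwords is that people can remember and therefore actually use a random one, whereas a human-chosen 8-character password is rarely random at all.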
2. Using a password manager
A password manager is an application that allows users to create, store and manage their passwords. There are different types of password managers available, including some built into web browsers. The ACSC provides guidance on choosing a reputable password manager, with key features being strong security and privacy features, as well as regular updates.
3. Using multi-factor authentication
Authentication is the process of having a person prove they are who they say they are before accessing a site, system or application. Passwords have long been the most common form of authentication, but on their own they are no longer effective enough. Multi-factor authentication is now recommended because it requires more than one step to prove an identity and is therefore a stronger means of preventing unauthorised access. Multi-factor authentication combines at least two of the following:
- Something you are (fingerprints, retina scans).
- Something you know (passwords).
- Something you have (hardware or a paired mobile app).
A common example of multi-factor authentication is a password and inputting a code sent to a mobile number or mobile app.
Interserv and its clients all hold sensitive data. With cyber threats such as data breaches on the rise, we understand the importance of remaining vigilant with client, company and our own personal information. Keeping our password game strong, as well as adopting strong security processes, helps us ensure we can keep our and our clients’ data safe.