Poor passwords costing Kiwis millions

File Image. SunLive.

A simple change to password behaviour could save New Zealanders millions of dollars according to one government agency.

CERT NZ, which supports organisations and individuals affected by cyber security incidents, is suggesting that poor password practice could be costing Kiwis.

In 2020, Kiwis lost almost $17 million through cyber-attacks, according to CERT NZ’s 2020 Annual Report. In some cases this financial loss was due to issues such as weak passwords or reusing passwords across multiple accounts.

A well-known password manager service cited ‘123456’, ‘picture1’, ‘password’ and ‘12345678’ as some of the most commonly used passwords in 2020.

“Attackers use software that automatically tries the most common passwords against accounts, and using these sorts of passwords makes it easy for the attackers to find their way in,” says CERT NZ director, Rob Pope.

According to research conducted by CERT NZ and Consumer Protection, only 41 per cent of Kiwis say they always make sure their passwords are distinct, long, and complex when signing up to new websites or online services.

Therefore, CERT NZ is running an education campaign this month to help New Zealanders improve their password practice with passphrases.

CERT NZ says passwords for online accounts need to be long, strong and unique: more than 15 characters, and a different password for every account. Coming up with a good password every time can be difficult, but there are proven methods that make it easier.

“Using a passphrase, a mix of four or more random words, is one way you can use a long, strong password that’s easy to remember, but difficult for an attacker to crack,” says Rob.

“For instance, look around you and come up with four random things, like ‘bananamousebookwindow’. This would take password cracking software approximately three billion years to guess, but is much easier to remember than the usual complex passwords which are a mix of symbols, numbers, letters.”
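As an added illustration of the passphrase advice above (this is example code written for this page, not a CERT NZ tool), the script below picks random words with the operating system's secure random source, checks a candidate password against the article's short list of common passwords, the "more than 15 characters" rule and reuse, and estimates the work an attacker faces. The word list, the 7776-word comparison list and the attacker guess rate are constructed assumptions, not figures from CERT NZ; the point of the two entropy functions is that the strength of a passphrase depends on whether the attacker is guessing words from a known list or brute-forcing letters.

```python
import math
import secrets
from typing import Sequence

# Constructed mini word list for illustration only. A real generator should
# draw from a list of thousands of words: the entropy of a passphrase depends
# on the list size, not on how "random" the chosen words look.
WORDLIST: Sequence[str] = (
    "banana", "mouse", "book", "window", "river", "candle", "garden", "pencil",
    "cloud", "rocket", "silver", "carpet", "helmet", "orange", "ladder", "violin",
    "jacket", "marble", "tunnel", "basket", "forest", "cactus", "planet", "mirror",
    "pillow", "bridge", "engine", "button", "hammer", "island", "kettle", "saddle",
)

# The commonly used passwords quoted in the article.
COMMON_PASSWORDS = {"123456", "picture1", "password", "12345678"}

MIN_LENGTH = 16  # CERT NZ: "more than 15 characters"


def pick_words(n_words: int = 4, wordlist: Sequence[str] = WORDLIST) -> list[str]:
    """Choose n_words uniformly at random using the OS CSPRNG (secrets module)."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def generate_passphrase(n_words: int = 4, wordlist: Sequence[str] = WORDLIST) -> str:
    """Join the chosen words with no separator, as in 'bananamousebookwindow'."""
    return "".join(pick_words(n_words, wordlist))


def word_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy if the attacker knows the word list and tries word combinations."""
    return n_words * math.log2(list_size)


def char_entropy_bits(passphrase: str, alphabet_size: int = 26) -> float:
    """Entropy if the attacker brute-forces single characters (lower-case letters here)."""
    return len(passphrase) * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret, trying half the keyspace on average.

    guesses_per_second is an assumed attacker rate, not a figure from CERT NZ.
    """
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def check_password(password: str, already_used: set[str]) -> list[str]:
    """Return the problems a defender's policy would flag; an empty list means OK."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password in already_used:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print("generated:", phrase, check_password(phrase, set()))
    # Compare the two attacker models for the article's example passphrase.
    example = "bananamousebookwindow"
    print(f"word-level entropy, 7776-word list: {word_entropy_bits(4, 7776):.1f} bits")
    print(f"character-level entropy, 21 lower-case chars: {char_entropy_bits(example):.1f} bits")
    rate = 1e10  # assumed offline cracking rate in guesses per second
    print(f"years to crack at {rate:.0e}/s: "
          f"{years_to_crack(word_entropy_bits(4, 7776), rate):.2e} (word model) vs "
          f"{years_to_crack(char_entropy_bits(example), rate):.2e} (character model)")
```

Run it as a script to see a fresh passphrase and the two estimates side by side. The honest strength figure is the word-level one, because a capable attacker will assume a passphrase was built from a public word list; that is why the size of the list matters far more than the choice of words, and why reusing a passphrase across sites throws the whole estimate away.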

Password apathy is also a concern, according to research undertaken by CERT NZ. In 2020, after experiencing a cyber security incident, only 31 per cent of Kiwis changed their password on an important online account, like online banking or email.

“If someone has been able to log into your accounts without your authorisation, you should change your password straight away, and your passwords should be like snowflakes, unique,” says Rob.

He warns that one of the biggest threats to your online data security is using the same password across a number of accounts. This means if an attacker gets access to one of your accounts, they’ve got access to them all.

“It’s easy to think that you don’t have anything online that anyone else would want, and no-one’s going to go to the effort of figuring out your passwords.

“Most cyber security attacks are opportunistic rather than targeted. Attackers look for easy ways to gather personal information online, like through weak passwords, to use your details to create fake accounts in your name and then steal from others.”

CERT NZ recommends using a password manager to securely store a unique password for each of your accounts.

“People have so many accounts nowadays, so it can be hard remembering passwords to all of them,” Rob states. “That’s where a password manager comes in. It’s like putting your passwords in a safe that only you have the key to.”

More information about improving your password hygiene and understanding password managers is available on CERT NZ’s website.

1 Comment

All very well and good

Posted on 07-04-2021 23:55 | By Captain Hottie

With regards to passphrases, that’s what I use and they are so much easier to remember. However, a lot of sites still insist that you have 1 capital letter, 1 punctuation mark, 1 number and the password be about 15 digits long! And they are usually the ones that you can’t ‘peek’ at while typing, so if you type the wrong digit you’re really up it without a paddle. And if these sites need such a fiddly password, why don’t they ever remind you to change them every 3 months? Websites and app developers really need to shoulder some of the blame for password laxity.