Password apathy is costing Kiwis millions

A simple change to password behaviour could save New Zealanders millions of dollars, says CERT NZ, the government agency that supports organisations and individuals affected by cyber security incidents.

7 April 2021

In 2020, Kiwis lost almost $17 million through cyber attacks. In some cases this financial loss was due to poor password practice, like weak passwords or reusing passwords across multiple accounts.

A well-known password manager service cited ‘123456’, ‘picture1’, ‘password’ and ‘12345678’ as some of the most commonly used passwords in 2020.

“Attackers use software that automatically tries the most common passwords against accounts, and using these sorts of passwords makes it easy for the attackers to find their way in”, says CERT NZ Director, Rob Pope.

According to research conducted by CERT NZ and Consumer Protection, only 41% of Kiwis say they always make sure their passwords are distinct, long, and complex when signing up to new websites or online services.

Therefore, CERT NZ is running an education campaign this month to help New Zealanders improve their password practice with passphrases.

Password perfect

It’s important that passwords for online accounts are long, strong and unique. That means each password needs to be more than 15 characters long, and each account needs a different password. It can be difficult coming up with good passwords every time, but there are proven methods that make this easier.

“Using a passphrase, a mix of four or more random words, is one way you can use a long, strong password that’s easy to remember, but difficult for an attacker to crack.

“For instance, look around you and come up with four random things - like ‘bananamousebookwindow’. This would take password cracking software approximately three billion years to guess, but is much easier to remember than the usual complex passwords which are a mix of symbols, numbers, letters.”

Password apathy is a concern, according to research undertaken by CERT NZ. In 2020, after experiencing a cyber security incident, only 31% of Kiwis changed their password on an important online account, like online banking or email.

“If someone has been able to log into your accounts without your authorisation, you should change your password straight away, and your passwords should be like snowflakes — unique,” says Mr Pope.

One of the biggest threats to your online data security is using the same password across a number of accounts. This means if an attacker gets access to one of your accounts, they’ve got access to them all.

“It’s easy to think that you don’t have anything online that anyone else would want, and no-one’s going to go to the effort of figuring out your passwords.

“Most cyber security attacks are opportunistic rather than targeted. Attackers look for easy ways to gather personal information online, like through weak passwords, to use your details to create fake accounts in your name and then steal from others.”

CERT NZ recommends using a password manager to securely store unique passwords for each of your accounts.

“People have so many accounts nowadays, so it can be hard remembering passwords to all of them. That’s where a password manager comes in. It’s like putting your passwords in a safe that only you have the key to.”