
Everything you know about passwords is probably wrong

By Hilary Walton, 6 May 2021

One of my children recently came to me boasting that they had thought of the best, most un-crackable password idea. Turns out it was ‘password’.

They also thought it would be brilliant to write it down on a post-it note and stick it on the wall of our home office so that it wouldn’t be forgotten. It’s safe to say that I advised them it was not a smart idea and showed them instead how to come up with a strong, unique password.

Our brains aren’t wired for passwords. More often than not we find ourselves using the ‘forgot password’ function and end up resetting our accounts to the same or a similar password in the hope of remembering it next time.

Unfortunately, attackers have cottoned on to the fact that we do this and are making the most of it. Often they don’t break into your network at all; they simply log in with a password that was weak, guessable, or already leaked from another site. If your password is weak, you’re at risk of a cybercriminal discovering it and using it to slip unnoticed into your systems and network.

It’s so important that we all take a moment to assess our password habits and improve them to reduce the risk of an account being taken over.

Get better password habits

You may be surprised to hear that the age-old 8-character minimum with a required symbol, number and/or uppercase letter isn’t recommended anymore. Current guidance (for example NIST’s digital identity guidelines, SP 800-63B) favours length and uniqueness over forced complexity rules and scheduled password changes.

Kordia research shows that a third of Kiwis use the same password across work and personal accounts when logging into apps, computers or websites. It also showed that only half of businesses think their employees understand good password practice.

The new aim of the game is long and strong passwords: more than 14 characters, ideally a series of words or a phrase. For example, the combination ‘bookwallpapertablecoffee’ would take 7 quadrillion years for a cybercriminal’s password-cracking software to discover.

In comparison, ‘bookwallpaper’ would take a year to crack and ‘bookwallpapertable’ 23 million years. One caveat: figures like these assume the attacker has to try every possible string of letters. Cracking tools also try combinations of dictionary words, so what makes a passphrase strong is the number of words and how unpredictably they were chosen, not just the character count. Random words, even ones based on your surroundings, can be highly effective as long as you pick four or more of them and don’t fall back on a familiar phrase or song lyric. And there’s no need for numbers, symbols, or strategically placed uppercase letters!
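The crack-time figures above come from a model in which the attacker guesses letter by letter. The script below is an added illustration, not code from the original article: it computes that brute-force model and the word-list model side by side for the article’s own example passphrases, and shows how to generate a passphrase with Python’s `secrets` module. The short word list, the 7,776-word size of a real Diceware-style list, and the attacker rate of 10 billion guesses per second (offline cracking of a fast, unsalted hash) are assumptions for the demo.

```python
import math
import secrets

# Constructed word list for the demo (the article's four words plus a few more).
# A real generator draws from a large published list such as the EFF long list,
# assumed here to hold 7,776 words; entropy depends on list size, not the words.
SAMPLE_WORDS = ["book", "wallpaper", "table", "coffee", "lamp", "window",
                "plant", "mug", "chair", "carpet", "clock", "stapler"]
EFF_LONG_LIST_SIZE = 7776  # assumed size of a real Diceware-style list

# Assumed attacker speed: offline cracking of a fast, unsalted hash on GPUs.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_bits(password: str, alphabet_size: int = 26) -> float:
    """Search space if the attacker must try every string of this length over
    the alphabet (26 = lowercase letters). This is the model behind the
    'quadrillions of years' figures quoted for long lowercase passphrases."""
    return len(password) * math.log2(alphabet_size)


def wordlist_bits(num_words: int, list_size: int) -> float:
    """Search space if the attacker knows the password is num_words words drawn
    from a list of list_size words, which is what a passphrase actually is."""
    return num_words * math.log2(list_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to crack: on average the password is found halfway
    through the search space."""
    return (2.0 ** bits) / 2 / rate / SECONDS_PER_YEAR


def generate_passphrase(num_words: int, words=SAMPLE_WORDS, sep: str = "") -> str:
    """Pick words with the secrets module (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    for pw in ("bookwallpaper", "bookwallpapertable", "bookwallpapertablecoffee"):
        bits = brute_force_bits(pw)
        print(f"{pw}: letter-by-letter brute force {bits:.1f} bits, "
              f"{years_to_crack(bits):.3g} years")
    for n in (4, 6):
        bits = wordlist_bits(n, EFF_LONG_LIST_SIZE)
        print(f"{n} random words from a {EFF_LONG_LIST_SIZE}-word list: "
              f"{bits:.1f} bits, {years_to_crack(bits):.3g} years")
    print("example passphrase:", generate_passphrase(6, sep="-"))
```

Run against the assumed rate, four random words from a 7,776-word list (about 52 bits) fall in a couple of days, while six words (about 78 bits) hold out for hundreds of thousands of years; the same 24 lowercase letters treated as an arbitrary string score over 110 bits. The gap between the two models is exactly why the number and randomness of the words matters more than the raw character count.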

However, no matter how complex your password is, it’s useless if you’ve used it across multiple accounts.

Don’t sleep on password managers

Lists of compromised email addresses and passwords from large-scale breaches are leaked online or sold on the dark web. If one of your accounts has been compromised and you use the same password and login email across different websites, an attacker can simply replay those credentials against other sites (known as credential stuffing) to log in and steal your data.
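One practical step is to check a password against those leaked lists before trusting it, without handing the password to anyone. The snippet below is an added example, not code from the original article: it walks through the k-anonymity range check used by breach-lookup services such as Have I Been Pwned, where the client sends only the first five hex characters of the password’s SHA-1 hash and compares the returned suffixes locally. The “server” here is a function over a small constructed list of leaked passwords so the example runs offline; a real check would call the service over HTTPS.

```python
import hashlib

# Constructed stand-in for a breached-password corpus. A real check queries a
# service such as Have I Been Pwned's range endpoint; here the "service" is a
# local function over this list so the example runs offline.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "bookwallpaper"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format the range protocol exchanges."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Group leaked hashes by their first five hex digits, the way the range
    endpoint does, so a lookup only ever needs the prefix."""
    index = {}
    for pw in leaked:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_lookup(prefix: str):
    """Simulated server side: return every known suffix under this prefix.
    The server learns only which of the 16^5 buckets you are in, never the
    full hash, and certainly not the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return RANGE_INDEX.get(prefix.upper(), [])


def is_breached(password: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_lookup(prefix)


if __name__ == "__main__":
    for candidate in ("password", "bookwallpapertablecoffee"):
        print(f"{candidate!r}: {'LEAKED' if is_breached(candidate) else 'not in list'}")
```

The hashing happens on the client and the comparison happens on the client; the only thing that crosses the wire is a five-character prefix shared by thousands of unrelated hashes, which is what makes the lookup safe to perform on a password you intend to keep using.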

I doubt you can count the number of accounts you’ve created in your life for various apps and websites. That’s why a password manager is vital.

A password manager such as LastPass, 1Password, or even Apple’s built-in iCloud Keychain functions like an old address book did. It stores your username and password combinations for websites, generates a different strong password for each one, and can even log you in automatically. Then you only have to remember one strong master passphrase, and the manager does the rest for you; protect that master passphrase as carefully as you would any other single key to everything you own.

There's no harm in re-wiring your password habits. While you may not have been a target before with your password of '123456', hackers are constantly trying to log in and you shouldn't be surprised if you're next.