Best Practice. How to choose passwords

Most company data breaches – in fact over 80% – occur due to poor passwords. According to the Australian government authority, the Australian Cyber Security Centre, ‘weak passwords are easy for criminals to guess; by using automated software that can potentially guess 350 billion passwords per second!’ 

An attacker can potentially: 

  • send emails from your accounts 
  • withdraw money from your bank accounts 
  • change files on your computer such as invoices 
  • steal your identity. 

This article will show you two simple and effective precautions that will help your business protect itself from the havoc caused by data breaches: 

  1. Using strong passwords and 
  2. Multi-factor Authentication  

Previously, complex passwords using a combination of upper- and lower-case alpha-numeric characters were enough to make a password strong – these are no longer secure. If you haven’t changed your password for a while, the likelihood of your password sitting on the dark web increases significantly. 


1. Create a strong password in the form of a passphrase

The key thing to remember when creating a password is that the longer it is, the stronger it is!  
A passphrase is similar to a password but is generally longer for added security. 


What is a good passphrase? 

a) You want a passphrase that is easy to recall. A good mnemonic is to use patterns or combinations of words that only you know.  
For example: 
an animal + a fruit + an object + a colour = apepeachpencilgreen 
or tigerberryspoonpurple 

The two examples above demonstrate how you can design your own rules for the combination of words that you will use to create a strong passphrase. So, each time you are prompted to change your password, all you need to do is apply the same combination of words in the pre-determined order you have chosen.  

In our example we generated passphrases by remembering: an animal + a fruit + an object + a colour 
The sky’s the limit with the combinations you decide to use; other examples are:  
a plant + a type of car + a type of bird + a number = grassToyotafinchonethousand 
a hot drink + a type of plane + breed of dog + element = cocoa747Labradorfire 
You get the idea!  

What’s important is that whatever combination you decide to use, it should be meaningful to you, so it’s easy to remember. 


b) The best passphrases should be long enough to make them impossible to guess.  

The key thing to remember when creating a password is that the longer it is, the stronger it is! 
With every additional character that you add to your password, the encrypted value can increase exponentially.  

For example: 
an 8-character long password ########  
is encrypted into 24 characters ######################## 

So, the encryption of a 16-character long password becomes exponentially larger and more complicated: 
######################################################################…

In our examples above, we created passphrases that varied in length; they were between 19 and 27 characters. 
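As an added example that is not part of the original article, the Python below puts numbers on the "longer is stronger" point using the 350 billion guesses per second figure quoted above: it compares an 8-character mixed-character password with the article's 19- and 20-character passphrases, and the last function shows the caveat that if an attacker knows the word-category rule, strength comes from how many words each category could hold, not from character count. "Tr0ub4d!" and the category sizes are constructed values.

```python
# Added example (not from the article): how the brute-force search space grows
# with password length, using the 350 billion guesses/second figure quoted above.
# That rate is an offline cracking rate and is used here as the worst case.
import math
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

GUESSES_PER_SECOND = 350_000_000_000   # figure quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(password: str) -> int:
    """Size of the smallest character set an attacker must cover for this password."""
    size = 0
    if any(c in ascii_lowercase for c in password):
        size += 26
    if any(c in ascii_uppercase for c in password):
        size += 26
    if any(c in digits for c in password):
        size += 10
    if any(c in punctuation for c in password):
        size += len(punctuation)   # 32 printable ASCII symbols
    return size

def keyspace(length: int, alphabet: int) -> int:
    """Distinct strings of exactly `length` symbols: grows exponentially in length."""
    return alphabet ** length

def years_to_exhaust(length: int, alphabet: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every string in the keyspace must be tried."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_YEAR

def bits_of_strength(length: int, alphabet: int) -> float:
    """The same idea in bits: each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet)

def rule_known_years(category_sizes: list[int], rate: float = GUESSES_PER_SECOND) -> float:
    """Caveat: if the attacker knows the rule (animal + fruit + object + colour),
    the search is over word choices, not characters, so the keyspace is the
    product of the category sizes. Unpredictable words matter more than length."""
    return math.prod(category_sizes) / rate / SECONDS_PER_YEAR

def compare(passwords: list[str]) -> list[tuple[str, float, float]]:
    """(password, bits, years to exhaust) rows for a side-by-side view."""
    return [(p, round(bits_of_strength(len(p), charset_size(p)), 1),
             years_to_exhaust(len(p), charset_size(p))) for p in passwords]

if __name__ == "__main__":
    for row in compare(["Tr0ub4d!", "apepeachpencilgreen", "cocoa747Labradorfire"]):
        print(row)
    # constructed category sizes: 5000 animals, 200 fruits, 5000 objects, 50 colours
    print("years if the rule is known:", rule_known_years([5000, 200, 5000, 50]))
```

The 8-character password falls in well under a day at that rate, while the 19-character lowercase passphrase takes tens of millions of years; the rule-known case falls in under a second, which is why the words must be ones nobody could predict.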

WARNING: Be wary of sites that cap the length of a password.  

If a website restricts the length of the password, for example to 16 characters, this gives the attacker insight into the length of your password – making it so much easier to hack.  
Also, avoid reusing passwords that you are using for other accounts – don’t make your details susceptible.   


c) Create passwords that are hard to guess by intuition—even by someone who knows you well. 

Even if someone can guess one part of your password, there is an even lower chance that an attacker can work out the other 3 words in a passphrase. 

TIP: Avoid the following in your passwords: 

  • Stay away from using a famous quotation from your favourite literature, movies, songs etc. 
  • Don’t use numeric sequences like 1234 or 4321, or repeated characters like 7777. 
  • Don’t bunch numbers and symbols together; one good password practice is spreading them throughout the password instead, since bunching makes the password easier to hack. 
  • Refrain from using single dictionary words or anything you have previously used. 
  • Sophisticated hackers have programs that search through tens of thousands of dictionary words. Instead, opt for random passwords. 
  • Steer clear of the obvious – so don’t use personal information such as your street address, postcode, birthdays, child’s name, pet’s name, significant dates or other numbers. 
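As an added example, not from the original article, here is a small Python checker that flags the habits in the list above: numeric or repeated sequences, a single dictionary word with digits tacked on, numbers and symbols bunched at one end, personal information, and reuse of an old password. The dictionary, the personal facts and the password history are constructed stand-ins, and the 16-character minimum is an assumed threshold.

```python
# Added example (not from the article): flags the password habits the list above
# warns against. Word list, personal details and password history are constructed.
import re

DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}  # constructed
PERSONAL_FACTS = ["Rover", "1985", "3000", "Smith"]  # constructed: pet, birth year, postcode, surname
PREVIOUS_PASSWORDS = {"Welcome1", "Summer2019!"}     # constructed password history
MIN_LENGTH = 16   # assumed threshold; the article's own passphrases run 19-27 characters

def has_sequence(pw: str, run: int = 4) -> bool:
    """Runs like 1234 / 4321 (also abcd) or repeats like 7777, anywhere in the password."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def is_dictionary_word(pw: str) -> bool:
    """A single dictionary word, even with digits or symbols tacked on (Summer2019!)."""
    return re.sub(r"[^a-z]", "", pw.lower()) in DICTIONARY

def has_bunched_symbols(pw: str) -> bool:
    """All digits/symbols sit in one clump at the start or end instead of being spread out."""
    runs = re.findall(r"[^A-Za-z]+", pw)
    return (len(runs) == 1 and len(runs[0]) < len(pw)
            and (pw.startswith(runs[0]) or pw.endswith(runs[0])))

def contains_personal_info(pw: str, facts=PERSONAL_FACTS) -> bool:
    """Street, postcode, birthday, child's or pet's name: anything from the user's profile."""
    return any(f.lower() in pw.lower() for f in facts)

def is_reused(pw: str, previous=PREVIOUS_PASSWORDS) -> bool:
    """Anything previously used on this or another account."""
    return pw in previous

def check_password(pw: str) -> list[str]:
    """Names of every rule the password breaks; an empty list means it passes."""
    checks = [
        (len(pw) < MIN_LENGTH, "too short"),
        (has_sequence(pw), "sequence or repeated characters"),
        (is_dictionary_word(pw), "single dictionary word"),
        (has_bunched_symbols(pw), "digits/symbols bunched together"),
        (contains_personal_info(pw), "personal information"),
        (is_reused(pw), "previously used"),
    ]
    return [label for failed, label in checks if failed]

if __name__ == "__main__":
    for candidate in ["Summer2019!", "Rover1234", "apepeachpencilgreen"]:
        print(candidate, "->", check_password(candidate) or "OK")
```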

WARNING: If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well. 


d) Use different passwords for different accounts, services and websites 

Although it can be tempting to use the same password for every account, this makes it so much easier for hackers to break into a multitude of accounts. Diversify your passwords by using a different password set for the different types of sites, applications, and sources that you use. 

Consider using password tiers:  

Source: https://www.staysmartonline.gov.au/Protect-yourself/Doing-things-safely/Passwords-passphrases

TIP: Use a password manager to help keep your sanity. More and more businesses are using password managers as a means of practising high levels of security. The advantage of using a password manager is that you only need to remember one password – the password manager stores and even creates passwords for your different accounts, automatically signing you in when you log on. 


2. Multi-factor Authentication (MFA) 

A strong passphrase can only do so much to provide protection for your account. Multi-factor authentication is the next layer to help keep accounts and data safe from hackers.  

Multi-factor authentication (MFA) simply means there is a combination of two or more checks in place to prove your identity. An example is a code sent to your mobile phone to verify your credentials.  

So as an example, if your bank password was hacked and you had MFA activated on your account, the hacker still couldn’t gain access – they would need both levels of authentication. MFA ensures your accounts are protected even if your password is hacked, meaning the external person is prevented from accessing your systems and accounts. 

TIP: Secure your mobile phone 
With the growing use of mobile phones to conduct business, mobile devices are becoming a major cause of concern. Protect your phone and other mobile devices from hackers by securing your phone with a strong password – or better still – use fingerprint or facial recognition passwords to outsmart hackers! 


What else you can do to outsmart a hack  

Always check a website’s security by looking at the security status icon to the left of the web address. 

So, what do these symbols mean?  

Secure (padlock icon): The information you send or get through the site is private.

However, even if you see this icon, always be careful when sharing private information. Look at the address bar to make sure you’re on the site you want to visit. 

Info or Not secure: The site is not using a private connection.  
Someone might be able to see or change the information you send.  

TIP: On some sites, you can visit a more secure version of the page over an HTTPS connection: 

  • Select the address bar 
  • Delete http:// and enter https:// so that your data travels over a more secure connection. 

WARNING: Do not enter any private or personal information on this page. If possible, don’t use the site at all! 

Not secure: Something is severely wrong with the privacy of this site’s connection.  
You might also see messages such as “Login Not Secure” or “Payment Not Secure”. 

Dangerous: Avoid this site – you are putting private information at risk. A full-page red warning screen means the site has been flagged by Safe Browsing. 


alltasksIT are committed to protecting the integrity and safety of your network. The goal of this article is to help you avoid potential cyber threats, so that you, your customers, and suppliers can continue to work and grow together.  

We believe prevention is better than cure. 

Please contact us if you need further help with designing your internal security policies and to implement end-user procedural and compliance practices.