11 Apr 2021

CERT NZ calls for an end to password apathy

9:00 pm on 11 April 2021

What are the first four things you see when you look around? Those items mashed together could be the best password you ever create, according to the government's cyber security agency.


In 2020, New Zealanders lost almost $17 million through cyber attacks. In some cases this was due to poor password practice, like weak passwords or reusing passwords across multiple accounts.

Password manager service Nordpass, in partnership with a third-party company specialising in data breach research, evaluated 275,699,516 passwords leaked during 2020 data breaches and found "123456", "picture1", "password" and "12345678" were some of the most common.

CERT NZ director Rob Pope said most cyber security attacks were opportunistic, rather than targeted, and an easy way to access information was through a weak password.

"Attackers use software that automatically tries the most common passwords against accounts, and using these sorts of passwords makes it easy for the attackers to find their way in.

"Using a passphrase, a mix of four or more random words, is one way you can use a long, strong password that's easy to remember, but difficult for an attacker to crack.

"For instance, look around you and come up with four random things - like 'bananamousebookwindow'. This would take password cracking software approximately three billion years to guess, but is much easier to remember than the usual complex passwords which are a mix of symbols, numbers, letters."

CERT research found only 41 percent of New Zealanders created distinct and complex passwords and only a third changed their password on an important account - like online banking - after experiencing a cyber security threat.

"If someone has been able to log into your accounts without your authorisation, you should change your password straight away, and your passwords should be like snowflakes - unique," Pope said.

CERT recommends using a password manager to securely store unique passwords for each account.

"People have so many accounts nowadays, so it can be hard remembering passwords to all of them. That's where a password manager comes in. It's like putting your passwords in a safe that only you have the key to."
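The passphrase advice above can be sketched in code. This is an added example, not from CERT NZ or the article: it picks four words with a cryptographically secure random generator, estimates the resulting entropy, and refuses passwords that appear on the common-password list quoted earlier or that are reused. The 16-word sample list, the 7776-word list size and all function names are assumptions made for illustration.

```python
import math
import secrets

# The most common leaked passwords the article quotes from the NordPass study.
COMMON_PASSWORDS = {"123456", "picture1", "password", "12345678"}

# Constructed 16-word sample list so the example runs offline. Real use needs a
# list of thousands of words (a 7776-word diceware-style list is assumed below).
SAMPLE_WORDS = [
    "banana", "mouse", "book", "window", "river", "candle", "saddle", "orbit",
    "pepper", "lantern", "gravel", "violin", "harbour", "thistle", "magnet", "quilt",
]


def generate_passphrase(words, count=4, sep=""):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    if count < 4:
        raise ValueError("use four or more words")
    if len(set(words)) != len(words):
        raise ValueError("wordlist contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count=4):
    """Entropy of a passphrase whose words were chosen uniformly at random."""
    return count * math.log2(wordlist_size)


def rejection_reasons(candidate, other_account_passwords=()):
    """Return why a password should be refused; an empty list means accepted."""
    reasons = []
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if candidate in other_account_passwords:
        reasons.append("already used on another account")
    return reasons


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, sep="-"))
    print(f"16-word list:   {passphrase_entropy_bits(len(SAMPLE_WORDS)):.1f} bits")
    print(f"7776-word list: {passphrase_entropy_bits(7776):.1f} bits")
    print(rejection_reasons("Password"))
```

The entropy figure only holds when the words are drawn at random from the list, so the size of the list and the randomness of the choice matter more than the length of the resulting string.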

Last week, NY Times lead technology writer Brian X. Chen also urged readers to ditch Chrome, Safari and Microsoft Edge in favour of using private browsers like Brave, due to privacy concerns.

Tech correspondent Helen Baxter spoke to Sunday Morning about the private browser Brave, which she has recommended before.

"It's particularly interesting at the moment because of the news about the amount of data that's collected by Chrome and is connected to user and device IDs," she said. "So it's not anonymised data, it's data that can actually track you."

Brave doesn't track your activity and is said to be three times faster than Chrome.
