Passwords & Account Security



Want to stay safe online? This article contains useful information about avoiding risks, reacting to stolen/hacked accounts and some useful advice on how to pick a good password that's easy to remember and is still secure.


Originally Published: 30th of March, 2014
Last Updated: 30th of March, 2014


Avoiding Risk

  • Do not use one password for multiple accounts - at a minimum you should have a separate passwords for any important online accounts such as bank accounts & emails. If one of your passwords becomes known, you must assume all other accounts using that password is now compromised.
  • Use strong passwords – To avoid the risk of someone hacking into your accounts through guessing you password, using a brute force or dictionary attack - you need to have something more than 8 characters long, impossible to guess, using number or symbols, and is not a commonly used password such as “[email protected]”. The longer the password and more complex, the harder it is for a hacker to break in.
  • Do not share passwords or write them down – Do not share your password, even with people you trust, most account hijacking comes from people you know. Always keep passwords personal.  If you do write them down, avoid doing so anywhere they would be found, and make sure they are not labelled as accounts/passwords.
  • Only use trusted & secure recovery emails or phone numbers – If you do decide to set a recovery email make sure the account you specify is very secure, as if a hacker gains access to your recovery account they could gain access to your website accounts.
  • Be cautious of callers who claim to be from Microsoft or Other large companies – They will try to gain information & passwords by pretending to be a representative of a large company who wants to help you remove a virus or give you free software.


Reacting to an Account Being Stolen/Hacked

  • Stay Calm – Often you may suspect your account has been hacked, when in fact you're just using the wrong password or you have made repetitive mistakes entering it in.
  • Contact your Bank (if applicable) – If the accounts are online banking accounts or associated your bank, contact your bank first and let them know to avoid financial loss.
  • Change your passwords straight away – If you manage to gain access to an account that was locked, change your password first, and make sure to use a new password you have never used before. If multiple accounts have been hacked your email/s should be the first account you change passwords on.
  • Change all your passwords – Assume everything is compromised and make sure to change all your passwords at once, leaving some accounts still accessible by hackers could allow them to regain access to other accounts you have changed since.You should generally start with your email account passwords.
  • Report your issues to the websites you use (if possible) – If you’ve had a very bad hack, the first thing you want to do is verify that you are who you say you are to the company running websites you use. Often hackers use “Social Engineering” (pretending to be someone else) to gain access to your accounts or to trick you into giving them information.


Best and Worst Passwords

The trick to good passwords is picking ones that are hard to guess but easy for you to remember. This is done by:

  • Making it complex and long - so computers cannot 'brute-force' guess your password, the longer the better.
  • Making it have some relevance to you or the account - without being obvious and easy to guess.
  • Not Using the same password across all accounts - If one website leaks your one password, suddenly a hacker has access to all your accounts.

Though more passwords is always better, We recommend a bare minimum of at least 3 passwords across your accounts.

  • Any account that is very important to keep secure (such as online banking) should have their own unique password that you do not use anywhere else.
  • Your email should also have it's own unique password as when a hacker gets access to this they can use it to "reset" your passwords from your other accounts.
  • A password to use for unimportant things and sites.

If it wasn't so impracticable we'd recommend a different password for every account.


How to think up (and remember) a good password.

Believe it or not, many people struggle to make a good password, and there is a bit of miss-information about the best kinds of passwords. As the web comic below from XKCD points out, the typical "strong password" such as "Tr0ubdor&3" is not only harder to remember, but easier for a computer to guess compared to "Correct Horse Battery Staple".

XKCD Comic about password strength.
 [XKCD: Password Strength]


The reason why this is true in theory is due to password length. The longer the password, the more combinations a computer has to guess to find it. If a password is long, and you are the only person in the world who thought to use it, chances are it's very very secure. Modern password crackers have learnt to run through lists of common words and passwords which is why using something someone else uses is generally not a good idea. We'd recommend creating a password by using 2-4 words that are relevant to you and uncommon (such as nicknames, specific places, made-up words, or combinations of two words) string them along and add at least 2 numbers and 1 symbol just to make it that much more secure, if you're aloud to use spaces, use them and make your password a pass-phrase!

For example:  apple!rabbit!blargness55. It's long, easy enough to remember and insanely hard for a computer to guess. (Do not use this example, make up something relevant to you.)


Common Passwords you Should Never Use

Here are some of the most common (and insecure passwords):
password, 1234567, abc123, qwerty, monkey, letmein, dragon, baseball, iloveyou, master, shadow, football, jesus, michael, ninja, mustang, Trustno1, adobe123, admin, sunshine, azerty, oooooo, and anything similar to the previously listed passwords.

Other types of passwords that are extremely common include:

Sports Teams, Birthdays, Personal Names, Relative Names, Pet Names, Places of Birth or anything else that could be guessed by someone who knows you.