Password Security

Know Everything About Password Security? It’s Time for a Rethink

As organisations continue to struggle with the issue of password security, many of the old assumptions are being re-examined.

If you make one cybersecurity-related resolution this New Year, commit to re-thinking your organisation’s password controls by considering some of the latest advice.

Passwords are the front line in your battle against cyber-attacks. Hackers rely on a variety of tactics to dupe people into revealing their passwords. So, it’s critical you have the right systems and policies in place.

Here are 6 TIPS to ensure your organisation’s passwords remain secure:


1. The Longer the Better

As a general rule, the longer the password, the more secure it is.

Therefore, it is best to advise your staff to opt for a passphrase rather than simply a password.

According to Australian Government guidelines, passphrases should be made up of at least four words and be longer than 13 characters. Making the passphrase meaningful will make it easier to remember. It is important that passphrases are memorable, so people are not forced to write them down or store them in other, less secure locations.

Furthermore, a different passphrase should be used for each system or application. Reusing the same passphrase for multiple purposes makes people vulnerable, because if the passphrase is compromised once, attackers can try it against every other system or application where it was used.

2. Complexity Isn’t Always Better

Many organisations require that passphrases contain a combination of upper-case letters, lower-case letters, numbers and other symbols. The thinking behind these requirements is that the more complex a passphrase is, the harder it is to guess or crack.

However, according to the most recent advice from NIST (America's National Institute of Standards and Technology, in its Digital Identity Guidelines, SP 800-63B), overly complex passphrases are not always better for password security.

NIST argues there is limited benefit in requiring overly complex passphrases. It has analysed breached password lists and found many examples that satisfy complex composition rules yet were still compromised. Mandating overly complex passphrases may be counterproductive by encouraging risky behaviour, such as writing down passphrases on a post-it note and sticking it on the computer monitor. NIST instead recommends a minimum length, screening new passphrases against lists of known-breached passwords, and dropping composition rules altogether.
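To make the difference between tips 1 and 2 concrete, the following is an added example (not Shearwater's code or a quotation of NIST's guidance) that puts a traditional "complexity" rule next to a length-and-breach-list rule of the kind NIST and the Australian Government now recommend. The breached-password set and the candidate passwords are constructed for the illustration; a real deployment would check against a proper breach corpus rather than this hand-written list, and the 14-character floor is an assumed policy value.

```python
import string

# Constructed sample standing in for a breached-password corpus. In production this
# lookup would go to a real dataset (for example a k-anonymity query against a breach
# service) rather than a hard-coded set.
BREACHED_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1!", "welcome1!",
    "summer2019!", "qwerty123", "letmein", "trustno1",
}

SYMBOLS = set(string.punctuation)


def legacy_complexity_policy(password: str) -> bool:
    """Traditional composition rule: 8+ characters using all four character classes."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
    )


def modern_length_policy(password: str, min_length: int = 14, breached=BREACHED_PASSWORDS):
    """NIST SP 800-63B / ACSC style check: a length floor, a breached-list lookup and a
    repetition check, but no composition rules. Returns (accepted, reasons)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in breached:
        reasons.append("appears in a breached-password list")
    if len(set(password.lower())) <= 2:
        reasons.append("repetitive (two or fewer distinct characters)")
    return (not reasons, reasons)


def compare_policies(candidates):
    """Run both policies over the candidates; returns {candidate: (legacy_ok, modern_ok, reasons)}."""
    results = {}
    for pw in candidates:
        modern_ok, reasons = modern_length_policy(pw)
        results[pw] = (legacy_complexity_policy(pw), modern_ok, reasons)
    return results


if __name__ == "__main__":
    # Constructed candidates: typical "complex" passwords next to a four-word passphrase.
    report = compare_policies(
        ["P@ssw0rd1!", "Summer2019!", "aaaaaaaaaaaaaaaa", "correct horse battery staple"]
    )
    for pw, (legacy_ok, modern_ok, reasons) in report.items():
        print(f"{pw!r:32} legacy={legacy_ok!s:5} modern={modern_ok!s:5} {'; '.join(reasons)}")
```

Run as a script, the report shows the point of the two tips: "P@ssw0rd1!" and "Summer2019!" satisfy the complexity rule yet sit in the breached list and are short, while the four-word passphrase fails the complexity rule and passes the length-based one. Note that a length floor alone is not enough either; the repetition check is there because "aaaaaaaaaaaaaaaa" is long but worthless.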

3. Don’t Change too Regularly

The latest advice from both the Australian Government and NIST is to avoid rules that require password changes every 30, 60 or 90 days.

This requirement may lead people to come up with insecure passphrases as they struggle to think of new ones so regularly, often by making a small, predictable change to the previous one. Rather, NIST's current advice is to come up with a strong passphrase that can be easily committed to memory and kept in use for longer periods of time. NIST recommends that passphrases be changed when there is evidence or a reasonable suspicion of compromise, not on a fixed schedule.



4. Implement Multi-Factor Authentication

Wherever possible, require multi-factor authentication (MFA).

By requiring users to input something they know (such as a passphrase) alongside something they have (such as a one-time password, or OTP, generated by a device or app in their possession), you ensure that unauthorised access becomes much harder, because a stolen or phished passphrase alone is no longer enough.

NIST's current guidance (SP 800-63B) treats one-time codes delivered by SMS as a "restricted" authenticator and discourages their use. This is to help prevent social engineering attacks in which an attacker convinces a mobile phone operator to transfer the victim's number, or redirect the victim's messages, to a device the attacker controls (often called SIM swapping).

It is preferable to use time-based OTPs (TOTP) generated by an MFA app such as Google Authenticator, which derives a short-lived code from a secret shared with the service rather than relying on the phone network.

5. Use a Password Manager

Installing a password manager on your computer or mobile device can be a useful way to generate a large number of unique, random passwords for use across multiple systems and applications, without having to memorise them all.

Just be aware that there have been cases in the past where password managers have been compromised, so the passphrase that unlocks the manager itself needs to be strong and protected by MFA where the product supports it.

It is not recommended to store your most important passphrases, such as your email or online banking passphrases, in a password manager.

6. Implement Password Training for Staff

The Australian Government offers the following advice when it comes to password security:

  • Don’t share your passwords with anyone;
  • Don’t provide your password in response to a phone call or email, regardless of how legitimate it might seem;
  • Don’t provide your password to a website you have accessed by following a link in an email—it may be a phishing trap;
  • Be cautious about using password-protected services on a public computer or over a public Wi-Fi hotspot;
  • If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well.


Ensuring your staff are trained in password security best-practice needs to be an ongoing priority.

With Shearwater’s Phriendly Phishing and Keep Secure modules, your staff will receive ongoing training in how to identify phishing emails and the strategies they need to stay safe online.