Managing risk 

Passwords: prevent cybercriminals from guessing yours

A report has found that attacks where hackers try to guess your password through trial-and-error are on the rise. Here's how to protect yourself and your business.

Take a moment to think of all the passwords you have and what they allow you access to – your bank accounts, your email and other private financial information.

Now, think about those passwords. Are they complex? Single words or just phrases? Do you have the same one for many?

Finally, imagine that someone is trying to guess those passwords right now, using special hacking software. They might have been trying for some time and be getting close to gaining entry to your system.

It’s more likely than you might think. This is what is called a brute force attack, where someone repeatedly tries to guess a password through trial-and-error. The share of brute force attacks has skyrocketed from 13% to 31.6% of all attacks, perhaps due to the pandemic and the boom of remote working, according to a recent report from internet security company Kaspersky, based on data collected from their own clients. Kaspersky’s Incident Response Analytics Report  also says that in 63% of attacks, adversaries used password brute force and vulnerability exploitation as initial vectors to compromise an organisation.

Unsophisticated – but effective

These brute-force attacks are often unsophisticated, but they work – one even managed to target Parliament House earlier this year. 

There are a variety of methods used to find passwords, often using special software. This includes ‘dictionary attacks’ where hackers go through lists of common passwords and combinations. 

And, once a hacker has your password for one site, then they can try the same password for others – which is concerning when you think that research has shown that 69% of Australians mostly or always use the same password or a slight variation.

A robust password policy

The Kaspersky report also says that having a robust password policy will reduce the likelihood of being attacked by 60%, and the company recommends having one in place.

“Even if the IT security department does its best to ensure safety of the company’s infrastructure… protective measures alone can’t provide holistic cyber defense,” says Konstantin Sapronov, head of global emergency response team at Kaspersky.

Some of the elements of a robust password policy include:

Multi-factor authentication

Cyber Security Expert Kate Carruthers, chief data and insights officer at UNSW, recently told My Business that multi-factor authentication was one of the most important cyber security protections. This method involves having two steps to log in – such as entering a password, then verifying the login attempt through another device or a code that’s sent to your phone or email. The best thing about this is that even if someone does crack your password, or a supplier or client, they still cannot get into your system.

Password phrases

With attackers more easily able to guess shorter passwords, using password phrases is a good measure. The Australian Cyber Security Centre says to make your passphrases four or more random words, of at least 14 characters in total.

Password managers

A password manager – which makes and stores complex passwords – is also important for preventing cyber attacks including a ransomware attack. In particular, it will help businesses avoid the problems mentioned above around the re-use of passwords, and also making passwords that are harder to crack.


Explore our next-gen cyber training and resources to defend against online threats to your business. Plans start from only $10/month.

Found this useful?

Subscribe to our newsletter and receive the best business tips and articles straight to your inbox.

Thank you for signing up to our newsletter. You're one step closer to receiving more insightful information to help better your business.

We take your privacy seriously and by subscribing to our newsletter you agree to the terms of our Privacy Policy available below.