Change Your Password Day

Change Your Password Day is Thursday 1 February. It’s a good reminder to review your passwords and make sure they’re good ones.

A good password is:

  • UNIQUE – that is, a different password for every account you have
  • LONG – at least 12 characters, longer is better
  • Supported with two-factor authentication (also called 2FA, multifactor authentication, two-step verification and similar)

And if you use good passwords, you don’t need to change them every year! See kaspersky.com/blog/strong-password-day/25519/

Why unique?

Data breaches, like the Optus, Medibank and Latitude Financial ones, are more common than we realise. When the ‘bad guys’ steal passwords from one site, they use those passwords to try to log in at other sites. This is called ‘credential stuffing’. There has been a lot in the news lately about people losing money at The Iconic as a result of credential stuffing.

If your passwords are unique, credential stuffing doesn’t work.

Why long?

Long passwords are harder for the ‘bad guys’ to break. Websites ‘hash’ passwords rather than store them in plain text – hashing is a one-way process: a password can be turned into its hash, but the hash can’t be turned back into the password, so an attacker who steals the hashes has to guess passwords and hash each guess until one matches. Hashes of eight-character or shorter passwords can be broken in minutes or less with current technology. Even though that technology keeps getting faster, 12-character passwords are currently thought to take too long to break.

Passphrases are better

These days, security gurus recommend passphrases rather than the random passwords of the past. A passphrase is a set of four or five unrelated words – possibly modified to include upper and lower case letters, numbers and special characters as needed. The classic passphrase is correct-horse-battery-staple, made famous in this cartoon. [Don’t use that one!]

Passphrases are inherently long. They still need to be unique as well.

Check if your passwords have been breached

Go to Have I Been Pwned (a website run by Australian security guru Troy Hunt), put in your email address and see which breaches you’ve been involved in. While you’re there, register your email address at Notify Me in the menu to be warned if you are involved in a future breach.

If you find yourself in a data breach, change the password for that site urgently – and any other sites where you used the same or similar password.

How do I create a new passphrase for each site?

Here’s an easy suggestion that will give you a safe passphrase.

  1. Decide how many words you are going to use in your passphrase. Four or five is best.
  2. Pick up a book with lots of words in it – any book is fine. For each word in your passphrase:
    • Open the book at a random page
    • Pick a random word on the page (avoid ‘the’, ‘and’ and similar filler words)
    • Write it down.
  3. Now that you’ve chosen your words:
    • string them together perhaps using a special character such as a full stop or hyphen as a separator
    • make at least one letter an upper case (avoid the first letter)
    • put a number somewhere in the middle
  4. Test that the website will accept your passphrase. If it’s too long or there is some other problem, modify your passphrase to suit.
  5. Write your passphrase down in your password book, along with the name of the site (and your user ID if it’s different from your normal email address) so you will remember it.
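As an added example (not part of the original article), here are the steps above written as a short Python script: a constructed word list stands in for the book, the operating system’s random number generator stands in for opening the book at a random page, and follows_rules checks the result against the rules in step 3.

```python
import random
import secrets
import string
from typing import Optional

# Constructed stand-in for "a book with lots of words"; a real word list
# or dictionary file would be far larger than this.
WORDS = [
    "lantern", "orbit", "velvet", "glacier", "pumpkin", "compass",
    "harbour", "meadow", "saddle", "thunder", "quartz", "willow",
]
FILLER = {"the", "and", "a", "of", "to", "in"}   # filler words the article says to avoid
SEPARATORS = ".-_"                                # step 3: full stop, hyphen or similar


def make_passphrase(n_words: int = 4, rng: Optional[random.Random] = None) -> str:
    """Build a passphrase following the article's steps: pick n unrelated words,
    join them with a separator, upper-case one letter that is not the first,
    and put a digit somewhere in the middle. rng defaults to the OS CSPRNG."""
    rng = rng or secrets.SystemRandom()
    candidates = [w for w in WORDS if w not in FILLER]
    words = rng.sample(candidates, n_words)        # distinct random words
    sep = rng.choice(SEPARATORS)
    phrase = sep.join(words)
    # Upper-case one letter, avoiding the first character of the phrase.
    letter_positions = [i for i, ch in enumerate(phrase) if ch.isalpha() and i > 0]
    pos = rng.choice(letter_positions)
    phrase = phrase[:pos] + phrase[pos].upper() + phrase[pos + 1:]
    # Insert a digit somewhere in the middle third of the phrase.
    mid = rng.randrange(len(phrase) // 3, 2 * len(phrase) // 3)
    return phrase[:mid] + rng.choice(string.digits) + phrase[mid:]


def follows_rules(phrase: str, min_len: int = 12) -> bool:
    """Check the article's rules: at least min_len characters, an upper-case
    letter that is not the first character, a digit that is neither first nor
    last, and at least one separator character."""
    if len(phrase) < min_len:
        return False
    if not any(ch.isupper() for ch in phrase[1:]):
        return False
    if not any(ch.isdigit() for ch in phrase[1:-1]):
        return False
    return any(sep in phrase for sep in SEPARATORS)


if __name__ == "__main__":
    print(make_passphrase(4))
```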

How do I remember all these passwords / passphrases?

Security gurus recommend using password manager software. But if you only have a few online accounts, writing your passwords by hand into a password book is fine – as long as you store it safely where it won’t easily be found!

Helen Smith
Computer Class Leader
