Passwords for business

Passwords and PINs are used to prove who you are. Sometimes they are the only defence protecting your organisation’s information against unauthorised access.

If a password or PIN is captured, guessed or stolen, an attacker can potentially:

  • send emails from your accounts
  • withdraw money from your bank accounts
  • steal your intellectual property
  • change files on your computers, or
  • pretend to be you or someone representing your business.

Passwords and PINs should be a secret known only to you, or to the people in your organisation who need them. Strong passwords are difficult to guess. They should be:

  • longer than 10 characters (length matters most: every extra character multiplies the number of guesses an attacker has to make)
  • a mix of upper and lower case letters, numbers and other symbols.

Do not include:

  • recognisable words or names, in any language
  • runs of repeated characters (such as 'aaaa' or '1111')
  • personal information (names, birthdays, phone numbers, postcodes)
  • anything you have previously used.

Weak passwords are easy for a criminal to guess. Criminals use automated software that works through dictionaries of common words and previously leaked passwords, applying the usual substitutions (such as '3' for 'e') as it goes. Against a login page it can try thousands of guesses per minute; against a stolen copy of a password database it can try billions per second.
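The rules above can be turned into a check that runs before a password is accepted, and the same check can gate a random password generator so that what it produces always satisfies the policy. The following is an added example written for this page, not code from the original; its word list is a constructed stand-in for a real dictionary or breached-password list, the leetspeak table covers only the most common substitutions, and "repeated characters" is interpreted as a run of three or more of the same character. Note that reversing the substitutions exposes the dictionary words hidden inside passwords such as 7un3Schoo1Ho!idays, which is exactly what cracking rule sets do.

```python
import re
import secrets
import string

# Constructed, deliberately tiny word list standing in for a real dictionary
# or breached-password list; a production check would load one of those.
COMMON_WORDS = {"password", "school", "holidays", "june", "wine", "like",
                "good", "wise", "admin", "welcome", "summer", "business"}

# Common letter/symbol substitutions (leetspeak) that password-cracking rule
# sets undo automatically, so we undo them too before looking for words.
UNLEET = str.maketrans("01345!7@$", "oleasltas")

# Characters the generator draws from: letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def contains_recognisable_word(password):
    """True if a dictionary word is visible once leetspeak is reversed."""
    normalised = password.lower().translate(UNLEET)
    return any(word in normalised for word in COMMON_WORDS)


def check_password(password, previous=(), personal=()):
    """Apply the page's rules; return a list of violations (empty = passes).

    previous: passwords the user has used before (the "never reuse" rule).
    personal: strings such as names or birth years that must not appear.
    """
    problems = []
    if len(password) <= 10:
        problems.append("must be longer than 10 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("must mix upper and lower case letters, numbers and symbols")
    # "Repeated characters" is read here as a run of three or more of the
    # same character (an assumption; a bare double such as "oo" is allowed).
    if re.search(r"(.)\1\1", password):
        problems.append("contains a run of repeated characters")
    if contains_recognisable_word(password):
        problems.append("contains a recognisable word")
    lowered = password.lower()
    if any(item and item.lower() in lowered for item in personal):
        problems.append("contains personal information")
    if password in previous:
        problems.append("was used previously")
    return problems


def generate_password(length=16):
    """Draw random passwords from the OS CSPRNG until one passes the policy."""
    if length <= 10:
        raise ValueError("length must be greater than 10")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Password1", "7un3Schoo1Ho!idays", generate_password()):
        verdict = check_password(sample, personal=("June",)) or ["passes"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

Running the script shows 'Password1' failing three rules and the page's own 7un3Schoo1Ho!idays failing the dictionary rule once the substitutions are undone, while the generated password passes every rule. Because the generator uses the secrets module rather than random, its output is suitable for real credentials.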

Remembering complex passwords

Remembering complex passwords can be tough. But if you prioritise what needs to be protected in your business, you can apply the most secure and complex passwords to the accounts that need the highest level of protection.

Use password tiers

Tier 1: high risk accounts
  Account types:
  • Banking
  • Online payments
  • Social media
  • Any account that can reset the passwords of other accounts, such as your email
  Action: use a unique and complex password for each of these accounts.

Tier 2: low risk accounts
  Account types:
  • Accounts holding no confidential or valuable information
  • Newsletters, catalogues
  Action: a less complex password is acceptable, but it must still be unique to that account, so that a breach of a low-risk site cannot be replayed against a high-risk one.

Use a password manager

You can also consider using a password manager application. It will generate and remember long random passwords for you, and many will sync between your devices. The trade-off is that the manager's vault now protects everything: if its master password is weak, reused or phished, all of your passwords are exposed at once. Choose a reputable product, protect it with a long master passphrase that you use nowhere else, and turn on multi-factor authentication for the manager account where it is offered.

How to make passwords easy to remember

There are some strategies you can use to make secure passwords easier to remember. For example, think of a passphrase and then change some of the characters to make it a strong password. Such as:

  • 'June School Holidays' can be modified to 7un3Schoo1Ho!idays.
  • 'I like Australian red wine' can be modified to Ilike0zzieR3dwine.
  • 'Be good, be wise' can be modified to B3g00db3wi5e$.

Be aware that password-cracking software tries these same substitutions automatically, so swapping 'e' for '3' adds less strength than it appears to. Most of the protection comes from the length of the phrase: a longer phrase made of several unrelated words is stronger than a short one with clever substitutions.

It is better to create and use a strong password, write it down and keep it physically secure (in a locked drawer, not on a note stuck to the screen) than to use a weak password.

Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls.

Maintain password and PIN hygiene to keep them safe

  • Don't use the same password for multiple services or websites.
  • Don't share your passwords with anyone.
  • Don't provide your password in response to a phone call or email, regardless of how legitimate it might seem.
  • Don't provide your password to a website you have accessed by following a link in an email – it may be a phishing trap.
  • Be cautious about using password-protected services on a public computer, or over a public wi-fi hotspot.
  • Change your passwords regularly, at least every three to twelve months. If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well.

Treat PINs in the same way you would a password

  • Don't use obvious patterns like 1234, 4321 or 7777.
  • Don't use postcodes, birthdays or other significant dates and numbers.
  • Choose PINs at random rather than picking a number that means something to you. Where the device or service allows it, use a longer PIN or one that mixes numbers, letters and other characters.
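The PIN rules above can also be checked automatically, and doing so shows how few of the possible PINs the obvious patterns actually cover. The following is an added example written for this page, not code from the original: it rejects the patterns the page names (all-same digits, straight ascending or descending runs, and any numbers the user supplies as personal), treats any four-digit value between 1900 and 2030 as a likely birth year (an assumed range), and draws replacement PINs from the OS random number generator. Counting over every four-digit PIN gives the number this filter removes.

```python
import secrets
import string


def is_monotone_run(pin):
    """True for straight runs of digits such as 1234, 0123, 9876 or 3210."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(pin) >= 3 and steps in ({1}, {-1})


def looks_like_year(pin):
    """True for four-digit values in an assumed birth-year range (1900-2030)."""
    return len(pin) == 4 and 1900 <= int(pin) <= 2030


def check_pin(pin, personal_numbers=()):
    """Return the reasons an all-digit PIN is weak (empty list = acceptable).

    personal_numbers: postcodes, birthdays, phone fragments and so on supplied
    by the caller, since only the user knows which numbers are significant.
    """
    if not pin.isdigit():
        raise ValueError("check_pin handles digit-only PINs")
    problems = []
    if len(pin) < 4:
        problems.append("shorter than 4 digits")
    if len(set(pin)) == 1:
        problems.append("all digits the same (e.g. 7777)")
    if is_monotone_run(pin):
        problems.append("sequential digits (e.g. 1234 or 4321)")
    if looks_like_year(pin):
        problems.append("looks like a year")
    if pin in set(personal_numbers):
        problems.append("matches a postcode, birthday or other personal number")
    return problems


def count_weak_pins(length=4):
    """How many of the 10**length all-digit PINs the pattern rules reject."""
    return sum(1 for n in range(10 ** length)
               if check_pin(str(n).zfill(length)))


def generate_pin(length=6, alphabet=string.digits):
    """Random PIN from the OS CSPRNG.

    With a digit-only alphabet the candidate is re-drawn until check_pin
    accepts it; with letters or symbols (where the device allows them) a
    uniform random draw is already free of the patterns above.
    """
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not candidate.isdigit() or not check_pin(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("1234", "4321", "7777", "1987", "4072"):
        print(sample, check_pin(sample, personal_numbers=("4072",)) or ["acceptable"])
    print("4-digit PINs rejected by the pattern rules:", count_weak_pins(4))
    print("suggested 6-digit PIN:", generate_pin(6))
```

The pattern rules reject only 155 of the 10,000 four-digit PINs, which is a reminder that rejecting obvious choices is no substitute for a lockout after a few wrong attempts: a PIN this short is guessable by brute force whatever digits it uses, so the lockout the device enforces is what really protects it.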