Kiwis urged to get 'Big Password Energy' by Government cybersecurity agency CERT NZ

An illustration of passwords
Four-word passphrases are much more secure than people might think. Photo credit: Getty Images

Government cybersecurity agency CERT NZ is urging Kiwis to ditch easy-to-crack passwords with the launch of its new 'Big Password Energy' campaign.

The agency says passphrases are both a better way of securing accounts while making the passwords easier to remember.

"While the campaign is fun and a bit tongue-in-cheek, the reality is serious," said Sam Leggett, senior analyst of threat and incident response at CERT NZ.

"Too many New Zealanders use easy-to-crack, short passwords and often they use the same passwords in multiple places. Because of this they're at real risk of having their online accounts broken into by cyber attackers."

Leaked passwords may also be more common than people think.

The UK's National Crime Agency found hundreds of millions of leaked passwords online last year, while websites such as 'have I been pwned?' have popped up to allow anyone to check if their credentials have been shared.

Too many Kiwis still use common passwords across more than one account, according to VPN provider NordVPN.

The provider found '123456' was the most commonly used password in Aotearoa, followed by the likes of 'iloveyou', 'password' and 'abc123' - making them even easier to crack.

"Our research has shown that many New Zealanders view password security as not that important, and too many kiwis put cyber security advice in the ‘too hard' basket," Leggett said.

"Big Password Energy is designed to simplify the advice and show people how easy it can be."

The campaign is aimed specifically at New Zealanders aged 18 to 34, CERT NZ said.

"We know from our research that this group is highly confident online but less likely to take steps to protect themselves," Leggett continued.

"It's a demographic that experiences a higher-than-average amount of cyber attacks and are more likely to be the victim of scams – particularly those involving social media or their online profiles.

"Despite this, only half of them will use strong passwords, and two thirds will use the same password for multiple accounts."

Attackers and scammers use sophisticated tools to hack into accounts, steal money, scam people or use private information for blackmail purposes.

Leggett said the campaign introduces the idea of passphrases through humour as a way of engaging the demographic in creating better and longer passwords.

A passphrase is a string of four or more random words, with the more characters a password has the harder it is to crack.

A simple short password like 'Mittens96' could take attackers just seconds to brute force, CERT NZ said, while a passphrase like ‘MyPerfectlyTrimmedHedge' would take centuries using the same method. 

"Big Password Energy shows how just choosing things from around you can make a great password."

The agency also suggests using a password manager. Those pieces of software store and manage passwords and means only needing to remember a single passphrase.

CERT NZ's overall advice for passwords:

  • Use a different password for every online account you have
  • Make your password long and strong
  • Don't use personal information to create your passwords
  • Keep them safe.