Do you know the risks of having a weak password? Using weak and simple passwords can help enable fraudsters to gain unlawful access to your online accounts, often resulting in financial losses and identity theft.

As more major security and data breaches occur, many Australians are now affected by potential losses of personal information causing us to reflect on our own cybersecurity practices and how safe we feel from threats such as identity fraud. Even if passwords are not compromised during a data breach, the use of weak or recycled passwords for online accounts can leave people vulnerable, making them an easy target for scammers later on.

What is a weak password?

A weak password is typically short, or uses a common phrase or a personal detail that can be easily guessed, such as a date of birth or the name of a pet. Weak passwords can also be system default passwords that haven’t yet been changed, or passwords that have been reused across several accounts. If hackers already hold information on a victim (obtained from a separate data breach), they can easily deduce a password that contains personal information.

Research conducted by CyberNews found “123456” to be the most common password used in 2023, with the word “password” close behind as the fourth most commonly used password globally.

Cybercriminals take advantage of poor cybersecurity practices

According to a 2021 global report by Help Net Security on cybersecurity and online behaviours, approximately a quarter of online users choose a simple password for their accounts. Choosing easy-to-guess or obvious passwords leaves your online accounts susceptible to cyber-attacks: hackers purposely target accounts with weak passwords to gain quick and easy access, often with severe consequences. Weak passwords provide an easy avenue for cybercriminals to exploit. They can use the stolen credentials to launch further attacks or sell them for profit on the dark web. When passwords are simple, common, or too short, hackers can quickly crack them with automated tools. A password containing fewer than eight characters can be compromised in a matter of seconds.

What can happen when a password is compromised?

Cybercriminals rely on weak passwords to break into the accounts of unsuspecting victims. After they’ve acquired stolen credentials or gained unauthorised access to an account, cybercriminals may transact fraudulently, causing widespread financial loss to their victims. And it’s not just financial gain cybercriminals seek. Scammers may hack into an account for the purpose of identity theft: impersonating the victim in loan or credit applications, creating fake social media accounts, or committing money laundering and other criminal acts. The damage caused by these scams can have a snowball effect, with consequences reaching well beyond the personal accounts that were compromised. It doesn’t take long for someone to be financially impacted, and psychologically affected too, as scams often leave their victims feeling intimidated and stressed by the experience.

For businesses, a compromised password can result not only in huge financial losses but also in severe reputational damage. Small businesses especially can be an easy target for cybercriminals, as they may not have sophisticated IT systems to help protect them. When cybercriminals target small businesses, the damage can be catastrophic, as both business owners and customers potentially fall victim to scams.

Case Story: $8,000 lost due to weak password

Ms Jones* owns a beauty salon in Brisbane and was the unfortunate victim of a cyber-attack which resulted in her customers being charged thousands of dollars for appointments they never had. Ms Jones used a popular third-party app to manage her customers’ bookings. When Ms Jones started to receive notifications from the app that her password had been changed (a change she had not initiated), she began to suspect she had been infiltrated by a hacker. Her fears were confirmed when money mysteriously began to disappear from her bank account and she began to receive taunts from the cybercriminals claiming that they had access to her emails, phone, and computer. The hackers took control of Ms Jones’ booking app, changing her listed bank details and debiting over $2,000 from Ms Jones’ credit card. A further $6,000 was stolen from her customers.

Ms Jones quickly informed her bank and local authorities of the scam, and the money was refunded after she reported the suspicious transactions. However, the reputational damage to her business was costly, as customers had lost faith and trust in being able to transact safely. Ms Jones was also required to cancel her credit cards and reset the direct debits attached to the app.

Frighteningly, Ms Jones’ problems all began with an insecure password and not using multi-factor authentication to access the booking management app. The app itself was not compromised and was not involved in any security breach, but the hackers had unlawfully gained access to Ms Jones’ email, and from there they were able to reset the login credentials for her other accounts, including her salon’s booking app, which enabled them to make fraudulent transactions. Using a complex passphrase and the app’s multi-factor authentication security measures would have helped to prevent this attack.

How to avoid using weak passwords

It’s important to use complex passwords or passphrases to help keep your online accounts secure. An encrypted password manager can help those who are worried about forgetting their passwords: it can create random, strong and unique passwords and then store them securely. In addition, it’s important to use multi-factor authentication to add an extra level of protection and to help keep your account secure in the event your password is compromised.

Passwords should be changed regularly or as soon as you receive a data breach notification. Try to avoid reusing passwords for multiple accounts, and never share your passwords with anyone!
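The weakness criteria the article lists (too short, a common password, built from a personal detail such as a pet’s name or date of birth, or reused across accounts) can be turned into a simple policy check. The following is an added example, not code from the article or from any bank or app; the common-password list and the sample details are constructed for illustration, and a real check would use a large breached-password list and compare hashes rather than plain text.

```python
from datetime import date

# Constructed sample list; a real check would use a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}
MIN_LENGTH = 8  # the article: under eight characters can be cracked in seconds

def date_variants(dob):
    """Digit strings people commonly embed from a date of birth, e.g. 1990, 1501, 150190."""
    return {dob.strftime(fmt) for fmt in ("%Y", "%d%m", "%d%m%y", "%d%m%Y")}

def expand_details(personal_details):
    """Normalise personal details (pet names, dates of birth) into lowercase search terms."""
    terms = set()
    for item in personal_details:
        if isinstance(item, date):
            terms |= date_variants(item)
        else:
            terms.add(str(item).lower())
    return terms

def weak_password_reasons(password, personal_details=(), used_elsewhere=()):
    """Return the reasons a password is weak under the article's criteria: too short,
    a common password, contains a personal detail, or reused on another account.
    An empty list means no listed weakness was found, not that the password is strong."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short (fewer than %d characters)" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    lowered = password.lower()
    for term in sorted(expand_details(personal_details)):
        # Ignore very short terms to avoid noise from incidental digit pairs.
        if len(term) >= 3 and term in lowered:
            reasons.append("contains personal detail %r" % term)
    # Reuse check against this user's other passwords (a real system compares hashes).
    if password in used_elsewhere:
        reasons.append("reused across accounts")
    return reasons

if __name__ == "__main__":
    # Constructed sample details: a pet called Fluffy and a date of birth of 15 Jan 1990.
    details = ["Fluffy", date(1990, 1, 15)]
    for pw in ("123456", "Salon1501!", "correct horse battery staple"):
        print(pw, "->", weak_password_reasons(pw, details) or "no weakness found")
```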

If you believe that someone has accessed your bank accounts without your authorisation or you don’t recognise a transaction on your account, please contact us immediately on 13 61 91.

*name changed to protect identity

06 June 2023