DIM-10-02 Password Risk Prevention

Password risk prevention

Passwords are the most common authenticator used for gaining access to online services. You can improve your security and minimise the chances of identity and information theft by effectively setting and managing your passwords:

Match password complexity and uniqueness to the level of risk

Always consider the risk of using a ‘common’ password, or the same password, for multiple services. What is the ‘spill over’ risk if someone obtains the password for one service and then attempts to gain access to other services with the same password?

Service Risk

Each application service presents a certain level of risk.

  • High Risk Services – involve financial and financial transaction services, as well as private personal information records
  • Medium Risk Services – may include services used for communicating. If someone else accesses your service, they will appear as you, which carries a reputational risk.
  • Low Risk Services – profiles used for convenience, where typically the only data held is service usage data, not confidential data.

Service Risk Levels drive password strategies

  • Always use complex passwords
  • Where possible, use two-factor or multi-factor authentication (password and other authenticators) for high risk services.
  • Use unique passwords for each high and medium risk service.
  • You may use a shared and common password across multiple low risk services. There is a limited ‘spill over risk’ should access to additional low risk services be gained by a person other than yourself.

Complex Passwords

  • Use passwords of at least 8 characters
  • Do not repeat letters, numbers or symbols
  • Avoid series like ‘abc’ or ‘123’
  • Avoid passwords linked to a cycle (password1, password2, etc.)
  • Mix upper and lower case characters
  • Add symbols into your password
  • Avoid common words
  • Avoid proper names and use of personal dates (birthdays etc)
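
The checklist above can be applied automatically when a password is set. The following Python check is an added example, not part of the original guidance: the word list is a constructed sample, the personal_terms parameter is hypothetical, ‘do not repeat’ is read as no character twice in a row, and descending series such as ‘321’ are flagged as well, which goes beyond the examples given above.

```python
import re
import string

# Constructed sample list (assumption); a real check would load a larger one.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin", "dragon"}


def has_series(pw, run=3):
    """True if pw holds `run` consecutive ascending or descending characters."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if window.isalnum() and steps in ({1}, {-1}):
            return True
    return False


def check_password(pw, personal_terms=()):
    """Return the checklist rules that pw breaks; an empty list means it passes."""
    lowered = pw.lower()
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # Assumption: 'repeat' means the same character twice in a row.
    if re.search(r"(.)\1", pw):
        problems.append("repeated character")
    if has_series(pw):
        problems.append("series such as 'abc' or '123'")
    # Assumption: a cycle is a word followed only by a 1-2 digit counter.
    if re.fullmatch(r"\D+\d{1,2}", pw):
        problems.append("looks like a cycled password (word + counter)")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix upper and lower case")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    # personal_terms: names and dates supplied by the caller (hypothetical).
    if any(t.lower() in lowered for t in personal_terms if t):
        problems.append("contains a name or personal date")
    return problems
```

Passing the check does not make a password unique, so the uniqueness rules for high and medium risk services still have to be applied separately.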

If at any time you are concerned that a password may have been intercepted or become known, change it immediately.