Your password is probably terrible. Here's how to fix it.

Let's be honest. If your password is your dog's name and your birth year, you're not alone, but you are very, very vulnerable.

Cybercrime in Australia is on the rise. According to the Australian Cyber Security Centre's 2024-25 Threat Report, weak or stolen passwords remain among the most common ways hackers gain access. And the average cost of a cyber incident for a small business? Over $56,000. That's not a number most of us can absorb.

The good news: this is one of the easiest things to fix. Here's what you need to know.

How fast can a hacker crack your password?

Faster than you think. Modern hacking tools use a brute-force attack, basically trying every possible combination of letters, numbers, and symbols until they find the right one. Advances in computing have made this terrifyingly quick.

Here's the reality check, based on the Hive Systems 2025 Password Table:

  • 8 characters, mixed case + symbols: cracked in 8 hours

  • 10 characters: cracked in 3 weeks

  • 12 characters: 300 years

  • 16 characters: 25 trillion years

The takeaway? Length is everything. If your password is under 12 characters, it's not doing the job.
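To see why each extra character matters so much, here is a small calculation, added here as an illustration rather than taken from the post or from the Hive Systems table. It assumes a constructed guess rate of ten billion guesses per second and a 94-character alphabet (upper and lower case, digits and common symbols); the exact figures will differ from Hive's, but the shape of the curve is the point.

```python
import math

# Assumed attacker speed: a constructed round figure for illustration only.
# Real rates depend on the attacker's hardware and on how the site hashes passwords.
GUESSES_PER_SECOND = 1e10

# Size of the character set the attacker has to cover.
ALPHABETS = {
    "lowercase letters": 26,
    "mixed case letters": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 94,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length (on average, half)."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest unit that fits."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.1f} seconds"


def crack_table(lengths=(8, 10, 12, 16), alphabet_size: int = 94) -> dict:
    """Time to exhaust the keyspace for each length, as readable strings."""
    return {n: human_duration(seconds_to_exhaust(alphabet_size, n)) for n in lengths}


if __name__ == "__main__":
    # Every extra character multiplies the attacker's work by the alphabet size,
    # which is why the jump from 8 to 16 characters is so dramatic.
    for length, duration in crack_table().items():
        print(f"{length:2d} characters: {duration}")
```

Note that this models a blind brute-force search only; attackers usually try dictionary words, leaked passwords and common patterns first, so "dog's name plus birth year" falls long before the table above would suggest.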

Ditch passwords. Use passphrases.

A passphrase is exactly what it sounds like: a string of words rather than a single word with a number bolted on the end. Something like BluePiano$TigerMountain is both longer and easier to remember than P@ssw0rd1!, and it's exponentially harder to crack.

The benefits are real:

Stronger by default. At 16+ characters, brute-force attacks become practically impossible.

Easier to remember. A string of words you can picture beats a random jumble of characters every time.

Less likely to be reused. Password reuse across multiple accounts is one of the biggest security risks for small businesses. A memorable passphrase you actually like using means you're more likely to make it unique to each account.
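Passphrases are strongest when the words are picked at random rather than by a person, because people gravitate to the same few words. The generator below is an added example, not code from the post; it draws words from a small constructed demo list using Python's `secrets` module (the operating system's cryptographic random source) and shows how the strength of the result depends on the list size and word count. A real generator would use a large published list such as the EFF long wordlist of 7,776 words.

```python
import math
import secrets

# Constructed demo wordlist (16 entries). Strength comes from the size of the list,
# so a real deployment uses a list of thousands of words, not this one.
DEMO_WORDS = [
    "blue", "piano", "tiger", "mountain", "river", "candle", "orbit", "velvet",
    "harbor", "maple", "comet", "lantern", "pebble", "saffron", "thunder", "willow",
]
EFF_LONG_LIST_SIZE = 7776  # size of the EFF long wordlist; the words themselves are not embedded here


def generate_passphrase(num_words: int = 4, wordlist=DEMO_WORDS, separator: str = "-") -> str:
    """Pick words uniformly at random with a CSPRNG (never random.choice for secrets)."""
    words = [secrets.choice(wordlist) for _ in range(num_words)]
    return separator.join(words)


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy when every word is drawn uniformly and independently from the list."""
    return num_words * math.log2(wordlist_size)


def random_chars_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of random characters, for comparison."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from this list that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def is_long_enough(phrase: str, min_length: int = 16) -> bool:
    """The post's rule of thumb: 16 characters or more."""
    return len(phrase) >= min_length


if __name__ == "__main__":
    phrase = generate_passphrase()
    print("generated:", phrase, "| long enough:", is_long_enough(phrase))
    # Four words from the EFF list carry about as much entropy as eight random
    # printable characters, but are far easier to remember.
    print("4 EFF words:", round(passphrase_entropy_bits(4, EFF_LONG_LIST_SIZE), 1), "bits")
    print("8 random chars (94 symbols):", round(random_chars_entropy_bits(94, 8), 1), "bits")
    print("words for 80 bits from EFF list:", words_needed(80, EFF_LONG_LIST_SIZE))
```

The entropy figures only hold when the words are chosen by the generator; a phrase you assembled yourself from favourite things is much easier to guess than the arithmetic suggests, even if it is long.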

Add Multi-Factor Authentication (MFA). Full stop.

Even the strongest passphrase isn't enough on its own. Passwords get stolen in data breaches. They get phished. They get guessed. That's why adding a second layer of verification is non-negotiable.

MFA means that even if someone has your password, they still can't get in, because logging in requires two different things:

  • Something you know (your passphrase)

  • Something you have (a code from an authenticator app, or a security key)

Set it up on your email, your Xero, your banking, anything that holds sensitive business or client data. It takes five minutes and dramatically reduces your risk.

Consider a password manager

If managing unique, complex passphrases across every account sounds overwhelming, a password manager does the heavy lifting. It generates strong passwords, stores them securely, and auto-fills them on legitimate sites (which also helps protect against phishing, because it won't fill in your credentials on a fake login page).

No more sticky notes. No more spreadsheets of logins. No more reusing the same password because you can't keep track.

The bigger picture: your numbers are only safe if your systems are

At Diverse, we're in your accounts. We see your data. We connect to your Xero. And we take that responsibility seriously, which is why we talk about this stuff openly.

Protecting your business doesn't stop at getting your BAS in on time. It starts with making sure the right people can access your systems, and the wrong ones can't.

If you're not sure where your business sits when it comes to cyber security basics, start with these three things today:

  1. Change any short or reused passwords to passphrases

  2. Turn on MFA for your email and accounting software

  3. Look into a password manager for your team

Small steps. Big protection.
