How to Secure Your Online Accounts in Australia 2025
Australia recorded 1,113 data breaches in 2024, the highest annual number on record. 27% of cyber incidents involved compromised credentials. Here's how to protect your accounts with MFA, password managers, and ACSC best practices.
The numbers paint a grim picture:
Australia saw 1,113 data breaches in 2024, a 25% increase from 2023. Between July and December 2024 alone, 595 breaches occurred, representing a 15% increase over the previous six-month period. These aren't just statistics. Each breach represents real people whose personal information, login credentials, and financial details fell into criminal hands.
Most common causes of cyber incidents in 2024:
According to the OAIC's latest Notifiable Data Breaches Report: phishing (30%), compromised or stolen credentials (27%), and ransomware (24%). The pattern is clear: weak passwords and the absence of multi-factor authentication are the main reasons credentials get compromised. Scammers use stolen login details to access banking, email, social media, and government accounts, leading to identity theft, financial loss, and fraud.
Enable Multi-Factor Authentication Everywhere
If you do nothing else from this guide, enable MFA. It's that important.
The Australian Cyber Security Centre (ACSC) states that multi-factor authentication is one of the most effective ways to protect your valuable information and accounts against unauthorised access. MFA is part of the Essential Eight mitigation strategies designed to protect against cyber threats.
Multi-factor authentication (MFA), also called two-factor authentication (2FA), requires two or more proofs of identity to grant you access to your account. It typically combines something you know (password, PIN), something you have (phone, security key, authenticator app), and something you are (fingerprint, facial recognition). Even if scammers steal your password through a phishing scam or data breach, they can't access your account without that second factor.
Australian cyber security authorities rank MFA methods from most secure to least secure:
Security Keys (Most Secure)
A small physical token without a display screen, often plugged into your device via USB. Examples include YubiKey and Google Titan Security Key. These are the gold standard because they cannot be phished or intercepted remotely. Someone would need physical possession of your security key to access your account. If you're protecting high-value accounts like financial services or business email, security keys provide the strongest protection available.
Authenticator Apps (Highly Recommended)
Mobile applications that generate one-time passwords (OTPs) from a secret stored on your phone. More secure than receiving codes by SMS or email because each code is derived locally on your device, changes every 30 seconds, and is never delivered to you over a network where it could be intercepted.
Popular options include Google Authenticator, Microsoft Authenticator, Authy, and LastPass Authenticator. Because the codes are computed on the phone itself, these apps work even without an internet connection. For most people, authenticator apps offer the best balance of security and convenience.
Biometrics (Convenient)
Using your fingerprint, face, or iris to access your device or mobile apps provides convenience because biometrics are always with you and cannot be misplaced or forgotten. Ensure your biometric data is stored locally on your device rather than on remote servers where it could be compromised in a breach.
SMS Codes (Least Secure)
Receiving a one-time code via text message is the least secure MFA method. The ACSC notes that SMS codes are more susceptible to compromise than other methods. SMS messages can be intercepted through various technical attacks. SIM cards can be swapped by scammers who convince your mobile carrier to transfer your number to a SIM they control. SMS-based MFA is still better than no MFA at all, but upgrade to authenticator apps or security keys for your most important accounts.
Where to Enable MFA First
Not all accounts carry equal risk. Prioritise your MFA setup starting with accounts that, if compromised, would cause the most damage:
1. Banking and financial accounts: CommBank, NAB, Westpac, ANZ, PayPal, and any other service connected to your money.
2. Email accounts: Gmail, Outlook, iCloud — because email controls password resets for practically every other account you own. If scammers access your email, they can reset passwords across your entire digital life.
3. Government portals: myGov, ATO, Services Australia, Medicare online — these contain sensitive personal information and connect to benefits, tax records, and healthcare data.
4. Social media & cloud storage: Facebook, Instagram, LinkedIn, X, Google Drive, Dropbox, OneDrive, iCloud.
5. Work accounts: Email, VPN, company portals — especially if you work remotely or access sensitive business information.
6. Password manager: Your password manager contains the keys to everything else, so it needs the strongest protection available.
Visit cyber.gov.au for step-by-step MFA setup guides for various platforms.
Use Strong, Unique Passphrases
The ACSC recommends replacing traditional passwords with passphrases. Passwords encourage short, complex strings that are hard to remember and often reused. Passphrases are longer, easier to remember, and significantly harder for hackers to crack.
ACSC passphrase guidelines:
At least 15 characters using four or more random words that you'll remember. Make each passphrase unique across accounts, never reusing them. Avoid personal information like names, birthdays, or addresses that someone could discover through social media or public records.
Good passphrase examples:
"crystal-onion-clay-pretzel", "blue-mountain-coffee-kangaroo" or "sunset-beach-umbrella-lemonade". These are easy to remember but would take hackers billions of years to crack through brute-force attacks. Their length, and the fact that the words are chosen at random rather than forming a meaningful phrase, make the number of possible combinations far too large for even the most powerful password-cracking tools to work through.
Weak password vs. strong passphrase:
Weak: "P@ssw0rd123!" — Uses common substitutions (@ for a, 0 for o) that password-cracking software expects. At 13 characters, it follows predictable patterns and can be cracked in seconds by automated tools.
Strong: "purple-elephant-dancing-moon" — At 29 characters with random unrelated words, it's both easy to remember and virtually impossible to crack. The counterintuitive truth: longer beats more complex.
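As an added illustration of the passphrase guidelines above (this is example code written for this page, not an ACSC tool), the following generates four-word passphrases from a word list using the operating system's cryptographic random source and checks a candidate against the three points the article lists: at least 15 characters, four or more words, and no personal details. The word list is a small constructed sample; the entropy figure assumes a published list of 7,776 words such as the EFF large wordlist.

```python
import math
import re
import secrets

# Constructed sample list for the demo. A real generator should use a published list
# such as the EFF large wordlist (7,776 words), which REAL_LIST_SIZE refers to below.
SAMPLE_WORDS = [
    "crystal", "onion", "clay", "pretzel", "mountain", "coffee", "kangaroo", "sunset",
    "beach", "umbrella", "lemonade", "purple", "elephant", "dancing", "moon", "harbour",
    "wombat", "lantern", "copper", "thunder", "garden", "paddle", "violet", "saddle",
]
REAL_LIST_SIZE = 7776


def generate_passphrase(words=SAMPLE_WORDS, n_words=4, separator="-"):
    """Pick words with secrets (the OS CSPRNG), never random.random(), so the choice is
    unpredictable. Choosing the words yourself tends to produce related, guessable ones."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(wordlist_size, n_words):
    """Size of the guess space for n words drawn uniformly from the list, in bits."""
    return n_words * math.log2(wordlist_size)


def check_passphrase(passphrase, personal_terms=(), min_length=15, min_words=4):
    """Return a list of guideline violations; an empty list means the passphrase passes.
    personal_terms is the caller's own list of details an outsider could look up
    (names, pet names, birth years, suburbs)."""
    problems = []
    if len(passphrase) < min_length:
        problems.append(f"only {len(passphrase)} characters (minimum {min_length})")
    words = [w for w in re.split(r"[^A-Za-z0-9]+", passphrase) if w]
    if len(words) < min_words:
        problems.append(f"only {len(words)} word(s) (minimum {min_words})")
    lowered = passphrase.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    print("generated:", candidate, "->", check_passphrase(candidate) or "OK")
    for p in ["crystal-onion-clay-pretzel", "P@ssw0rd123!"]:
        print(p, "->", check_passphrase(p) or "OK")
    # Constructed personal details of the kind that appear on social media profiles.
    print(check_passphrase("fluffy-smith-1990-sydney", personal_terms=("Fluffy", "Smith", "1990")))
    print(f"4 random words from a {REAL_LIST_SIZE}-word list: {entropy_bits(REAL_LIST_SIZE, 4):.1f} bits")
```

The personal-terms check is only as good as the list you give it, so treat it as a reminder rather than a guarantee; the generator side is the reliable part, because words drawn by a random source cannot contain your details unless the list does.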
Use a Password Manager
The ACSC's Annual Cyber Threat Report 2024-2025 recommends that Australians "make passwords strong and unique, and consider using a reputable password manager." With dozens of accounts to manage, password managers are essential for maintaining unique passphrases across all services.
A password manager is a secure digital vault that stores all your passwords and passphrases encrypted behind one master password. It can generate strong random passwords, autofill login forms, and alert you to weak or reused passwords. Instead of remembering 50 different passphrases, you remember one master passphrase that unlocks everything else.
When selecting a password manager, choose a reputable provider. Check cyber.gov.au for guidance on selecting password managers that meet Australian security standards. Create a strong master password using a long passphrase (at least 20 characters) that you'll never forget. This is the one password you must commit to memory, so make it memorable but not guessable.
Enable MFA on your password manager itself to add extra security to your vault. Use the password manager's audit feature to identify and update weak or reused credentials across your accounts. Set an inactivity logout timer so the vault automatically locks after 5 to 10 minutes of inactivity. This protects you if you walk away from your computer without manually locking your session. Update your master password regularly, changing it every 6 to 12 months.
Important consideration: some Australian banks may not cover losses if you store your banking password in a password manager. Their terms and conditions may specify that you cannot share or store banking credentials in ways they consider insecure. For critical financial accounts, consider keeping those passwords separate and protected with strong MFA. Always check your bank's terms and conditions regarding password storage before deciding where to store banking credentials.
Monitor for Data Breaches
With 1,113 data breaches in Australia during 2024, there's a high chance your email or password has been exposed in a breach at some point. Companies don't always notify customers immediately when breaches occur. Some breaches remain undiscovered for months or years. Regularly checking if your credentials have been compromised helps you stay ahead of potential problems.
Visit haveibeenpwned.com to see if your email has appeared in known breaches. This free service, created by security researcher Troy Hunt, indexes publicly disclosed breaches and allows you to search your email address. Enable breach monitoring in your password manager if it offers this feature. Many password managers now integrate breach detection that automatically alerts you when your credentials appear in new data dumps.
If your credentials appear in a breach, immediately change that password on all accounts where it was used. This is why password reuse is so dangerous. One breach can cascade across every service where you used the same login. Enable MFA on any compromised accounts if not already active. MFA protects you even if someone has your password from a breach.
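Have I Been Pwned also publishes a Pwned Passwords range API, which some password managers and websites use for the breach-detection feature mentioned above. The example below is added here and is not code from the article or from Have I Been Pwned; it shows the k-anonymity design of that check: only the first five hex characters of the password's SHA-1 are sent to the service, the service returns every suffix it knows with that prefix, and the match is made on your own machine, so the password itself never leaves it. The response text is a constructed stand-in so the example runs offline, and the User-Agent string is a placeholder.

```python
import hashlib
import urllib.request
from typing import Callable

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex of the password into the 5-character prefix that is
    sent to the service and the 35-character suffix that stays on your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised by the offline demo). The service requires a User-Agent;
    the value here is a placeholder to replace with your own application name."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "example-breach-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Each response line has the form '<35-char suffix>:<count>'."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 means not found).
    `fetch` is injectable so the check can be run against a canned response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the response to /range/5BAA6. The middle line carries the
# real suffix of SHA-1("password"); the other suffixes and all counts are made up.
CONSTRUCTED_RANGE_5BAA6 = """\
1E2B5F1A0C9D3E7B2A4F6C8D0E1F2A3B4C5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4D0A1B2C3D4E5F60718293A4B5C6D7E8F:1
"""


if __name__ == "__main__":
    offline = lambda prefix: CONSTRUCTED_RANGE_5BAA6  # swap for fetch_range to go live
    for pw in ["password", "crystal-onion-clay-pretzel"]:
        prefix, _ = sha1_prefix_suffix(pw)
        print(f"{pw!r}: prefix sent = {prefix}, seen in breaches = {pwned_count(pw, offline)} times")
```

A count above zero means that exact password is in circulation in breach dumps and should be changed everywhere it was used; a zero result is not proof of safety, only that it has not turned up in the corpus so far.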
Additional Security Measures
Beyond MFA, passphrases, and password managers, several additional practices strengthen your account security. These aren't optional extras. They're essential habits that prevent common attack vectors.
Log out of accounts when finished, especially on shared or public devices. Staying logged in creates risk if someone else uses that device or if the device is lost or stolen. Regularly audit third-party apps with access to your accounts. Go through your Google, Facebook, and other major account settings to review which apps you've granted access over the years. Revoke access for services you no longer use.
Use secure connections and avoid logging into sensitive accounts on public WiFi. Public networks can be monitored by attackers who intercept your login credentials. If you must use public WiFi for important accounts, use a VPN to encrypt your connection. Keep software updated by installing security patches for your operating system, browser, and apps. Most breaches exploit known vulnerabilities that have available patches. Staying current eliminates these attack vectors.
Be cautious with security questions. Instead of answering honestly, use false answers or passphrases. Scammers can discover your mother's maiden name, first pet, or high school through social media and public records. Treating security questions as secondary passwords rather than factual questions increases security. Check account activity regularly by reviewing login history for unauthorised access attempts. Most major services show recent login locations and devices. Unfamiliar logins indicate compromise.
Account security isn't a one-time setup. It's an ongoing practice that adapts as threats evolve. The steps outlined here represent current best practices from Australian cyber security authorities, but those recommendations will change as technology and attack methods develop. Stay informed through official sources like cyber.gov.au, review your security settings quarterly, and remain sceptical of any unexpected login requests or password reset emails.