Some 46 per cent use weak passwords to protect their online accounts, a survey conducted for Telstra found.
And almost one in 10 base their passwords on their favourite sports club and twice as many use their pet’s name.
Australians have already lost $194 million to scams and hacking in 2023, according to ScamWatch.
Telstra cybersecurity expert Darren Pauli says uniqueness is key to having a secure password.
“The more common your password is, the more you’re exposed to password guessing attempts,” he told AAP.
“If everyone picks Collingwood as their password, then eventually that’s going to become common enough that that password will work its way to the top hit list.
“They might not get you and they might not get the next 500 people but they will get the 501st and there’s enough of that to make for a pretty lucrative industry.”
Online hackers use automated password guessing lists to crack into personal accounts.
These lists run through billions of combinations taken from the black market.
At least 75 per cent of Australians reuse their password, which often results in people ending up on a password guessing list.
At least 63 per cent of Australians never change their banking passwords, or change it once a year, the survey found.
Almost two in five admitted to sharing their passwords with family members.
“Reusing your password is the most dangerous thing you can do on the internet,” Mr Pauli said.
“If a website gets breached, the passwords and usernames are stolen and they make their way into the cybercrime underground and these things are traded around.”
Stolen passwords and usernames are automatically tested on other websites, and this is how cybercriminals gain access to bank accounts.
“We see people losing eye-watering amounts of money – honestly breaks your heart,” Mr Pauli said.
“Someone can lose $40,000 because their bank account got hacked into.”
Keeping passwords in your wallet – which 1.2 million Australians do – is just as bad as reusing the same one.
“About a month ago, I found a password book at a playground,” Mr Pauli said.
“It had everything in it and what I could have done with this could have been bad.”
People could consider protecting their online accounts by using a password manager.
Most mobile phones and web browsers have a built-in password manager that can generate and remember a unique password.
Using multi-factor authentication is another way to protect online accounts and it has extra checks to prove your identity before an account can be accessed.
“There’s no magic rule to stop scams but multi-factor authentication could stop people from losing their life savings,” Mr Pauli said.
“It’s criminally underused. I’d love to see everyone using it.”
The survey was conducted by YouGov on behalf of Telstra between February 6-7 2023.