Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 action.

This week: What have Howard Hughes and Liverpool FC got to do with cybersecurity? Plus: Health data of 5 million Australians has been leaked on the dark web. And I use my limited graphic design skills to explain why passwords are bad and MFA is good.

This week’s action is inspired by James Clear of Atomic Habits – Is your issue a lack of information or a lack of action?

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from or wherever you get your podcasts.


1. (via SecureTheVillage) reports that “hackers who stole a trove of data from one of Australia’s biggest private health insurers are drip-feeding sensitive details of customers’ medical diagnoses and procedures. [..] Thus far, the leaks have included information relating to patients’ home addresses, phone numbers, and passport numbers, as well as details about health conditions such as alcohol abuse, anxiety, cannabis dependence and opioid addictions. [..] Medibank has confirmed that, as of Friday, the personal information of more than five million customers has been released.” Medibank has been advised not to pay the ransom demand of $9.7m Australian dollars, because the horse has already bolted, and the horse was loaded up with the sensitive personal data of at least 5 million individuals.

2. Gizmodo reports on recent analysis by NordPass and CyberNews on the most common passwords of 2022. The analysis was performed on the troves of password data leaked on the dark web this year. Is it a shock to hear that the most common password across the world is ‘password’? Liverpool Football Club clearly has many fans in the UK who don’t care about their online security, as ‘liverpool’ is the fourth most common password in the UK. Any Premier League fans will know that’s as close as Liverpool FC will get to 4th place in most leagues this season.

3. This final article is actually an episode of Tim Harford’s Cautionary Tales, which reminds me of the ICO’s point (which I mentioned last week) that the biggest cyber risk is our own complacency. In this episode, Tim details the amazing story of Clifford Irving, who in 1972 fooled a major book publisher into believing that he was Howard Hughes’ chosen ghost writer for his authorised autobiography. (For those who don’t know, Howard Hughes was a billionaire and a recluse). When the story broke that he was working with Irving on his autobiography, one publisher paid $1 million for the exclusive rights. So, what has this got to do with cybersecurity? Well, at one point, even when the game was up, the fraudster still believed he could get away with the $1 million advance because he thought the victim, the publishing company, would be too embarrassed to report the fraud to the authorities. Are cybercrime victims inadvertently encouraging cyber criminals if they don’t report the frauds to the authorities?


FIFTY FIVE – Approximately 55% of leaked passwords analysed by NordPass were less than 9 characters long. It is easy for cyber criminals to run automated scripts to check every combination of letter and number, but the longer a password, the longer it takes for them to crack it. I recommend you use a password manager to generate a long password that even you don’t need to remember.

THREE – It took me only 3 hours this week to create two classy and timeless graphics that try to show why passwords are bad and multi-factor authentication is good. I shared them with my lucky LinkedIn followers earlier this week, and the feedback was that I should stick to the day job! But there’s a serious message behind these amateur graphics: Your online activity is like a dangerous voyage in shark-infested and pirate-ridden waters. Relying on only a password to secure an account is like taking that journey in a rubber dinghy. You may survive, but is it worth the risk? Especially when using Multi-Factor Authentication (MFA) is like upgrading from that rubber dinghy to a cruise ship. With a cruise ship, the sharks are no longer a threat and most pirates won’t bother with you – There are too many easier targets in their rubber dinghies. Fair enough, it takes a bit more effort to get onboard a cruise ship than to step onto a rubber dinghy, but your journey will be so much safer. The same applies with MFA – A little bit of inconvenience brings a hell of a lot of benefits.


This week’s action comes from James Clear, my original inspiration for the structure of the Cyber 3-2-1 newsletter.

This week, my recommended action is to think about James’ question: “Do I need to spend more time searching for better information or do I need to spend more time acting on the information I already have? Is the bottleneck strategy or execution?”

If you’re struggling with cybersecurity, it’s worth asking yourself whether it’s due to a lack of information or a lack of action.

If you need help with either, I’m here!

Have a great weekend.