AAP
Grace Crivellaro

Spy agency points finger at common password habits

The head of Australia's cyber agency wants the nation to move on from using passwords. (Dan Himbrechts/AAP PHOTOS)

In five years' time passwords could be a thing of the past for Australians.

The nation's top cyber spy agency is warning against using common passwords as cyber attacks cause business costs to soar.

Cybercrime reports have dropped but businesses face a bigger financial impact from them, the Australian Signals Directorate's annual cyber threat report released on Tuesday reveals.

Directorate director-general Abigail Bradshaw hopes that in five years' time the nation moves on from using passwords.

"I hope it (using passwords) is over. This is the thing that concerns us most," Ms Bradshaw told AAP.

Signals Directorate chief Abigail Bradshaw advised Australians to change passwords regularly. (Mick Tsikas/AAP PHOTOS)

"All accounts must have multi-factor authentication. Change your passwords increasingly regularly. 

"Don't use it across multiple devices."

Attackers are increasingly breaching networks by using compromised or stolen details to gain unauthorised access, rather than by hacking, which makes the breaches harder to detect.

"Once access is gained, they mimic legitimate user behaviour to steal sensitive personal or corporate information, install ransomware or malware and take over accounts," Ms Bradshaw said.

These types of breaches account for 42 per cent of cyber incidents impacting large organisations, government or supply chains, head of ASD's Australian Cyber Security Centre, Stephanie Crowe, said.

Passwords and usernames remain the biggest vulnerability for safety, with home routers often targeted by cybercriminals seeking to conceal their activities.

Have I Been Pwned cybersecurity expert Troy Hunt believes passwords will still be around in five years because "everyone knows how to use them".

An online password manager is recommended by cybersecurity experts. (Dan Himbrechts/AAP PHOTOS)

But this is exactly why attacks against them were so easy, he said.

"They're usually simplistic and repeated allowing attacks on passwords to be automated at an enormous rate," Mr Hunt said.

He said using an online password manager, such as 1Password, that securely stores login credentials and setting up two-factor authentication are common defences against these types of threats.

"The only secure password is one you can't remember," Mr Hunt said.

"If you don't have a password manager, then you'll just be reusing passwords across accounts."

A stronger defence is using a passkey, he said, which is a passwordless login method that uses biometrics such as a fingerprint or facial recognition.

The Australian Signals Directorate report states the agency responded to 128 ransomware incidents, consistent with 2024, with these types of cybercrimes labelled as the "most disruptive" threat.

Cyber criminals released personal information from millions of Qantas frequent flyers. (AAP PHOTOS)

It comes as the data of 5.7 million Qantas customers was posted online after hackers from Scattered LAPSUS$ Hunters made good on a ransom threat.

The airline was one of six global companies to have its data released at the weekend, and the released data included customers' full names, email addresses and Frequent Flyer details.

The incident was not included in the report because it happened in the current financial year.

The report warned artificial intelligence may also create an avenue for cybercriminals to carry out threats, such as creating fake voices, websites, and customer records to present themselves to victims as legitimate.

Cyber-enabled espionage posed a "real and increasing danger" to Australia's essential services, Defence Minister Richard Marles said.

"The report makes clear that malicious actors have been working unseen to steal data and demand ransom payments from Australian victims," Mr Marles said.
