The Federal Office for Information Security (BSI) has been following the recommendations of real security experts for years. In the meantime, the BSI has removed some downright harmful recommendations. So are the following now maculature:
- It is no longer recommended to change passwords regularly as this tends to lead to insecure passwords
- Rigid password length and valid character requirements have been removed.
Similarly, many platforms require that security queries, such as the name of the first pet, tighten a safety net in case you forget your password. The problem: This means that a potential attacker only needs a correct answer to the security questions that are usually quite easy to find out.
Recommendations that work
The BSI has made improvements
However, the current status of the BSI recommendation is now very good, the following recommendations have also proven themselves in practice:
You need to remember a password well.
The emphasis here should be on a password. You only need to be able to remember exactly one, maybe two passwords: a private one and if you want and possible a second, professional master password. How this should work, more on that later.
As a rule, all available characters can be used for a password, i.e. upperandless letters, numbers and special characters.
We see it the same way. Unfortunately, there are still many restrictions on many platforms, so only a selection of special characters is allowed.
The full password should not appear in the dictionary. Common sequences of numbers or keyboard patterns are also out of the question as a secure password.
Sure, one of the most common passwords is password – you might as well distribute your own apartment key a thousand times over in the neighborhood via direct mail. It is ideal if a password is not used anywhere a second time. More on that.
The longer the password, the better.
This recommendation is so simple, so suggestive: With each additional character, the time to successfully crack a password via brute force attack increases exponentially. A 7-character password can be cracked in a few minutes, 8 characters in one day and 9 characters in 12 years. A 30-40 character password would not be crackable within a lifetime even with supercomputers.
The password should be at least eight characters long.
We recommend at least 12 characters. Some platforms limit the maximum possible number of characters, but the platform would not have any password length restrictions. Technically, there is not enough justification for limiting the length of passwords.
Adding simple digits or special characters before or after a normal word is not recommended.
This means that 123password or $password! have not become more secure just because they contain a few extra characters. Many password crackers first work on combinations of dictionaries and extra characters in order to crack exactly such variants as early as possible.
simple but safe
Your password strategy
Basically, all the thinking and responsibility lies with the above-speaking people. Measures on your, the user. After that, the BSI writes by far the most important paragraph about securing your passwords:
Where two-factor authentication (2FA) is offered, you can also secure access to your online account. A password manager can make it easier to handle different passwords. Most importantly, never share your passwords with third parties.
2FA
Two-factor authentication
This is no longer enough just for the password: Once a channel, such as your smartphone or your e-mail account, is used to secure a login attempt. Even if a hacker knows your login and password for a platform, they would also need to have access to your 2FA channel, i.e. your email or smartphone.
Where possible: Use the 2FA function with each provider.
Online banking has done it with the TAN inputs, meanwhile every smart phone can effectively fend off login attempts by hackers via app-tan. There are free pluginsfor WordPress .
Software that really helps
Password Manager
This is no longer enough just for the password: Once a channel, such as your smartphone or your e-mail account, is used to secure a login attempt. Even if a hacker knows your login and password for a platform, they would also need to have access to your 2FA channel, i.e. your email or smartphone.
Where possible: Use the 2FA function with each provider.
Online banking has done it with the TAN inputs, meanwhile every smart phone can effectively fend off login attempts by hackers via app-tan. There are free pluginsfor WordPress .
Don’t be the gateway yourself
Do not share your password
You click on an email or message and just need to enter your Facebook password to watch the funny cat video?
Always remember: entering your password is like a digital signature. You hereby conclude contracts. Check the address bar of your browser and, in case of doubt, do not trust anyone when a password is required of you.