Passwords simple & secure
Why you only need a password and leave the rest of the software.
Listen to experts, not (only) the BSI
The Federal Office for Information Security (BSI) has been following the recommendations of real security experts for years. In the meantime, the BSI has deleted some downright harmful recommendations. So are the following now maculature:
- It is no longer recommended to change passwords regularly as this tends to lead to insecure passwords
- Rigid password length and valid character requirements have been removed.
Similarly, many platforms require that security queries, such as the name of the first pet, tighten a safety net in case you forget your password. The problem: This means that a potential attacker only needs a correct answer to the security questions that are usually quite easy to find out.
However, the current status of the BSI recommendation is now very good, the following recommendations have also proven themselves in practice:
You need to remember a password well.
In our view, this is not correct. You only need to be able to remember exactly one, maybe two passwords: a private one and if you want and possible a second, professional master password. How this should work, more on that later.
The longer the password, the better.
This recommendation is so simple, so suggestive: With each additional character, the time to successfully crack a password via brute force attack increases exponentially. A 7-character password can be cracked in a few minutes, 8 characters in one day and 9 characters in 12 years. A 30-40 character password would not be crackable within a lifetime even with supercomputers.
The password should be at least eight characters long.
We recommend at least 12 characters. Some platforms limit the maximum possible number of characters, but the platform would not have any password length restrictions. Technically, there is not enough justification for limiting the length of passwords.
As a rule, all available characters can be used for a password, i.e. upperandless letters, numbers and special characters.
We see it the same way. Unfortunately, there are still many restrictions on many platforms, so only a selection of special characters is allowed.
The full password should not appear in the dictionary. Common sequences of numbers or keyboard patterns are also out of the question as a secure password.
Sure, one of the most common passwords is password – you might as well distribute your own apartment key a thousand times by mail in the neighborhood. It is ideal if a password is not used anywhere a second time. More on that.
Adding simple digits or special characters before or after a normal word is not recommended.
This means that 123password or $password! have not become more secure just because they contain a few extra characters. Many password crackers first work on combinations of dictionaries and extra characters in order to crack exactly such variants as early as possible.
A password for everything
Basically, all the thinking and responsibility lies with the above-speaking people. Measures on your, the user. After that, the BSI writes by far the most important paragraph about securing your passwords:
Where two-factor authentication (2FA) is offered, you can also secure access to your online account. A password manager can make it easier to handle different passwords. Most importantly, never share your passwords with third parties.
Your entire password strategy should focus on complying with these three recommendations.
Two-factor authentication (2FA)
This is no longer enough just for the password: Once a channel, such as your smartphone or your e-mail account, is used to secure a login attempt. Even if a hacker knows your login and password for a platform, they would also need to have access to your 2FA channel, i.e. your email or smartphone.
Where possible: Use the 2FA function with each provider. Online banking has done it with the TAN inputs, meanwhile every smart phone can effectively fend off login attempts by hackers via app-tan. There are free pluginsfor WordPress .
Don’t even try to remember hundreds of passwords. Worse still, even your Ultra-Turbo-Safe 40-character password is only as secure as the first platform that unfortunately saved it unencrypted. Because once your password has been cracked, e.B. through a successful phishing attempt, hackers try to use this password with your login data on numerous other services.
On the other hand, remember only one password: that of your password manager. You only set a master password and generate, store and use all other passwords via the password manager. We like to use Bitwarden as a password manager, but there are many more.
Your advantage: Each website can get its own super heavy password.
Do not share your password
You click on an email or message and just need to enter your Facebook password to watch the funny cat video?
Always remember: entering your password is like a digital signature. You hereby conclude contracts. Check the address bar of your browser and, in case of doubt, do not trust anyone when a password is required of you.
About the author
Matthias Bathke is Managing Director of straightvisions GmbH. As a GDPR expert and PageSpeed evangelist, he is keen to develop stable and efficient solutions for our customers.
We will be happy to advise you to find the best solution for you – just contact us.