Nine tips for secure passwords

28 May 2020

Passwords – everyone needs them, but nobody likes them, and hardly anyone can remember them, which is why too many people still opt for 12345. But we all know that insecure passwords are an invitation to cybercriminals. Security expert Tobias Kippert from TÜViT explains what you should consider when choosing a password, the deadly security sins you should absolutely avoid, and where you should store your passwords.

A good and secure password must be sufficiently complex. In other words, it should consist of at least eight different characters, including lower-case and capital letters, numbers and special characters - ideally completely jumbled up without any system. To help jog your memory and to allow you to learn the password more easily, you can select a particular sentence from which you just take the initial letters and use them in your password. You can vary these letters by switching between capitals and lower-case letters and intersperse them with numbers and special characters.

It goes without saying that third parties shouldn’t simply be able to find out your password. Combinations of your own name and date of birth should therefore be avoided just as scrupulously as non-passwords like 12345, dictionary terms or the name of your pet. You should always use a separate password for every online service.

After all, if you use the same password for every application, a hack into just one of them can open the door to attackers, allowing them to infiltrate your email account or online shopping account. You shouldn’t write down your passwords on a digital document on your computer or on a piece of paper. The notorious Post-It note with password under your keyboard is of course an absolute no-no.

It’s true: good passwords are complicated and therefore difficult to remember. If you want to use a unique secure password for each service, there’s no real alternative to the password manager. In these programs, passwords and usernames are encrypted and kept as securely as if they were in a safe. Many of these tools use the AES-256 standard, which the US government also deploys to encrypt secret documents. A computer would have to run calculations for about 13.8 billion years to crack this kind of encryption. These programs usually automatically insert the password and username into the login field of the Internet provider in your browser.

The key to this password vault is a complex master password. Instead of 20 or 30 or more different passwords, you only have to remember a single one. Just don’t forget it, whatever you do! If you do, the password safe will be locked for all time – and you’ll have to reset and re-create all the stored passwords for your Internet services.

You can find good cheap or even free password managers via online comparison tests. Many of the programs also offer synchronisation via the cloud. This way, you can easily log in with the passwords on your smartphone or tablet without further ado.

But convenience has its shadow side: in unencrypted procedures, passwords could in principle be intercepted by hackers during transmission or at the storage location. You also have to have sufficient confidence in the provider in question. It’s therefore more secure to disable synchronisation in the password manager or to make direct use of a program that only stores the passwords locally on your computer.

Another advantage of password managers is this: you can use them to generate strong passwords. To do this, you first have to specify the desired length and the use of numbers and special characters. Then all you have to do is touch a button and - hey presto! - there’s your password. Because the generator randomly jumbles up the characters, they can’t be “guessed” by an attacker and are thus more secure than human-made passwords.

Places where you can generate this kind of random password include, for instance, the website of the Central Data Protection Office of the universities of Baden-Württemberg (ZENDAS).

Many browsers offer to save your credentials when you log on to a website. This is obviously practical because it significantly shortens the log-in procedure. You should, however, always find out in advance whether the password store of the provider in question is considered secure and the passwords are only stored locally.

There’s one fundamental problem with browser password managers: Unlike stand-alone password safes, you can opt not to use a master password. If the computer is used by other people, they can access the passwords too. And if your laptop is stolen, the thief will easily be able to log in to your online services. So it’s advisable only to use the browser-based storage option if you have a computer that is used only by you and is protected by a good password. You’re better off using a standalone password manager, simply because it’s more secure.

Android or Apple smartphones come from out of the factory with an integrated password manager. Google's Smart Lock and Apple's iCloud Keychain synchronise passwords with your user account. This lets you easily log in on other devices or move your passwords to a new phone. The problem is this: as the user, you can’t directly know whether the passwords are stored on servers in the US. And, for the reasons I’ve outlined above, cloud solutions tend to be more insecure than local storage in a stand-alone password vault on your own computer or smartphone.

The golden rule always used to be to change even a secure password regularly. Germany’s Federal Office for Information Security (BSI) has now withdrawn this recommendation from the current issue of its BSI Basic Protection Compendium. This is because, as research has shown, many users tend to be lazy to make passwords easier to recall. For example, some will use a password that’s too short or only make minor changes to the old one - for instance, by changing a number at the end.

But if the old password has already been hacked or wasn’t secure in the first place, the new password will also be cracked in the blink of an eye. So, the new rule of thumb is that it’s better to use a good and complex password in the long run than to switch to a new insecure password every three months. In the event of a data leak or a hacker attack on your own online provider, you will of course still have to change your password.

To make things even more secure, it makes sense to set up two-factor authentication, as is being offered by more and more online services. In addition to your username and password, you also have to enter a code when you log in, which is sent by the provider in question by text or generated via a special authenticator app. Even a cybercriminal who knows your password won’t just be able to stroll into your online account. Using a second factor takes a little more time when you log in – but it’s an important step towards a more secure online account.