Passwords protect our accounts on a wide variety of portals. But what actually makes a good password? The length? As many special characters as possible? A password change every few weeks? TECHBOOK spoke with Arno Wacker, professor for data protection and compliance at the University of the Federal Armed Forces in Munich, and with Tim Griese from the Federal Office for Information Security (BSI). First of all: many common password rules are outdated and of no use to the user.
Does a regular password change make sense?
It sounds logical: if you want a secure password, you have to change it at regular intervals. So far the common theory. However, this no longer applies in that form. The rule originates in the old guidelines of NIST (the National Institute of Standards and Technology). In 2017, however, the US federal agency changed its handling of passwords and finally dropped the requirement of a regular password change. “The reason for this is that there are now several scientific studies which say that regular changes do more harm than good for security. An easy-to-understand reason is user psychology: if users do not have to change their passwords every few months, they are much less inclined to choose bad / simple passwords, that is, they are more likely to generate a good and strong password,” IT security expert Arno Wacker tells TECHBOOK.
Nevertheless, the belief persists that users should always change their passwords. One reason, Wacker says, is that the BSI in Germany has kept this recommendation, contrary to other guidelines. “The password must be changed regularly, e.g. every 90 days,” reads the BSI's IT-Grundschutz catalogue. Asked by TECHBOOK, however, the BSI denied making a blanket recommendation to keep changing passwords. “According to BSI experience, successful cyber attacks are only discovered on average after more than 200 days. A regular change of passwords can therefore make sense in order to make stolen passwords unusable for cyber criminals, even if the password theft has gone unnoticed until then,” explains Tim Griese of the BSI. In any case, users should change their password if there are indications that it has been compromised. Such indications can include the number of failed logins and the date of the last login. When changing the password, the user should again be sure to choose a strong one.
Is a password of several words advisable?
A password consisting of several words can make sense. “A passphrase can also offer a high protection value, but it should not be too short,” advises Griese of the BSI. The length determines the quality of a password. Passwords made of only two words, however, are not recommended, mainly because a password of 20 letters is considered safe and two words alone will probably not reach that length. “But the approach is correct: if you use a whole sentence, i.e. a so-called passphrase, whose total length is well over 20 characters, then that can be considered safe today,” argues Arno Wacker.
For two words with ten letters in total, the strength is about 47 bits if every letter is treated as an independent random choice from the 26 lowercase letters (log2(26), about 4.7 bits per letter). In other words, an attacker who brute-forces every combination of lowercase letters must try up to 26^10, about 1.4 × 10^14 (roughly 2^47) candidates. That is a challenge for a single computer, but not for a large network of machines or a GPU cluster. Three words with 16 letters come to about 75 bits, which is much better but still not in the safe range. Four words with 20 letters reach about 94 bits, which is considered safe today, and with six words one lands well beyond the cryptographic strength NIST recommends. Put simply: a 20-letter passphrase would require a computer or computer network to try up to 26^20, about 2 × 10^28 candidates, even if the passphrase is all lowercase. These figures are an upper bound, because they assume the attacker has to guess letter by letter. If the attacker knows the passphrase is built from common words and guesses whole words from a dictionary, the strength is roughly log2(dictionary size) per word: about 13 bits per word from a 7,776-word list, so four such words give about 52 bits rather than 94. A passphrase draws its strength from the number of words and the size of the list they are chosen from, not from the letter count alone.
Is a strong password sufficient for all services?
No matter how strong a password is, users should always choose different passwords, and never use one for all accounts. In data leaks, password databases are stolen from service providers; after that, the user's password no longer needs to be cracked. “If this password, no matter how strong, is used for other accounts, those accounts are open to an attacker. That is why it is important to use different passwords for different accounts,” Tim Griese of the BSI tells TECHBOOK. Users also never know how carefully a service handles their password. “In the worst case, the service stores the password in plain text (e.g. quite recently, as happened at Facebook),” says Wacker. In such a case the password's strength makes no difference.
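The two points above, the plaintext-storing service and the reused password, can be played through in a few lines. This is an added example for this article, not code from the BSI, from the experts quoted or from any real service; the sites, the user and the passwords are constructed. Site A stores passwords in plain text (the worst case Wacker describes), Site B stores a salted, slow PBKDF2 hash, and the attacker simply replays what leaked from A against B. Hashing on B's side cannot help when the password is the same on both sites; only a unique password does.

```python
"""Why a strong password does not survive reuse: a leak from one site, replayed against another.

Added example for this article, not code from the BSI or from the experts quoted.
The two sites, the user and the passwords are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; OWASP's current guidance is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as salt + PBKDF2 derived key; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Site A is the worst case from the article: it stores passwords in plain text (constructed data).
SITE_A_PLAINTEXT = {"alice": "Tr0ub4dor&3!x9Q"}

# Site B does everything right on its side: salted, slow hash. Alice reused her Site A
# password on one account and chose a unique passphrase on the other (constructed data).
SITE_B_REUSED = {"alice": hash_password("Tr0ub4dor&3!x9Q")}
SITE_B_UNIQUE = {"alice": hash_password("glass otter gravel nine unmoor")}


def credential_stuffing(leaked: dict[str, str], target: dict[str, str]) -> dict[str, bool]:
    """Replay every leaked (user, password) pair against the target site's verifier.

    Nothing has to be cracked: the attacker already holds the plaintext from Site A.
    """
    return {user: verify_password(pw, target[user])
            for user, pw in leaked.items() if user in target}


def demo() -> dict[str, bool]:
    """Does the Site A leak open Alice's Site B account? Only where the password was reused."""
    return {
        "reused_password_opens_site_b": credential_stuffing(SITE_A_PLAINTEXT, SITE_B_REUSED)["alice"],
        "unique_password_opens_site_b": credential_stuffing(SITE_A_PLAINTEXT, SITE_B_UNIQUE)["alice"],
    }


if __name__ == "__main__":
    print(demo())  # {'reused_password_opens_site_b': True, 'unique_password_opens_site_b': False}
```

The hashing function is what a service should do on its side; the verifier uses `hmac.compare_digest` so that a wrong guess does not leak timing information. None of that helps Alice once Site A has handed her plaintext password to the attacker, which is the whole point of Griese's advice.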
What special characters achieve
And users often hear this advice when it comes to passwords: special characters make a password more secure. But is that true? Often users do not even have the choice; they are required to use a password with special characters. “Special characters expand the range of characters used, making it harder for attackers to crack the password. A very long password without special characters, however, makes it just as difficult for an attacker, or even more difficult depending on its length, than a simple password. Therefore it depends more on the length of the chosen password than on the use of special characters,” says Tim Griese of the BSI.
It depends on the length
A password can hardly be too long. “Here one can say across the board: the longer, the better. Length plays the biggest role in the security of a password,” explains expert Arno Wacker. Depending on the service, there are certain rules for length. An online password should be more than ten characters long, and a Wi-Fi password more than 20. From a mathematical point of view, according to Wacker, a password of twelve characters or more is considered good and provides adequate security. Based on NIST's guidelines, however, passwords of 20 characters or more are really safe.
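The bit counts in the passphrase section, Griese's comparison of special characters against length, and the twelve- and twenty-character thresholds above all come from the same formula: entropy = length × log2(alphabet size). The calculator below, an added example that is not code from the article or from the experts quoted, puts the article's cases side by side, adds the word-list case that the letter-wise count leaves out, and converts a key space into brute-force time. The guess rate of 10^12 per second is an assumption for illustration, not a measured figure.

```python
"""Entropy and brute-force cost for the password shapes discussed in this article.

Added example, not code from the BSI or the experts quoted. The guess rate is an
assumption for illustration only.
"""
from __future__ import annotations

import math

LOWERCASE = 26          # a-z, the article's "just lowercase" passphrase
PRINTABLE_ASCII = 95    # letters, digits, space and special characters
WACKER_SET = 100        # the 100-character set Wacker describes
DICEWARE_WORDS = 7776   # size of a typical passphrase word list (EFF / Diceware)

ASSUMED_GUESSES_PER_SECOND = 1e12   # assumption: a large offline cracking rig


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly and independently from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a brute-force attacker must try in the worst case."""
    return alphabet_size ** length


def years_to_exhaust(candidates: int, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to enumerate every candidate; the expected time to hit the password is half of this."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)


def compare_cases() -> dict[str, float]:
    """Entropy, in bits, of the shapes the article discusses plus the word-list view."""
    return {
        "10 lowercase letters (two words, counted letter-wise)": entropy_bits(LOWERCASE, 10),
        "16 lowercase letters (three words, counted letter-wise)": entropy_bits(LOWERCASE, 16),
        "20 lowercase letters (four words, counted letter-wise)": entropy_bits(LOWERCASE, 20),
        "8 printable ASCII with special characters": entropy_bits(PRINTABLE_ASCII, 8),
        "12 characters from a 100-symbol set": entropy_bits(WACKER_SET, 12),
        "4 words guessed from a 7776-word list": entropy_bits(DICEWARE_WORDS, 4),
        "6 words guessed from a 7776-word list": entropy_bits(DICEWARE_WORDS, 6),
    }


if __name__ == "__main__":
    for name, bits in compare_cases().items():
        print(f"{bits:6.1f} bits  {name}")
    total = keyspace(LOWERCASE, 20)
    print(f"26^20 = {total:,} candidates, "
          f"{years_to_exhaust(total):.2e} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

Two things the table makes visible: eight characters with special characters (about 53 bits) lose clearly to twenty lowercase letters (about 94 bits), which is Griese's point, and four dictionary words are worth about 52 bits to an attacker who guesses words rather than letters, so a passphrase needs more words, not just more letters.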
The perfect password
But what else is decisive apart from length? “A ‘good’ password is understood to mean a password that does not follow a pattern, i.e. is completely random, and in which each character is selected from a character set of 100 characters,” says Wacker. Remembering a good and, above all, long password for a wide range of services sounds like a real challenge. But do not worry: an elephant's memory is not necessary, a password manager promises help. “This is software that stores the user's passwords securely encrypted in a file. Access to it is protected by a strong master password and potentially a second factor,” says Wacker. Since all passwords are stored in this software, special attention must be paid to its security. Therefore the software should be open source; a good example is KeePassXC, advises Wacker.
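What "completely random, each character from a large set" looks like in code, as an added example that is not code from the article, from Wacker or from KeePassXC: the generator uses `secrets.choice`, which draws from the operating system's cryptographic random source without modulo bias, for both a character password and a word passphrase. The alphabet is the 94 printable ASCII characters (the article speaks of a 100-character set), and the word list is a short constructed stand-in; a real passphrase should come from a list of thousands of words, since each word is only worth log2(list size) bits.

```python
"""Generating the kind of password Wacker describes: no pattern, every symbol chosen at random.

Added example, not code from the article, from Wacker or from KeePassXC. The alphabet is
the 94 printable ASCII characters; the word list is a constructed stand-in for a real one.
"""
from __future__ import annotations

import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

WORDLIST = [  # constructed; a real list (e.g. the EFF's 7,776 words) has thousands of entries
    "otter", "gravel", "unmoor", "glass", "nine", "candle", "river", "basalt",
    "tundra", "mango", "sprocket", "velvet", "quartz", "lantern", "fossil", "cinder",
]


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from `choices` options."""
    return picks * math.log2(choices)


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniform random password; secrets.choice uses the OS CSPRNG and has no modulo bias."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(num_words: int = 6, words: list[str] = WORDLIST, sep: str = "-") -> str:
    """Uniform random passphrase; strength is log2(len(words)) per word, whatever the letters."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def strength_report(length: int = 20, num_words: int = 6, wordlist_size: int = 7776) -> dict[str, float]:
    """Entropy a password manager would attribute to each generated secret (7776 = a real list size)."""
    return {
        "password_bits": entropy_bits(len(ALPHABET), length),
        "passphrase_bits": entropy_bits(wordlist_size, num_words),
        "toy_wordlist_passphrase_bits": entropy_bits(len(WORDLIST), num_words),
    }


if __name__ == "__main__":
    print(random_password())
    print(random_passphrase())
    print(strength_report())
```

The report shows why the word list matters: six words from a 7,776-word list are worth about 78 bits, but six words from the 16-word toy list here are worth only 24 bits, however long the words happen to be. A random 20-character password from the 94-symbol alphabet comes to about 131 bits, which is what a manager like KeePassXC generates for you so that you never have to remember it.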
If users have forgotten their password, they can use the security question to regain access to the account. But: “The security question is a very bad idea and has therefore been deleted from the current NIST guidelines, which even explicitly require that it no longer be used. That is perfectly right: attackers (hackers) can also answer the security question by relying on information that is available somewhere or can be guessed, bypassing even the strongest password,” says Arno Wacker. If a security question is required, users should treat the answer like a password and choose it by the same criteria: random, long, and not derivable from publicly available information.