It must be complicated, consist of upper and lower case letters and contain special characters, abbreviations and numbers. And as if that’s not enough, the optimal password should be changed every 90 days.
This need not be the case. By now it has been shown that these guidelines produce one thing above all: weak passwords, and with them a false sense of security and poor protection. Complicated passwords and regular password changes achieve the opposite of what is intended: users reuse passwords, write them down and vary them predictably. Even subjectively “good” passwords are no longer an obstacle given increasing computing power and the constant further development of algorithms.[1]
Shared passwords are bad passwords
Half of all IT users reuse their “secure” passwords; according to one study, across four to six different services.[2]
If a service loses its user data, the logins and passwords become the basis for brute force attacks, the methodical trying of many possible combinations. You can check whether your accounts appear in known breaches at https://haveibeenpwned.com.
Typical per-service adaptations of a password – a sequence number, a special character or a letter for the respective service – are no obstacle for intelligent algorithms. Therefore, do not reuse parts of passwords either. Instead, use a password manager or at least the built-in functions of the web browser. Protect this database with a main password that is as long as possible (Firefox: Privacy & Security: Main Password; Chrome: Google, Synchronisation, Encryption Options) and keep this combination safe!
Short passwords are easy to compute
Eight characters, even with numbers and special characters, are no longer a challenge for current systems. Estimated time to compute such a password combination: 1 hour. 9 characters? 3 days. Ascending numbers appended to a known, existing password? A few seconds, at most a few minutes, to add or change probable letter combinations.
At https://howsecureismypassword.com you can try out how secure the combination variants and password lengths you use are. Possible access data are calculated and rated by how long it would take to crack them with current algorithms. However, never enter your real password on such sites; only try out comparable combinations as examples!
Password length beats complexity
A random combination of numbers, letters and symbols was long considered the best defence against brute force attacks. However, because of the human factor, “difficult” passwords are usually shorter than longer phrases that are easier to remember. Calculations prove mathematically that simpler but significantly longer passwords are more secure than shorter ones with more complex combinations.[3]
What could a secure and easy-to-remember password look like? String together several words, preferably unrelated and without personal reference. Garnish them with spelling mistakes to make dictionary attacks harder, and you are pretty close to the perfect password that can be used every day.
No more expiry date
A regular requirement to change passwords often leads to users merely adding sequence numbers to the end of the combination. These are easy for attackers to guess and weaken the password considerably. Therefore, forced periodic changes are no longer recommended. Instead, use tools that rule out weak passwords in advance, detect a possible compromise of an account as quickly as possible and trigger a password change promptly if necessary.[4]
Firefox and Chrome offer these additional functions and inform users if account data has become known through a security leak (Firefox: Privacy & Security, Access data, Alerts; Chrome: Security, Standard protection).
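To put the length-versus-complexity argument and the sequence-number point above into numbers, here is an added example (not from the original article) that compares the search space of a few password schemes. The guess rate, the 7776-word list size and the policy labels are assumptions chosen for illustration.

```python
import math

# Assumed attacker guess rate for an offline attack on a fast, unsalted hash.
# This is a constructed figure for illustration, not a number from the article.
GUESS_RATE = 1e11  # guesses per second

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` symbols, each drawn
    uniformly from `alphabet_size` possibilities: log2 of the search space."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(bits: float, guess_rate: float = GUESS_RATE) -> float:
    """Expected time to hit the secret: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guess_rate

def appended_counter_bits(digits: int) -> float:
    """Extra work an attacker faces when a password they already know only gets
    a numeric suffix of `digits` digits (Winter23 -> Winter24, Pass1 -> Pass2)."""
    return keyspace_bits(10, digits)

# Policies modelled as (alphabet size, length). A word list is treated as an
# alphabet of whole words, which is how an attacker who knows the scheme searches.
POLICIES = {
    "8 chars, all 95 printable ASCII": (95, 8),
    "16 chars, lowercase letters only": (26, 16),
    "5 random words, 7776-word list": (7776, 5),
}

def compare_policies(policies=POLICIES, guess_rate=GUESS_RATE):
    """Return {policy: (bits, expected seconds)} sorted from weakest to strongest."""
    rows = {}
    for name, (alphabet, length) in policies.items():
        bits = keyspace_bits(alphabet, length)
        rows[name] = (round(bits, 1), expected_crack_seconds(bits, guess_rate))
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0]))

if __name__ == "__main__":
    for name, (bits, secs) in compare_policies().items():
        print(f"{name:36s} {bits:6.1f} bits  ~{secs / 86400 / 365:.1e} years")
    counter = appended_counter_bits(2)
    print(f"two-digit counter on a known password: {counter:.1f} bits, "
          f"~{expected_crack_seconds(counter):.1e} s")
```

The 16 lowercase letters and the five-word phrase both outrank the 8-character "complex" policy, while a two-digit counter on an already-known password adds under 7 bits, which the assumed guess rate exhausts in a fraction of a second.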
2-factor authentication for important services
Particularly important and central services, such as a personal main email address, are often the basis for additional functions such as password resets and proof of identity for other services. Therefore, they are of special interest to attackers. These central accounts need to be protected with particular care to prevent account takeover. Activating 2-factor authentication makes misuse more difficult and improves the security of the services you use digitally.
Passwords are a very important part of current IT security and enable simple and efficient authentication of users. Although often described as too insecure, this method of access will be with us for a long time to come. Existing password policies, often in use for years, are frequently no longer in line with current user needs and IT security requirements. Adapt your corporate guidelines and your private behaviour now!