Does a secure password need special characters and capital letters?

Every day we use passwords for a wide variety of services. Some online services even impose technical requirements when a password is created, specifying which characters must appear. Length, special characters or regular changes – TECHBOOK asked experts what really matters.

Passwords protect our accounts on the most diverse portals. But what actually makes a good password? The length? As many special characters as possible? A password change every few weeks? TECHBOOK spoke with Arno Wacker, Professor of Data Protection and Compliance at the University of the Federal Armed Forces in Munich, and with Tim Griese from the Federal Office for Information Security (BSI). First of all: much of the common wisdom about secure passwords is outdated and pointless for the user.

This is how secure changing your password regularly really is

It actually sounds quite logical: if you want a secure password, you have to change your passwords at regular intervals. So far the common theory. However, according to IT security expert Arno Wacker, this no longer applies in this form. The rule has its origins in the old guidelines of the National Institute of Standards and Technology (NIST); however, the US federal agency changed its handling of passwords in 2017 and the requirement for regular password changes was finally dropped. “The reason for this is that in the meantime some scientific studies are out there that say that changing it regularly does more harm than good to security. One easy-to-understand reason is user psychology: if users don’t have to change their password every few months, they’re significantly less likely to choose bad or simple passwords, i.e. they’re more likely to stick with generating a good and strong password,” says Wacker to TECHBOOK.

Nevertheless, the rumor persists that users should always change their passwords. When asked by TECHBOOK, however, the BSI did not give a blanket recommendation to constantly change the password. “According to the experience of the BSI, successful cyber attacks are only discovered after more than 200 days on average. Changing passwords regularly can therefore make sense in order to make stolen passwords unusable for cyber criminals, even if the password theft has gone unnoticed until then,” explains Tim Griese from the BSI. In any case, users should change their password if there are indications that it may have been compromised. The number of failed logins and the date of the last login can provide information about this. When changing a password, the user should make sure to choose a strong password again.

Is a secure password made up of multiple words?

A password consisting of several words can make sense. “A passphrase can also offer a high level of protection, but it must not be too short,” advises Griese from the BSI. The length determines the quality of a password. However, two-word passwords are not recommended, mainly because a password of 20 letters or more is considered secure and two words alone can hardly reach this length. “But the approach is correct: if you use a whole sentence, i.e. a so-called passphrase, with a total length of well over 20 characters, it can now be considered secure,” explains Arno Wacker.

When using two words with a total of 10 letters, the password strength corresponds to about 47 bits. In other words: a computer needs about 140,737,488,355,328 attempts to crack the password using a brute force attack. The attacker tries to go through every possible combination of letters, but this takes time. Although this is already a challenge for a single computer, it is not for large computer networks. With three words totalling 16 letters, it is already significantly better at around 71 bits, but still not in the safe range. With four words with a total of 20 letters, users achieve a strength of 95 bits. This is considered relatively safe. A password of six words already has cryptographic strength. To put it in numbers: with a 20-letter passphrase, a computer or computer network needs a full 39,614,081,257,132,168,796,771,975,168 attempts to find the password – even if it is all lower case! An unimaginably high number of attempts.

Is a strong password sufficient for all services?

No matter how strong a password is, users should always choose different passwords – and never use just one for all accounts. In data leaks, password databases are stolen from service providers. The user’s password then no longer needs to be cracked. “If this password, no matter how strong, is used for other accounts, these accounts are also open to an attacker. That’s why it’s important to use different passwords for different accounts,” says Tim Griese from the BSI to TECHBOOK. The user also never knows how well the service handles the password. “In the worst case, the service saves the password in plain text (as happened with Facebook),” says Wacker. The password’s strength would not matter at all in such a case.

This is what special characters do

Users hear this advice again and again when it comes to passwords: special characters make a password more secure. But is that true? Often users don’t even have a choice. Online services increasingly require a password with special characters or several types of characters. “Special characters expand the range of characters used, making it more difficult for attackers to crack the password. However, a very long password without special characters (passphrase) also makes access more difficult for an attacker. Depending on the length of the passphrase, even significantly more than with a simple password. Therefore, the length of the selected password is more important than the use of special characters,” says Tim Griese from the BSI.


How many characters and character types a secure password needs

A password can never be too long. “Here you can say in general: the longer, the better – the length plays the biggest role in the security of the password,” explains expert Arno Wacker. Depending on the service, there are specific rules for the length. An online password should have more than ten characters, a WiFi password more than 20 characters. From a mathematical point of view, according to Wacker, a password with a length of twelve characters or more is considered good and offers adequate security. According to the NIST guidelines, however, only passwords of 20 characters or more are really secure.

Choosing a secure password always depends on two characteristics – the length and the complexity of the password. If you use several types of characters, such as lower case letters, special characters and upper case letters, the complexity of the password increases. But that is harder to remember. The following overview will therefore help you to choose the right password.

  • If you only want to rely on a password made up of upper and lower case letters, you should choose a password length between 20 and 25 characters. This would cover two types of characters. To remember all words, you can use a sequence of words or a passphrase.
  • If you use four character types, you can shorten the password to 8-12 characters. However, it is very complex and difficult to remember when it consists of upper and lower case letters, special characters and numbers.
  • In addition, a password with 8 characters is considered secure if at least three types of characters and multi-factor authentication are used. This can be done, for example, with a one-time password generated in an app.
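The bit figures in the passphrase section and the length/character-type trade-off in the overview above both follow from one formula: entropy = length × log2(alphabet size). The following added example (not from the article or the experts quoted) computes it; the alphabet sizes are assumptions (26 lowercase letters, 52 with upper case, 62 with digits, 94 printable ASCII symbols for four types), and the article's own figures are rounded.

```python
import math

# Assumed alphabet sizes for each combination of character types.
CHARSETS = {
    "lower": 26,               # a-z
    "upper+lower": 52,         # a-z, A-Z
    "upper+lower+digits": 62,  # three types
    "four types": 94,          # printable ASCII without space
}


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for `length` characters chosen uniformly at random
    from `charset_size` symbols (no patterns, no dictionary words)."""
    return length * math.log2(charset_size)


def attempts_for_bits(bits: int) -> int:
    """Worst-case brute-force attempts for a password of `bits` entropy."""
    return 2 ** bits


def required_length(target_bits: float, charset_size: int) -> int:
    """Shortest length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(charset_size))


def compare(length_a: int, set_a: str, length_b: int, set_b: str) -> str:
    """Return which of two (length, character set) choices is stronger."""
    bits_a = entropy_bits(length_a, CHARSETS[set_a])
    bits_b = entropy_bits(length_b, CHARSETS[set_b])
    return "a" if bits_a > bits_b else "b"


if __name__ == "__main__":
    # Two words, 10 lowercase letters: about 47 bits, as in the article.
    print(round(entropy_bits(10, CHARSETS["lower"])), attempts_for_bits(47))
    # 20-letter passphrase versus 12 characters drawn from four types:
    # the longer all-lowercase passphrase wins, which is the BSI's point.
    print(compare(20, "lower", 12, "four types"))
    # 8 characters from three types is under 50 bits on its own, which is
    # why the overview pairs it with multi-factor authentication.
    print(round(entropy_bits(8, CHARSETS["upper+lower+digits"])))
```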

The perfect password

But what else is important apart from the length? “A ‘good’ password is one that doesn’t follow any pattern, i.e. is completely random, and one character is chosen from a character set of 100 characters for each character,” says Wacker. Remembering a good and, above all, long password for a wide variety of services sounds like a real challenge. But don’t worry, you don’t need an elephant’s memory: a password manager promises to help. “This is software that securely encrypts the user’s passwords and stores them in a file. Access to it is secured by a strong master password and potentially a second factor,” says Wacker. Since all passwords are kept in this software, special attention must be paid to security aspects when choosing one. The software should therefore be open source; a good example is KeePassXC, advises Wacker.

The security question is used when the user has forgotten the password and still wants access to the corresponding account. But: “The security question is a very bad idea and was therefore also removed from the current NIST guidelines, which even explicitly demand that it no longer exist. It is absolutely correct – attackers (hackers) can also answer the security question, insofar as it is based on information that is somehow available or can be guessed, and thus bypass the strongest password,” says Arno Wacker. If the online service requires a security question, users should apply the same criteria as for a secure password.

Source:

  • BSI, accessed 11/21/22.
