“Simple” has long been a bad word when it comes to passwords. Instead, they were supposed to be as complicated as possible, unique to each account and, if possible, never written down anywhere. This was the optimal password strategy as propagated by the Federal Office for Information Security (BSI). It clearly overwhelmed users of online services, which ultimately undermined security because users worked around it. Now there is a paradigm shift: a password should be suitable for everyday use. In addition, two-factor authentication plays an important role.

No life without a password

Passwords have become an integral part of modern everyday life. However, it has become increasingly difficult for consumers to tell what makes a password truly secure. And once you had a secure password, you needed an equally secure but different password for every other account, so that in the event of an incident you would lose only one account rather than several or even all of them.

The main requirements for a password have so far been complexity and length. Both make a password very hard to crack, even for computer-assisted attacks that try candidates generated at random. For the user of such complex passwords, however, their unwieldiness made keeping them at hand a major challenge. After all, such complicated passwords are not easy to remember. For many users, the solution was to write the passwords down somewhere, which in turn amounted to breaking the very recommendations they were trying to follow.

New recommendations for action

The BSI has now issued new recommendations for action that make it easier for users to choose secure passwords. The Advisory Board for Digital Consumer Protection at the BSI is responsible for them and has dealt intensively with the topic.

The first commandment of password security: uniqueness

Each password should only be used for a single account. If it is stolen and misused, whether on the user's side or the provider's, the damage is at least limited to this one account. Many users will still have to adapt here, even though this requirement is nothing new.

Simpler instead of overly complex

In contrast, the overly complex passwords that have long been propagated are not very effective. This refers to a sequence of random characters (uppercase and lowercase letters, special characters and numbers) whose length exceeds what the recognized rules currently require. If a password is too complicated, a consumer will not use it permanently. He will simply not be able to remember it, despite all the mnemonics and memory aids, and will ultimately fall back on simple, memorable but vulnerable passwords. No, 1234 is not a good password. Neither is Bello's name or date of birth.

Long combinations of words instead of fancy strings

Instead, it is better to use longer passwords, or passwords made up of several existing words, which are less complex and easier to remember than fanciful combinations of every available character. A term like Gurken-Turbo#Klatsch is easy to remember with a mnemonic, yet it gives password-cracking software a hard time.
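The argument above is that a few memorable words beat a short random string. The following added example (not code from the article or the BSI) puts numbers on that claim: it computes the entropy of a uniformly random character string and of a passphrase drawn from a word list, works out how many words are needed to match a given random string, and converts both into the time an offline guessing attack would need at an assumed guess rate. The alphabet size (94 printable ASCII characters), the word-list size (7776 entries, as in diceware-style schemes), the guess rate and the tiny sample word list are all assumptions chosen for the example.

```python
import math
import secrets

# Assumed parameters, not from the BSI article: printable ASCII for random
# strings, and a 7776-entry word list as used by diceware-style schemes.
RANDOM_ALPHABET_SIZE = 26 + 26 + 10 + 32   # upper, lower, digits, punctuation
WORDLIST_SIZE = 7776

# Tiny constructed word list so the generator runs offline; a real passphrase
# scheme would load a full list with WORDLIST_SIZE entries.
SAMPLE_WORDS = ["gurke", "turbo", "klatsch", "fenster", "wolke", "anker", "zimt", "lampe"]


def random_string_bits(length: int, alphabet_size: int = RANDOM_ALPHABET_SIZE) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy in bits of `word_count` words drawn uniformly from a list.

    Only the number of words and the list size count: the attacker is assumed
    to know the list, so the letters inside the words add nothing."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Smallest number of words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def make_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Draw words with a CSPRNG. Entropy is relative to len(words), so with the
    tiny SAMPLE_WORDS list this is a demonstration, not a usable password."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare(random_length: int = 8, word_count: int = 5) -> dict:
    """Side-by-side figures for the two construction methods."""
    r = random_string_bits(random_length)
    p = passphrase_bits(word_count)
    return {
        "random_bits": round(r, 1),
        "passphrase_bits": round(p, 1),
        "words_to_match_random": words_needed(r),
        "random_years": years_to_exhaust(r),
        "passphrase_years": years_to_exhaust(p),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>24}: {value}")
    print("example passphrase:", make_passphrase(5))
```

With these assumptions an 8-character random string carries about 52 bits, while five words from a 7776-word list carry about 65 bits; four words fall slightly short of the random string, five words beat it. The entropy figure for a passphrase assumes the words really are drawn at random from the list; a phrase the user composes from favourite words is easier to guess than the formula suggests.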

Don't constantly renew your password

Regular password renewal is now viewed as equally unhelpful. Once a password has been chosen, it should be used for a longer period of time. This recommendation is not new either; it was made several years ago, but the old advice still haunts the online world through various guides and the like. Passwords should be changed at the latest when they are insecure (1234 or similar) or when there is a suspicion that they have been compromised.

2-factor authentication

Wherever possible, consumers should use 2-factor authentication, also known as two-factor authentication or 2FA. Even if the password falls into the wrong hands, whether through the user or the service provider, the attacker still faces the hurdle of a second confirmation, ideally on a different device.

Response to problem analysis

With these recommendations, the BSI is responding to a joint study with the Federal Chancellery on account protection. The study identified four points that call the current recommendations for password security into question:

  • Limits on how many different passwords can be remembered,
  • Doubts about the effectiveness of a secure password,
  • Uncertainty as to when a password is secure enough,
  • A paradoxical relationship between password requirements and password usage practices.

Risks also arise for service providers

The Digital Consumer Protection Advisory Board also complains that, in addition to self-selected “weak” passwords, easy-to-guess passwords or fixed login/password combinations are often stored directly in consumer IT by the manufacturer (default passwords…). Nevertheless, consumers alone bear the risk in the event of an attack. Another risk lies on the provider side. Even the best passwords are of no use if the provider leaks them. If the consumer used them for several services because he had adhered to strict password requirements, there is considerable potential for damage.

Password managers are not an alternative for many people

For many users, a password manager, which stores self-selected passwords securely, offers a generator for complex passwords and protects everything with a master password, is not an alternative. Apparently there is still a lot of uncertainty and little trust in this technology. Can I actually access my own passwords at any time? Could unauthorized users possibly access the stored passwords? Do users really understand all the features of such a password manager? For example, such managers can warn about fake websites.

The BSI still considers password managers a good solution for storing passwords. But the new recommendations now also allow organizations to write passwords down in the traditional way, as long as the note is then stored securely and is not easily accessible. So please don't put it in the top desk drawer, stick it under the table or attach it to the screen on a post-it... 😉

Usability before security

One of the most important lessons from the study on account protection is the realization that the security of an online account is of no use if the effort required is too great. If consumers feel that the hurdles for a secure password are too high, this only makes them more unsure. The result is that caution is thrown out of the window: passwords are reused, created according to an easy-to-guess scheme, or written down and stored in unsafe places (e.g. under the desk pad ;-)). In the future, usability should take precedence over security when it comes to recommendations. Consumers are generally willing to meet high standards for passwords as long as they are offered a simple and secure way to store them.

The term 2-factor authentication is still largely unknown

The term “two-factor authentication” (2FA) is known without further explanation to only 43 percent of all Internet users aged 16 and over. Once the principle is explained, three quarters (75 percent) already recognize the principle of two-step login. The best-known and most frequently used two-factor methods are SMS-TAN (known to 85 percent of those familiar with 2FA) and a code sent via email (76 percent). Fewer than half of 2FA users would know what to do if the second factor were lost or defective.

Online banking (90 percent) and payment service providers such as PayPal (84 percent) are most frequently named by those familiar with 2FA as particularly worthy of protection. These high values are not surprising, as 2FA has been made mandatory for such financial services. The email inbox is still viewed as particularly worthy of protection by 61 percent; however, at the time of the survey, only 17 percent of those familiar with 2FA used a 2FA procedure to log in to their email service.

Why do consumers often not yet use secure login methods such as 2FA?

The Advisory Board sees one important reason in the fact that online services often do not offer it at all. The aim must therefore be for providers to raise their security precautions through 2-factor authentication so that consumers can easily protect their accounts.

Source: BSI

Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic. 2) Individual contributions were created with the use of machine assistance and were carefully checked by the Mimikama editorial team before publication.