Tips and hints for how to use passwords securely

“Change your password” day

Since 2012, February 1st of every year has been “Change your password” day. It was launched by US tech blogs and Gizmodo, which in 2012 wanted to create a kind of positive peer pressure to change passwords. At least the most important passwords should be changed once a year. But is this really so sensible and important?

Whether changing passwords regularly really leads to more security is at least debatable. Under many companies’ password policies, users are prompted to change their password every few weeks or months. This often leads users to pick an easy-to-remember password, garnished with a number. Thus, “password!12” quickly becomes “password!13” at the next change. That certainly does not add any security.

How to use passwords: users need to be made aware

But what is more important than changing your password regularly? A password should have a minimum of complexity. The most popular passwords in Germany show that this is still a problem today. The Hasso-Plattner-Institute (HPI) regularly publishes a list of the most popular passwords. The list is based on 67 million credentials that were leaked in 2019. In 2019, the HPI registered more than 178 data leaks that were included in its Identity Leak Checker. 96 of these data leaks were confirmed by the service providers. The list of the most popular passwords in Germany looks almost the same every year.

 

Germany's most popular passwords

  • 123456
  • 123456789
  • 12345678
  • 1234567
  • Password
  • 111111
  • 1234567890
  • 123123
  • 000000
  • abc123

Source: Hasso-Plattner-Institute

In addition, you should regularly check whether you have been the victim of data theft yourself. The HPI offers the aforementioned Identity Leak Checker. Since 2014, every Internet user has been able to use the tool free of charge: you enter your e-mail address and check whether your identity data is circulating freely on the Internet and could be misused. The database now contains more than 10 billion identity records. Another tool that uses your e-mail address to check whether your login and personal data are affected by data leaks is HaveIbeenpwned.

What the data leaks also show: Reusing the same or similar passwords with different services is not a good idea. If a service is hacked, other services may also be directly compromised. Unfortunately, 59 percent of Internet users still use the same password for multiple services, according to a survey by the email provider Web.de. According to this study, personal information is also commonly used in passwords.

Infographic: How Germans Create Their Passwords (Source: Statista)

Tips for a secure password

A secure password is not witchcraft if you follow a few basic rules.

  • Long passwords (at least 8 characters, better 15 or more characters)
  • Use all character classes (uppercase, lowercase, numbers, special characters)
  • No words from the dictionary
  • Do not reuse the same or similar passwords with different services
  • Use a password manager
  • Change passwords after security incidents and when they do not comply with the above rules
  • Enable two-factor authentication when possible
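
The rules above can be turned into an automated check at password-change time. The following is an added example, not code from the original article: the function name, the small word list and the 0.8 similarity threshold are assumptions, and the common-password set is the top-10 list quoted on this page.

```python
import re
from difflib import SequenceMatcher

# The ten most popular passwords listed on this page (compared case-insensitively).
COMMON = {"123456", "123456789", "12345678", "1234567", "password",
          "111111", "1234567890", "123123", "000000", "abc123"}
# Constructed mini dictionary; a real deployment would load a full word list.
WORDS = {"password", "summer", "welcome", "dragon"}
# One pattern per character class: lowercase, uppercase, digit, special.
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")

def violations(new, old=None, min_len=8):
    """Return the list of rules from the page that `new` breaks.

    `old` is the current password typed into the change form; it is only
    compared in memory and never needs to be stored in plaintext.
    """
    found = []
    lowered = new.lower()
    if len(new) < min_len:
        found.append("too short")
    if not all(re.search(c, new) for c in CLASSES):
        found.append("missing character class")
    if lowered in COMMON:
        found.append("on common-password list")
    if any(word in lowered for word in WORDS):
        found.append("contains dictionary word")
    if old is not None:
        # Strip digits so a bumped counter ("password!12" -> "password!13")
        # is recognised as the same password.
        core_new = re.sub(r"\d+", "", lowered)
        core_old = re.sub(r"\d+", "", old.lower())
        similar = SequenceMatcher(None, lowered, old.lower()).ratio() >= 0.8
        if core_new == core_old or similar:
            found.append("too similar to previous password")
    return found

if __name__ == "__main__":
    for candidate, previous in [("123456", None),
                                ("password!13", "password!12"),
                                ("MnA01tss€drWt.", "password!12")]:
        print(repr(candidate), "->", violations(candidate, previous) or "ok")
```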

Methods for secure password selection

A password becomes more secure the longer it is and the larger the character set it is drawn from. Together, these determine how long it takes to try all possible combinations.

The character set has size 10 if you only use digits (0 – 9). If only letters can be used for a password, the character set already has 26 characters without and 52 with case distinction. Digits plus upper- and lowercase letters give a character set of 62 characters; with special characters you arrive at 96 – 108 possible characters.

A 4-digit PIN, i.e. a short, simple password, has 10^4 possible combinations: 10,000 passwords. Trying all combinations takes less than 1 second. If you add uppercase and lowercase letters to the digits, you already get 62^4 = 14,776,336 possible passwords. But again, a normal PC needs less than 1 second to try all combinations. With a password length of 12 characters, there are already 62^12 (more than 3 trillion) possibilities, and it would take a normal PC about 1,705 years to try all combinations. A cluster or a cloud would still take just under 6 years.
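
The calculation above can be reproduced and inverted to derive a minimum length for a given character set. This is an added example, not part of the original article: the guess rate of 6 × 10^10 per second is an assumption back-computed from the article's figure of about 1,705 years for 62^12 combinations, and the count of 34 special characters is chosen so that all four classes sum to the article's 96.

```python
# Character-class sizes as used in the article; SPECIAL is an assumption
# chosen so that all four classes together give 96 characters.
DIGITS, LOWER, UPPER, SPECIAL = 10, 26, 26, 34
# Assumed guess rate of a "normal PC", back-computed from the article's
# 1,705 years for 62**12 (about 3.2e21) combinations.
RATE = 60_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(password):
    """Estimate the character set from the classes a password actually uses."""
    size = 0
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(not c.isalnum() for c in password):
        size += SPECIAL
    return size

def keyspace(size, length):
    """Number of possible passwords: character-set size to the power of length."""
    return size ** length

def years_to_exhaust(size, length, rate=RATE):
    """Worst-case time to try every combination at `rate` guesses per second."""
    return keyspace(size, length) / (rate * SECONDS_PER_YEAR)

def min_length(size, years, rate=RATE):
    """Shortest length whose full keyspace takes at least `years` to try."""
    target = rate * SECONDS_PER_YEAR * years
    length = 1
    while keyspace(size, length) < target:
        length += 1
    return length

if __name__ == "__main__":
    for size in (10, 52, 62, 96):
        print(f"{size:>3} characters: length {min_length(size, 1000)} "
              f"needed to withstand 1,000 years of guessing")
    pw = "password!12"
    print(pw, "->", charset_size(pw), "characters,",
          f"{years_to_exhaust(charset_size(pw), len(pw)):.0f} years (upper bound)")
```

The result is only an upper bound for the attacker's effort: it assumes every character is chosen at random, so a password from the most-popular list or a dictionary word falls far sooner than the figure suggests.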

How to create a secure password?

There are several methods to create a secure password. One of them is the sentence method, which we briefly explain:

  • Think of an easy-to-remember sentence: “My car is the fastest in the world.” (in the German original: “Mein Auto ist das schnellste der Welt.”)
  • Select single letters from each word (e.g. first and last letters): Mn Ao it ds se dr Wt.
  • Insert capital letters, punctuation marks, and special characters: MnA01tss€drWt.

After entering this password five times, you will remember the typing pattern. This password gives 96^15 combinations, and it would take over 500 million years to try all of them. The Federal Office for Information Security (BSI) has some interesting tips for passwords and password security.
