Spoilt for choice, as the saying goes.
Many Internet users find it particularly difficult to choose good passwords. It is therefore no surprise that badly chosen passwords such as 123456 or qwert top the list of the most frequent IT security deficiencies. Those who take the trouble to use a somewhat more complicated password instead often use one and the same password for many different programs or accounts. Hackers, of course, enjoy all of this. They have tools that automatically try every possible combination of characters, run through entire dictionaries including common word combinations with appended numbers, or try credentials published on the Internet against all kinds of services. To prevent this, a password should meet certain quality requirements and should only ever be used for a single account.
Passwords do not only protect confidential data. An example: it is now common to create an account with various providers on the Internet, and the login to this account is protected by a password. What could happen if someone logs in there under your name? Who would want strangers to be able to send e-mails in their name or bid for expensive goods on the Internet?
Therefore: Use the following recommendations for creating and handling passwords – and do something for your security.
Tips for a good password
- There are no limits to your creativity when choosing a password. What matters is that you can remember the password well. There are various strategies to help with this: one person memorises a sentence and uses only the first letter (or only the second or last letter) of each word, perhaps afterwards converting certain letters into numbers or special characters. Another uses an entire sentence as a password or strings together different words joined by special characters. A further possibility is to randomly select 5-6 words from a dictionary and separate them with spaces. This results in a password that is easy to remember, easy to type and difficult for attackers to break.
- The general rule is: the longer, the better. A good password should be at least twelve characters long. For WLAN encryption methods such as WPA and WPA2, for example, the password should be at least 20 characters long, because so-called offline attacks are possible here, which work even without an established network connection.
- As a rule, all available characters can be used in a password: upper and lower case letters, numbers and special characters (spaces, ?!%+…). Some providers of online services impose technical requirements on the characters that can or should be used. If your system allows umlauts, remember when travelling abroad that it may not be possible to enter them on local keyboards.
- Names of family members, pets, best friends, favourite stars, dates of birth and the like are not suitable as passwords. If possible, the full password should not appear in a dictionary. It should also not consist of common variants, repetitions or keyboard patterns such as “asdfgh” or “1234abcd”. Some providers compare passwords against a so-called “black list” containing exactly such unsuitable passwords; if you try to use one of them, you will receive a message that the password is not allowed in this form or is not secure.
- Adding simple numbers at the end, or one of the usual special characters $ ! ? # at the beginning or end, of an otherwise simple password is not recommended.
- Instead, consider using a password manager to manage your different passwords well and use your strongest password to secure it. This way you only have to remember one good password and you can still use very strong passwords that are different everywhere.
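As an added example that is not part of the original article, the following Python turns the rules above into a checker (minimum length, the WPA/WPA2 case, black list, decorated simple words, keyboard patterns, repetition) and generates the dictionary-word passphrases described in the first tip. The word lists are small constructed samples; a real check would use large published lists.

```python
import re
import secrets

# Constructed sample lists; a real check would use large published lists.
BLACKLIST = {"123456", "qwert", "qwerty", "password", "asdfgh", "1234abcd"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SAMPLE_DICTIONARY = ["anchor", "basket", "candle", "dragon", "ember", "forest",
                     "glacier", "harbor", "island", "jungle", "kettle", "lantern"]
MIN_LENGTH, MIN_LENGTH_WLAN = 12, 20   # general rule / WPA-WPA2 pre-shared key

def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if 'run' adjacent keys of one keyboard row appear in pw, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False

def has_repetition(pw: str) -> bool:
    """True for a character repeated 3+ times in a row or a chunk repeated to fill the password."""
    return bool(re.search(r"(.)\1\1", pw) or re.fullmatch(r"(.+?)\1+", pw))

def strip_decoration(pw: str) -> str:
    """Remove the 'usual' decorations: leading/trailing $ ! ? # and trailing digits."""
    return re.sub(r"\d+$", "", pw.strip("$!?#")).lower()

def check_password(pw: str, wlan: bool = False) -> list:
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    minimum = MIN_LENGTH_WLAN if wlan else MIN_LENGTH
    if len(pw) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if pw.lower() in BLACKLIST:
        problems.append("on the black list")
    elif strip_decoration(pw) in BLACKLIST or strip_decoration(pw) in SAMPLE_DICTIONARY:
        problems.append("simple word with decoration")
    if has_keyboard_run(pw):
        problems.append("keyboard pattern")
    if has_repetition(pw):
        problems.append("repetition")
    return problems

def generate_passphrase(words: int = 5, dictionary=SAMPLE_DICTIONARY) -> str:
    """Pick 'words' distinct dictionary words with a CSPRNG and join them with spaces."""
    return " ".join(secrets.SystemRandom().sample(dictionary, words))
```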
Two-factor authentication for higher security
Many online service providers now offer procedures by which users identify themselves when logging into an account in addition to entering their password. This so-called two-factor authentication comes in numerous variants, ranging from an individual code sent via SMS to a hardware-based TAN generator. Hardware-based procedures in particular offer a high degree of security and should be used in addition to a strong password wherever possible.
How does a log-in with a second factor work?
Multi-factor authentication often starts with the usual entry of a good password. The system the user wants to log into then confirms that the password entered is correct. However, this does not lead directly to the desired content – as it would with simple systems – but to a further barrier. This prevents unauthorised third parties from gaining access to user data or functions merely because they have obtained the password.
Many common two-factor systems call on external systems after the password prompt to perform a two-stage verification of the user. This may mean that the provider you want to log in with sends a confirmation code to another of your devices, such as your smartphone. The second factor could also be your fingerprint on a suitable sensor or the use of a USB token or smart card. Only when you also possess this means of confirming your identity can you access the requested content and use the online service or device.
It is important that the factors come from different categories, i.e. a combination of knowledge (e.g. password, PIN), possession (e.g. smart card, TAN generator) and biometrics (e.g. fingerprint) is used.
Instead of the service provider checking the various factors one after another in several stages, some procedures combine several factors directly. For example, in the online identification function of the ID card, the factor “possession of the chip card” can only be used together with the factor “knowledge of the PIN”. Authentication with the service provider takes place only with both in combination. This offers even greater security than the sequential checking of a password and a separate second factor.
What are common systems for two-factor authentication?
In principle, a second factor always increases security, but how the second factor is implemented and used also matters. Essentially, the following groups of two-factor authentication methods can be distinguished:
TAN/OTP systems as a second factor after a password: A TAN or OTP is a one-time password that is generated or transmitted as a second factor. In the past, TANs were provided in advance on paper lists (iTANs), but this procedure has for some time been regarded as no longer secure enough. TAN generators (hardware) or authenticator apps (software) that continuously generate one-time passwords on a time-based or event-based basis are better. Even more secure are TAN generators that also incorporate data from the transaction (e.g. account number and amount) into the generation of the TAN (eTAN, chipTAN).
Alternatively, the TAN is transmitted to the user by the service provider via a separate transmission path or to a separate device. The most common way of transmitting the TAN is via SMS (mTAN, smsTAN), possibly together with additional transaction information. However, it is not advisable to use the same device for receiving the mTAN as for logging in or using the service (insufficient separation of factors).
Cryptographic token: A cryptographic token stores a private cryptographic key. Authentication takes place by sending a challenge to the token, which the token can answer correctly only by using the private key.
The key can be stored as a software certificate (familiar from various tax systems), but storage in hardware on a smart card (HBCI, signature cards) or a special USB stick/NFC token (FIDO/U2F) is more secure. The identity card and the electronic residence permit also contain secure key storage and thus enable the online identification function.
Biometric systems: Biometric systems verify the presence of a previously recorded unique physical characteristic (fingerprint, face, retina). Biometric features are normally not “secret”, so liveness detection is important to ensure that the systems cannot be tricked, e.g. with a photo.
Current recommendations and drawbacks
- Apply two-factor authentication as soon as an online service allows this.
- Many services have this feature disabled by default but still offer it; it is worth checking the login procedures.
- If your password or PIN falls into the wrong hands, your sensitive data is still well protected if it is shielded from unauthorised access by the further barrier of a second factor.
- Multi-factor authentication slightly prolongs the login process. On trusted devices it may be skipped, but this in turn reduces security.
- If you no longer have access to your possession-based factor, or it fails, you usually lose access to the corresponding service or its functionality is restricted. Make provisions for this case by registering several “second factors” where possible (e.g. another token, another TAN app or another mobile phone number for mTAN).