Zürich, 19 January 2021 – What to do with passwords? Change them regularly, or play it safe from the get-go? “Change Your Password” Day, which takes place annually on 1 February, is intended to encourage users to change their passwords regularly – but in light of the number of passwords the average user has to manage, that’s simply unrealistic. Nevis, the Swiss market leader in Identity and Access Management, offers some tips that work better.
The goal of “Change Your Password” Day, which was launched by the website Gizmodo in 2012 following a spectacular webshop hack in the USA, is a noble one. However, it’s not exactly realistic. Over time, even the moderately Internet-savvy accumulate dozens, if not hundreds, of passwords. Electricity and Internet providers require them to log into their customer portals. So do social media platforms, forums, webmail services, and online shop hosts. Anyone wanting to change all these passwords regularly had better have a lot of time, patience, and a high tolerance for suffering – or, more likely, will simply skip it altogether. At any rate, in its Compendium on IT Baseline Security published in early 2020, the Federal Office for Information Security (BSI) removed its recommendation to change passwords regularly. Five simple and basic rules guarantee better protection:
- Use every password just once: Reuse makes sense for deposit bottles. When it comes to passwords, however, the concept is simply misguided. People who use each password only once have less to worry about should one land in the wrong hands. And that happens more quickly than you think: the Hasso Plattner Institute’s Identity Leak Checker currently lists a staggering twelve billion user accounts seized during cyberattacks and published by hackers.
- Change insecure passwords: Changing passwords frequently often results in short, insecure passwords or in trivial changes such as “flower0815” to “flower0816”. The result is different, but unfortunately not more secure. If you’ve still got passwords like these in your password pool, you’d better heed tip three right away.
- Choose a secure password: Whenever possible, your password should have capital and lowercase letters, numbers, and symbols. The length of your password is also key: if it’s 20 to 25 characters long, two character types are sufficient – ideal, for example, for remembering a sentence as a password. If the password only consists of eight to twelve characters, you should use all four character types.
- Use a password manager: Only a handful of people are skilled enough in the art of memorizing to remember dozens of passwords. Slips of paper, text files, and the like are not an ideal storage solution as they can get lost or fall into the wrong hands.
Instead, use a password manager that allows you to securely encrypt and store all your data. In addition to countless commercial tools, the freeware KeePass has proven successful for everyday use. Encryption is accomplished via a master password, which can also be strengthened through the use of a keyfile – e.g. on a USB stick or a special hardware token.
- Use two-factor authentication: Many online services now offer the option to strengthen the login by adding two-factor authentication. In this case, a second factor, for example an SMS code delivered automatically to the user’s mobile device, has to be entered after the password. On top of that, passwordless authentication methods such as Face ID or a fingerprint are becoming more and more common. Whenever the opportunity presents itself, you should activate these options, since they enhance the security of your accounts even more.
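Tips two and three can be turned into a simple check that a service or password manager could run before accepting a new password. The following is an added example, not Nevis code; it assumes that any character that is not a letter or digit counts as a “symbol”, and fills the gaps the tip leaves (13 to 19 characters, more than 25) with the stricter of the two neighbouring rules.

```python
import re
from typing import List, Optional


def character_classes(password: str) -> int:
    """Count the character types from tip three: capitals, lowercase, digits, symbols.
    Assumption: any character that is not a letter or digit (spaces included) is a symbol."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def meets_tip_three(password: str) -> bool:
    """Length/variety rule from tip three. The tip names 8-12 and 20-25 characters;
    the gaps are filled as an assumption: 20 or more characters need two types,
    8 to 19 need all four, anything shorter is rejected."""
    n, classes = len(password), character_classes(password)
    if n >= 20:
        return classes >= 2
    if n >= 8:
        return classes == 4
    return False


# Splits a password into "everything before the trailing digits" and the digits.
_TRAILING_DIGITS = re.compile(r"(.*?)(\d+)")


def is_trivial_variation(old: str, new: str) -> bool:
    """Detect the 'flower0815' -> 'flower0816' change from tip two: same text with
    only the trailing digits or only the letter case changed."""
    if old.lower() == new.lower():
        return True
    old_m, new_m = _TRAILING_DIGITS.fullmatch(old), _TRAILING_DIGITS.fullmatch(new)
    return bool(old_m and new_m and old_m.group(1).lower() == new_m.group(1).lower())


def evaluate(new: str, old: Optional[str] = None) -> List[str]:
    """Return the tips the new password violates; an empty list means it passes."""
    problems = []
    if not meets_tip_three(new):
        problems.append("tip 3: too short for the number of character types it uses")
    if old is not None and is_trivial_variation(old, new):
        problems.append("tip 2: only a trivial variation of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample values, modelled on the examples in the tips above.
    for old, new in [("flower0815", "flower0816"), ("flower0815", "a sentence is my password 2021")]:
        print(f"{old!r} -> {new!r}: {evaluate(new, old) or 'OK'}")
```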
Convenience is the wrong approach
Anyone still using an insecure password along the lines of “123456” or “qwerty” should really use the occasion of “Change Your Password” Day to close this gateway to cyber criminals. For everyone else: it’s not necessary to change your password constantly if it’s long enough and contains a sensible mix of capital and lowercase letters, numbers, and symbols. Moreover, two-factor authentication or a passwordless login procedure should be activated whenever offered.
Nevis develops security solutions for the digital world of tomorrow. Its portfolio encompasses passwordless logins, which are intuitive to use and offer optimal protection for user data. Nevis is the market leader for Identity and Access Management in Switzerland and secures over 80 percent of all online banking transactions. Public authorities, leading service providers, and industrial enterprises worldwide rely on Nevis solutions. The authentication specialist has locations in Switzerland, Germany, and Hungary.
LEWIS Communications GmbH
Ingo Geisler, email@example.com