passwordA password is usually needed for online services authentication or the access to resources and data in a local network. While there are generally accepted principles, governing how a secure password should be composed, many people still have some problems to handle and manage the flood of passwords they need to create and keep track of.

Passwords are really safe only if they meet a handful of minimum requirements:  Passwords should, for example, be sufficiently long and possibly consist of a random character string. Simple sequences of numbers, names or terms that are also in dictionaries, in contrast, should be avoided at any cost.

To ensure that passwords meet the highest possible level of safety, it is important to consider the following basic tips when creating and using passwords:

Tip 1 - Passwords must not be written down: Only in exceptional cases is it advisable to write them down. Passwords must be treated with the same sensitivity such as debit cards or valuable bills. In no case should they be stored in the vicinity of the IT system.

Tip 2 - Passwords must be communicated to nobody: That means, the password should only be known to the user. Not even administrators or support personnel should have your password.

Tip 3 - Passwords must have a minimum length of eight characters and meet at least two of the following three requirements:

  • Letters [A-Z, a-z]
  • Numbers [0-9],
  • Special characters [ "", "§", "$", "%", "&", "(", ")", "=", "?", "#", "+", "*" , "-", etc.]

Tip 4 - Passwords must not be easy to guess: For example, first and last names, or birthdays, aren’t suitable for the matiords should never be used (such as 12345 or other adjacent characters such as "zxcvbnm").

Tip 5 - Passwords must be changed at least every 90 days: Of course there are always exceptional cases to consider, such as:

  • If passwords have become known to unauthorized persons, they have to be changed immediately.
  • If initial passwords are assigned, the reception by the user has to be confirmed, and the initial passwords must be changed immediately at first logon into the system.
  • Passwords must not be used as part of an automatic registration process. This means, for instance, that passwords must not be stored in a web browser or by using a macro or function key.
  • In case of group passwords being compulsory, it is imperative to change group passwords immediately when the composition of the group changes.
  • Passwords that have been used over an extended period are not to be used again.

Tip 6 - Formation of passwords: A very efficient method for the formation of passwords is the use of the initials of sentences. Take, for instance, a passage from a poem or a song you know. With the initial letters and punctuation marks, it is possible to create easily a very cryptic-sounding password, which can be easily remembered. Example sentence: "To be or not to be, that is the question" gives the following password: TbontbtitQ.

However, such a password is still not secure, containing only letters and no numbers or special characters, therefore please don’t forget to add them.

Tip 7 – How to create strong passwords from potentially unsafe ones:  A simple way is the replacement of letters with special characters that have a similar appearance. Of course, special characters or numbers can arbitrarily be interspersed in the password (such as e.g.  TbontbtitQ = Tb0ntbt1tQ)

Tip 8 – How to combat backlash of administrative overprotection: In order to protect against too simple passwords many administrators determine requirements (such as the minimum length and the use of special characters, numbers and letters) and force in addition the change of the password at relatively short intervals. However, exactly this forced practice is what security experts now red-flag, pointing out that in these cases the users either record passwords, use them for other purposes, and then generally tend to vary them only minimally. Attackers could exploit the situation and then crack the password relatively easily. In addition, the password changes usually cause increased support costs, as they are forgotten more often and have to be reset.  As an alternative to the forced password changes, the experts recommend therefore a logging of unsuccessful login attempts and informing the respective account owner so as to detect unauthorized access faster.

Last but not least, here are the most common and general password recommendations you should keep in mind:

  • Make sure to use a new password for each service, alternatively a universal password that must always be individualized in each case.
  • Avoid simple character strings and terms from dictionaries, rather use random sequences of uppercase and lowercase letters, numbers and special characters.
  • Make sure that the passwords have a minimum length of at least 8 characters - the longer, the better.
  • Use mnemonics, through which you can generate a secure password. For example, take from an easy-to-remember sentence the first letter of each word and punctuation, and supplement or replace individual letters with digits.

Optionally, you can also use password manager, in which the individual passwords are encrypted when stored and only you hold the master password. However, this master password should definitely be extra safe and you must also trust the providers in this case that the data is actually protected against intruders.

So much for that. Now it’s up to you to keep your data safe and protect your privacy!

By Daniela La Marca