How long and complex should a password be? Do I really have to keep changing my passwords? And should I always log out on websites? Andreas Türk, Group Product Manager Identity, Privacy and Security at the Google Safety Engineering Center (GSEC) in Munich, explains the six biggest myths about passwords for the news agency spot on news. The expert has been with Google since 2006 and works with his team at GSEC primarily on products and tools that are designed to enable users to protect their privacy and data.
“Creating complex passwords is generally a sensible approach – but only if a password manager is used for it,” explains Türk, and he gives the reason for this. “Because people who use combined number-letter variants or special characters like to make the rest of the password simple so that they can still remember it.” His tip: “The longer a password is, the more difficult it is for bots and hackers to crack an account. Eight characters is the absolute minimum, twelve or even 16-character passwords are better. Longer is therefore always better than more complicated.”
Changing passwords frequently is not necessarily good for security, Türk argues. “Anyone who has to change their passwords more frequently tends to use well-known passwords with small changes, for example ‘PASSw0rd2’ instead of ‘PASSw0rd1’. This increases the security risk.” He advises “above all [using] words and character strings that are easy for users to remember, but which others will very likely not come up with”. A secure password must be changed “if it has fallen into the hands of unauthorized persons, for example as a result of a data leak”. With Google’s password check, users can test the passwords stored in their own account against known data leaks and find out whether one of them has been published after a data theft.
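The article does not describe how such a breach check works internally. The following added example (not Google's protocol and not code from the article) shows the widely used k-anonymity range-query design popularised by Have I Been Pwned: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known breached hash suffix sharing that prefix, and finishes the comparison locally. The server (`FakeBreachServer`), its dataset and the password list are constructed here for illustration; a real deployment would query a remote range endpoint instead.

```python
import hashlib
from typing import Dict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the format range queries use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-char prefix ever leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (one per breached hash) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


class FakeBreachServer:
    """Constructed stand-in for a range-query service (assumption, not a real API).

    It holds a tiny 'breach corpus' of (password -> times seen) and answers a
    prefix query with every matching suffix, exactly like a k-anonymity endpoint.
    """

    def __init__(self, breached: Dict[str, int]):
        # Index the corpus by hash so the server never needs the plaintext.
        self._by_hash = {sha1_hex(pw): n for pw, n in breached.items()}

    def range_query(self, prefix: str) -> str:
        if len(prefix) != 5:
            raise ValueError("range queries take exactly 5 hex characters")
        lines = [
            f"{h[5:]}:{n}"
            for h, n in self._by_hash.items()
            if h.startswith(prefix.upper())
        ]
        return "\n".join(lines)


def breach_count(password: str, server: FakeBreachServer) -> int:
    """How many times the password appeared in known leaks (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    response = server.range_query(prefix)  # the password itself is never sent
    return parse_range_response(response).get(suffix, 0)


# Constructed sample corpus: the article's own example passwords plus one
# invented entry, with made-up occurrence counts.
SAMPLE_SERVER = FakeBreachServer({"PASSw0rd1": 12345, "PASSw0rd2": 67, "hunter2": 999})

if __name__ == "__main__":
    for candidate in ("PASSw0rd1", "PASSw0rd2", "correct horse battery staple"):
        seen = breach_count(candidate, SAMPLE_SERVER)
        verdict = "change it" if seen else "not in the sample corpus"
        print(f"{candidate!r}: seen {seen} times -> {verdict}")
```

The point the code makes: because only a 20-bit prefix is transmitted, the server learns nothing that identifies the password, yet a match on the full suffix is as reliable as sending the hash outright. A password that appears even once in a leak should be treated as compromised and replaced, regardless of its length.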
“Here it is very clear: The greatest security risk does not come from the password manager, but rather if the primary e-mail account is hacked,” explains the expert. “If an attacker has access to this account, he can reset all passwords relatively easily.” Türk is certain: “The advantages of a password manager clearly outweigh the risks. Users should secure their e-mail account as well as possible, preferably with two-factor authentication. Using secure, different passwords without a password manager is hardly possible. This smart tool not only generates strong passwords in a matter of seconds, but also bundles, saves and makes them accessible across devices on smartphones (iOS or Android) and desktops.”
The Federal Office for Information Security (BSI) also writes on its website: “Yes, it is usually worth using a password manager. […] For your highly sensitive content, you should ideally set up additional protection for the password manager. This can be achieved by setting up a second factor on important accounts.”
“Unfortunately, a password alone is never the safest way to secure data. It doesn’t matter how complicated or how long it is,” explains Türk. “Phishing, data misuse or the reuse of previous passwords pose a risk even for the supposedly most secure password.” Like the BSI, he advises: “Accounts should also be protected by two-factor authentication, especially for critical websites and applications. However, the latter does not replace the secure password, which is why both should only be used in combination.”
With two-factor authentication, users have to prove in two different ways that they are authorized for access. One factor is the password; the other can be, for example, a one-time password or confirmation code that is delivered to the smartphone via SMS or generated by an authenticator app. App-generated codes are derived from a secret shared with the service when the factor is set up, so they work offline; SMS codes depend on the mobile network and are the weaker of the two delivery methods, since the phone number itself can be hijacked.
“Most websites have certain requirements when creating a password that users must meet – usually a mixture of characters and lowercase and uppercase letters. According to a study by a French security institute, however, most people tend to use capital letters at the beginning and numbers at the end of their password,” explains Türk. So anyone who merely satisfies a website's rules is still far from creating a secure password. “As always, when creating a password, the characters should be mixed well and at least eight, preferably twelve or even 16-character combinations should be chosen.”
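The two claims above (length beats complexity, and the predictable "capital first, digits last" pattern wastes most of the complexity a policy asks for) can be put in numbers. The following added example, not code from the article, compares the search space an attacker faces for a truly random password of a given length and alphabet against the search space of the common pattern, and shows the way a password manager actually generates a long random password: with the operating system's CSPRNG rather than `random`. The dictionary size (20,000 words) and the pattern shape are assumptions for illustration, not figures from the study the article cites.

```python
import math
import secrets
import string

FULL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars
LOWERCASE = string.ascii_lowercase                                           # 26 chars


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def pattern_bits(dictionary_size: int, trailing_digits: int, symbol_choices: int) -> float:
    """Entropy of the stereotypical 'Capitalised word + digits + symbol' password.

    Capitalising the first letter adds nothing once the attacker knows the habit,
    so the space is words * 10^digits * symbols.
    """
    return math.log2(dictionary_size * (10 ** trailing_digits) * symbol_choices)


def generate_password(length: int = 16, alphabet: str = FULL_PRINTABLE) -> str:
    """What a password manager does: pick each character with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: list, count: int = 5, sep: str = "-") -> str:
    """Diceware-style alternative: random words are long but easy to remember."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_policies() -> dict:
    """Bits of entropy for several choices; returned so the numbers can be checked."""
    return {
        "8 chars, full printable (policy minimum)": random_password_bits(8, 94),
        "12 chars, full printable": random_password_bits(12, 94),
        "16 chars, lowercase only": random_password_bits(16, 26),
        "16 chars, full printable": random_password_bits(16, 94),
        # 'Summer23!' style: 20,000-word dictionary, 2 digits, 10 common symbols (assumed)
        "Capitalised word + 2 digits + symbol": pattern_bits(20_000, 2, 10),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{bits:6.1f} bits  {label}")
    print("generated:", generate_password(16))
    # Constructed mini word list; a real list has thousands of words.
    print("passphrase:", generate_passphrase(["correct", "horse", "battery", "staple", "ocean", "lamp"]))
```

Reading the numbers: 16 random lowercase letters (about 75 bits) already beat an 8-character password that uses every printable character (about 52 bits), and the policy-compliant "Word23!" pattern sits near 24 bits, which is within reach of an offline dictionary attack. Length is the cheap lever; randomness, which a manager supplies and a human does not, is the other.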
Contrary to what many assume, logging out of websites can even pose a certain risk. “The more often people have to enter their passwords, the more likely they are to use one and the same password – various studies have shown this. Constantly logging out of and back into websites is therefore actually counterproductive,” explains the Google expert. “It is advisable to deactivate the automatic logout function. Users should use a PIN and face or fingerprint recognition on their smartphone and laptop and remain logged in to websites and apps.”