Change Your Password Day: Groundhog Day for Your Passwords
It's that time again: it's "change your password day". Time to remember good habits.

(Image: Created with AI in Bing Designer by heise online / dmk)
"Change your password day" is repeated on the first of February every year. IT experts agree that it actually recommends counterproductive behavior: frequent (forced) password changes do not lead to more secure passwords, as most people come up with an easy-to-remember (and therefore easy-to-crack) scheme. They often use passwords derived from a simple pattern, frequently tied to the year, for example.
It is therefore better to change passwords if they are too weak, have probably been cracked – or are part of one of the frequent data leaks. A practical tip is quickly at hand here: use a password manager! It needs only a master password or even a biometric identifier to unlock it, and it then stores any number of complex passwords for your accounts. It can typically even be synchronized across several devices over the network. This increases convenience enormously. Each account is given its own hard-to-crack password, which users don't even have to remember, as the password manager makes it available on desktop PCs, tablets, and smartphones alike.
Passwords are more secure and more convenient
Password managers usually also come with integrated password generators. They help to create such difficult-to-break passwords automatically. The complexity can usually be set as desired.
As logging in with only an account name and password provides insufficient protection against phishing or against attackers trying out credentials from data leaks, we have long recommended activating multifactor authentication (MFA; also known as two-factor authentication, 2FA) wherever this is supported. On new devices, you have to prove that you have another factor in order to identify yourself as the real account holder. This makes it significantly more difficult for criminals to access accounts.
Using an authenticator as an app on your smartphone, for example, also significantly increases security compared to 2FA with SMS; the SMS variant has often been successfully attacked, and the CCC, for example, explicitly advises against it. If possible, you should even use passkeys instead of passwords with MFA. This gives phishers no chance. It is not without reason that Germany's highest IT security authority, the Federal Office for Information Security (BSI), recommends the use of passkeys.
The basics clarified
These tips and advice are nothing new. On the contrary, IT experts repeat them wherever possible. Anyone who has not implemented them so far has either been very lucky or simply does not want to and lives with the risk.
(dmk)