World Password Day: Google security expert debunks six password myths


What should you really pay attention to with passwords?


World Password Day aims to encourage people to take good care of their passwords. But there are also many myths.

How long and complex should a password be? Do I really have to keep changing my passwords? And should I always log out on websites? Andreas Türk, Group Product Manager Identity, Privacy and Security at the Google Safety Engineering Center (GSEC) in Munich, explains the six biggest myths about passwords for the news agency spot on news. The expert has been with Google since 2006 and works with his team at GSEC primarily on products and tools that are designed to enable users to protect their privacy and data.

Myth 1 – Complex passwords are more secure: A secure password must be eight characters long, contain a number, a special character and capital letters

“Creating complex passwords is generally a sensible approach – but only if a password manager is used for it,” explains Türk, and also provides the reason for this. “Because people who use combined number-letter variants or special characters like to make the rest of the password simple so that they can still remember it.” His tip: “The longer a password is, the more difficult it is for bots and hackers to crack an account. Eight characters is the absolute minimum; twelve or even 16-digit passwords are better. Longer is therefore always better than more complicated.”

Myth 2 – Change Password: Passwords should be changed every few months

Renewing passwords frequently is not necessarily beneficial for security, Türk believes. “Anyone who has to change their passwords more frequently tends to use well-known passwords with small changes, for example ‘PASSw0rd2’ instead of ‘PASSw0rd1’. This increases the security risk.” He advises using “especially words and strings which are easy to remember for users, but which others will very likely not think of.” A secure password must be changed “if it has fallen into the hands of unauthorized persons, for example as a result of a data leak”. With Google’s password check, users can check the passwords stored in their own account to find out whether they may have been published after a data theft.

Myth 3 – It’s best to remember your passwords: Password managers are risky because they store all login credentials in one place

“Here it is very clear: The greatest security risk does not come from the password manager, but rather if the primary e-mail account is hacked,” explains the expert. “If an attacker has access to this account, he can reset all passwords relatively easily.” Türk is certain: “The advantages of a password manager clearly outweigh the risks. Users should secure their e-mail account as well as possible, preferably with two-factor authentication. Using secure, different passwords without a password manager is hardly possible. This smart tool not only generates strong passwords in a matter of seconds, but also bundles, saves and makes them accessible across devices on smartphones (iOS or Android) and desktops.”

Myth 4 – It only takes one good password: A single good password protects against all risks

The Federal Office for Information Security (BSI) writes on its website: “Yes, it is usually worth using a password manager. […] For your highly sensitive content, it is best to set up extended protection in the password manager. This can be achieved by setting up a second factor for important accounts.”

“Unfortunately, a password alone is never the safest way to secure data. It doesn’t matter how complicated or how long it is,” explains Türk. “Phishing, data misuse or the reuse of previous passwords pose a risk even for the supposedly most secure password.” Like the BSI, he advises: “Accounts should also be protected by two-factor authentication, especially for critical websites and applications. However, the latter does not replace the secure password, which is why both should only be used in combination.”

With two-factor authentication, users have to prove in two different ways that they are authorized for access. One factor is the password; the other can be, for example, a one-time password or confirmation code that is delivered to the smartphone via SMS or generated by an app on it.

Myth 5 – Stick to the rules: Password rules on websites ensure a secure password

“Most websites have certain requirements when creating a password that users must meet – usually a mixture of characters and lowercase and uppercase letters. According to a study by a French security institute, however, most people tend to use capital letters at the beginning and numbers at the end of their password,” explains Türk. So if you only stick to the specifications of a website, you are far from creating a secure password. “As always, when creating a password, the characters should be mixed well and at least eight, preferably twelve or even 16-digit combinations should be chosen.”

Myth 6 – Logging out makes sense: Automatically or manually logging out of websites protects

Contrary to the assumption of many, logging out on websites can even pose a certain risk. “The more often people have to enter their passwords, the more likely they are to use one and the same password – various studies have shown this. Constantly logging off and on websites is therefore actually counterproductive,” explains the Google expert. “It is advisable to deactivate the automatic logout function. Users should use a PIN and face or fingerprint recognition on their smartphone and laptop and remain logged in to websites and apps.”

SpotOnNews
