“World Password Day” on May 3rd
Internet users are encouraged to double-check and improve their account and password security
World Password Day has existed since 2013 and has taken place on the first Thursday in May ever since. A strong password is important for denying unauthorised third parties access to online services. G DATA provides useful information for high account and password security.
Propaganda on a personal social media account: If the Turkish flag and a picture of Turkish President Recep Tayyip Erdoğan appeared on your personal Twitter wall, some people would no doubt become suspicious. Yet this is exactly what happened to the editor-in-chief of Der Spiegel, Klaus Brinkbäumer, on 14 January 2018. He is supposed to have posted on his Twitter account the sentence: “We would like to apologise for the bad news we have been reporting and publishing lately about Turkey and Recep Tayyip Erdoğan.” As it later transpired, the account had been taken over by third parties without permission. One of the reasons for this could have been an insufficiently secure password.
Text passwords such as those used in social media or shopping sites are and will continue to be an important component when it comes to securing personal online accounts from unauthorised third parties. For years, IT security experts have been working on the question of what a robust password needs to consist of to prevent an account from being taken over. Formerly, analysts and researchers agreed that a password should consist of at least eight characters and should not contain common and easy-to-guess words. This is still the case even today in the current password guidelines of corporate giants such as Google. The United States Computer Emergency Readiness Team (US-CERT) adds that users should use differently generated passwords for their accounts. The passwords must meet a range of complexity requirements, such as special characters and numbers as well as letters. The study “Let’s go in for a closer look: Observing passwords in their natural habitat” shows that people have passwords for an average of 26.3 different websites. In 80% of cases, they always use the same or minimally adapted passwords for these. This means that users are somewhat reluctant to use different passwords for different websites, because who can remember numerous passwords that are both complex enough and unique to the respective portal? The solution is a password manager such as the one in G DATA Total Security.
Assigned passwords are stored in an offline database on the computer with the help of plug-ins for the web browser. Only a master password to open the password safe is needed to ensure that they are protected against access by third parties. All the personally generated passwords can then be viewed and managed here. If users require a secure password, a cryptic password can be generated in the software with one click. However, it is better if Internet users think of separate passwords. G DATA provides useful tips on World Password Day:
- A password manager is helpful: As a user it is very easy to lose track of the right passwords used for the respective portal. With the G DATA Total Security Password Manager, this is no longer a problem. After installation, this appears as an icon in the browser and takes note of all the access data used on websites where password-protected accounts are accessed.
- Password length is key: A new approach has quietly taken over from many former recommendations - long passwords are better than complex ones. A password can still consist of numerous different punctuation marks, numbers and lower and upper case letters; but the longer a password is, the more variations a potential attacker will have to take into account.
Example: A password with six characters, consisting of lower case letters, would have almost 309 million combinations. This initially sounds like a lot, but a modern computer would guess such a password in around seven seconds. Yet it would take an attacker 66 years were the password to be extended by six characters to twelve characters.
- Use passphrases: Using a single word as a password is not sufficient for security purposes. Passwords such as “football 1234” or “password+” for example are too easy to guess. Hence a passphrase should generally be used that cannot be found in a dictionary yet is still easy to remember. This is important because cyber criminals use statistically probable combinations that quickly reveal common sequences of words and so render the password unsecure again.
Example: A passphrase can be very easily generated from the sentence “I am a good password for security purposes”. Many people do not know that a space can also be used in a password. This would give the following passphrase: “! @m @ g00d p@ssw0rd for s3cur!ty purp0s3s.”
- Change passwords appropriately: When you change a password, it should not be possible to derive the new password from the previous one. When doing this, many users add the number of a month or year, or a consecutive number, to the password. Other users change a good password to a somewhat simpler one to increase the convenience to themselves when logging in. In general, it is only worth changing a password when the website requires this, when a third party has carefully observed the password being entered, or it becomes known that a database for an online portal has been hacked. You can see if a database (and hence your own security) has been breached via websites such as “Have I Been Pwned”.
- Update immediately: Security updates are indispensable in times of Meltdown and Spectre if the protection of the computer or mobile device is to be guaranteed. The general rule here is to keep the operating system and the installed software or apps up to date and to install updates immediately.
- Two-factor authentication: Users should generally use two-factor authentication where available. The corresponding options might be called “two-stage login”, “login confirmation” or something similar. Facebook, LinkedIn, Dropbox, Google, PayPal and several other major service providers offer this option.
- Up-to-date virus protection: Desktops and notebooks as well as smartphones and tablets should always have up-to-date virus protection. People frequently assume that there are no security risks for mobile devices, as there is a prevalent and persistent misconception that they cannot be exploited for criminal activities. This is a risk that needs to be eliminated as quickly as possible.