Most people know that a secure password consists of at least eight characters mixing upper and lower case letters, numbers and special characters in random order. Nevertheless, only a few actually apply these criteria when choosing their passwords. IT expert Tobias Heintz from the University of Potsdam explains why security matters when using the Internet – even for you.
How to create a secure password
- Generate a random combination of letters and numbers.
- Use a length of at least eight characters.
- Alternate between upper and lower case letters.
- Names, birth dates, common words or keyboard patterns are not suitable as passwords.
- Change important passwords regularly.
- Never store your password digitally without encryption.
- Always keep your password secret.
Why your password must be strong
Everyone knows the sayings of people who give little thought to their online identity: "There’s nothing on me anyway." Or: "My data is of no interest to anyone."
This is exactly the kind of carelessness that can be a serious mistake when it comes to personal passwords. Just as with home burglary, it is not only the prospect of lucrative loot that attracts cybercriminals, but also the easy opportunity.
Every insecure password is such an opportunity. With stolen data, uninvited guests sometimes commit identity theft – for example, they open user accounts in your name and place orders.
A secure password for every online service is indispensable, even if your e-mail, Amazon or Facebook account does not appear to contain any particularly sensitive data at first glance.
Unique passwords and single sign-on
Few users heed the basic rules of password security: long, complex combinations of characters in random order. After all, such passwords are hard to remember.
The list of the most widespread passwords therefore features catastrophic choices like "hello", "123456" or simply "password". None of them makes life particularly difficult for hackers. You should also avoid PINs and passwords that consist, for example, of complete words, parts of your name or date of birth, your telephone number or your postal code.
Tip: Use the initial letters of a word sequence, such as "chocolate for breakfast" = SzF (the abbreviation follows the German phrase "Schokolade zum Frühstück"). You should also change your PIN at regular intervals.
Beware of auto-completion
Many online stores and platforms now offer the option of logging in without a separate registration, for example with your Facebook, Google or Twitter account or other credentials already in use – so-called Single Sign-On (SSO). This is convenient, because the existing user account serves as a master key for further services.
But be careful: the SSO provider – for example Facebook – also receives a lot of information about you in this way. In principle it can see all your activities on the sites you have connected through your user account, for example search entries or purchases made. With these findings, the provider then completes your online profile in order to target you more precisely in the future, for example with matching product advertising.
How to stay in control with yes®
The secure solution of the savings banks is the identity service yes®: With just a few clicks you can register on the portals of all savings bank partner merchants. You already know this from the single sign-on of other providers.
Your advantage with yes®: As a savings bank customer, you do not need an additional login to use yes®; you use the login of your online banking instead. This increases your security, because legislation has set the highest security standards for online banking, for example through two-factor authentication.
An overview in your online banking also shows you at any time which retailer you have logged on to and when. This makes it easier for you to actively manage your registrations. For example, if you no longer need one of the connected sites, you can ask the company to delete your data and remove the connected account. You always keep track and stay in control.
Another advantage for you: Merchants with the yes® seal are exclusively providers trusted by the savings banks.
The most important things about password security
- Basically, long passwords are more secure than short ones. Your password should not be a simple combination of words, a logical sequence of numbers, a series of letters or a keyboard pattern.
- Names, dates of birth and other information that third parties can easily find out are taboo when choosing passwords. Do not store passwords digitally on the PC or other electronic devices without encryption.
- Protect yourself from onlookers when you enter your passwords. This way you rule out the possibility that bystanders read along and misuse your data.
- Passwords for Single Sign-On (SSO) – i.e. login data that allow centralized access to multiple applications – should be especially secure. Also, be mindful of which platform you allow to be that kind of general key. With yes®, the savings banks offer their own identity service that enables fast and secure online data transfer.
Pay attention to safety in the entire environment
As with many other online banking providers, the PIN at the Sparkasse usually has five digits. Other security measures include limiting failed attempts at PIN entry and using TANs to execute banking orders. Furthermore, the Sparkassen-Finanzgruppe has an infrastructure that meets the highest security standards.
To further protect you and your data, savings banks are working with a technology called two-factor authentication. With it, your identity as a user is only confirmed if you provide two independent characteristics.
Regardless of the PIN, you should also ensure the security of the device you use for online banking. This includes current software and browser versions as well as, where appropriate, antivirus programs.
Mr. Heintz, as a private individual, do I have to deal with the issue of Internet security?
Yes, definitely. The feeling of "there’s nothing wrong with me" that many have is false. Not only large companies or very wealthy people are of interest to cybercriminals.
Fraudsters are not only interested in spying on company secrets or withdrawing huge sums of money from some bank accounts in their attack attempts.
How does a good password protect against this?
Hacking passwords can take a lot of time in some circumstances. If you have chosen an extremely secure password, even sophisticated programs will take years to create it. Many hackers do not make this effort. Or they will eventually give up.
But this also means that theoretically every password can be cracked?
Yes. If an attack is not stopped, the hacker’s programs will keep trying different combinations of characters until they find a password. As I said: This is how it looks in theory. In practice, no one does this work, because it requires extremely high computing power.
With simple passwords it is different. By simple passwords, I mean, for example, words from everyday speech such as "flower", "summer" or the like.
In this case, hackers have an easy time. They then work with a so-called dictionary attack. A computer goes through all the words in a dictionary and tries one after the other. This is quite fast, because there are not so many words.
What would be a better variant for a password?
The best way to secure yourself is to choose a random sequence of letters and numbers as a password. In order for hackers to get nowhere with the dictionary attack and possibly give up already because of this, there really must not be any connection. So your daughter’s name or your favorite soccer club are out of the question.
Let’s say your password is "Br87jUhvg". In this case, the dictionary attack cannot work, because these characters do not form a known word. However, to find out, there is also a way – the so-called brute force attack ("brute force"). A computer tries all possible combinations of characters.
Starting with A it continues with a, then AA, or Aa, or aA. As you can see, there are several possibilities for the combination of two identical letters alone. You can imagine how long it takes for the computer to get to "Br87jUhvg". The longer your password is, the more possibilities it has to go through.
It is assumed that a computer needs several billion years to hack a 20-digit password that has been created at random. This is simply not worthwhile for fraudsters anymore.
And what is your tip for remembering complex passwords?
I know, everywhere it is advised not to write down passwords and to hide them for example in the desk drawer. This is actually not ideal.
In my opinion, however, it is better to have a very strong password and write it down than to have a password like "poppy". The probability that you will be burgled and the burglar will take this note is small. It is much more likely that hackers will try to access one of your accounts. They can do it from anywhere in the world and at any time. And without you or the police surprising them.
How do you remember all your passwords?
Since I use a password manager, I have to remember only one password. This is extremely practical and secure at the same time. The program I use stores, encrypts and manages all my log-ins. So it combines the usernames of e-mail addresses, accounts for online shopping or online banking with the corresponding passwords.
These passwords are created by the password manager itself. Exactly according to the pattern I have already described: It chooses random character combinations and they have up to 20 digits.
A hacker only needs to know your master password to get all your passwords. That’s pretty insecure?
No, it is not insecure. It’s true: A hacker would only need this password. But since the password manager is stored locally on my computer and on my smartphone, he can’t access it at all. When I enter my master password, I don’t do it over the Internet. So hackers have no way to attack my password via a data connection.
Another plus: the password manager encrypts all stored passwords. Even if a hacker would have access to my log-in: he still would not see the passwords.
Is there anything else besides a secure password to protect yourself from hacker attacks?
You probably know the saying "double is better". This is also the case when it comes to Internet security. Many e-mail providers or online stores therefore now offer their customers so-called two-factor authentication.
Instead of logging in with just your password, you need to identify yourself a second time. With Amazon, for example, this works via a code that is sent to your cell phone by text message or with the help of an app. You cannot access your account until you enter your password and then the code.
This is really a great way to protect your personal data. And it can now be easily activated at many online merchants and also payment providers.
In online banking, these two levels have already existed for some time.
True. You first log in to online banking with your password. If you then want to initiate a bank transfer, you also need a TAN*.
Your transactions are really safe if you keep one thing in mind: For example, have a TAN sent to your smartphone should you complete the transfer on another device. This is also part of the two-factor logic.
Because imagine someone gaining access to the one device you work with. Then this person can simply read out both your log-in data for online banking and the necessary TAN and then debit money from your account.
The same is true if you want to use two-factor authentication at Amazon or any other company. The second security step should always be done via a second device.
*Please note: Since 14 September 2019 you also have to enter a TAN every 90 days to log in to online banking.
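As an added example that is not part of the original article or of Sparkasse's software, the following code turns the advice above into checks: the rule list from "How to create a secure password", the dictionary-attack case and the brute-force search space from the interview. The small word list, the keyboard patterns and the attacker guess rate are constructed assumptions for illustration.

```python
import secrets
import string

# Constructed stand-ins: a tiny "dictionary" of everyday words (the interview's
# examples) and a few keyboard patterns the rule list says to avoid.
COMMON_WORDS = {"hello", "123456", "password", "flower", "summer", "poppy"}
KEYBOARD_PATTERNS = ("qwerty", "asdf", "1234", "abcd")
# Assumed attacker speed; the real figure depends on the hash and hardware.
GUESSES_PER_SECOND = 10**10
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(pw: str) -> int:
    """Alphabet size a brute-force attack must cover for this password."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation)))
    return sum(n for test, n in classes if any(test(c) for c in pw))

def brute_force_years(pw: str) -> float:
    """Worst-case years to try every string of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def check_rules(pw: str) -> list:
    """Rules from the article the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if pw.lower() in COMMON_WORDS:
        problems.append("found by a dictionary attack")
    if any(p in pw.lower() for p in KEYBOARD_PATTERNS):
        problems.append("contains a keyboard pattern")
    return problems

def generate(length: int = 20) -> str:
    """Random password the way a password manager makes one (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # retry until the draw happens to satisfy every rule
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_rules(pw):
            return pw

if __name__ == "__main__":
    for pw in ("flower", "Br87jUhvg", generate()):
        print(pw, check_rules(pw) or "ok", f"{brute_force_years(pw):.3g} years")
```

The interview's "Br87jUhvg" passes every rule except the special-character one and falls to brute force within the assumed year, while a 20-character manager-generated password sits far beyond a billion years at the same guess rate.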