Complicated, long and changing as often as possible: these were the requirements for a good password for a long time. But they have long been considered outdated. Even overly complicated passwords are now discouraged.

It is k0Mpliz1rT (complicated): In the password guidelines of numerous companies, authorities and websites, passwords can never be complex or long enough and are supposed to be changed almost constantly. According to the new guidelines of the Federal Office for Information Security (BSI), these demands are no longer tenable.

With the recommendations for action that it has just published, the BSI finally wants to make secure passwords suitable for everyday use. According to the experts, this fails mainly because ordinary people are unsure of what really needs to be considered. “What makes a password secure is not always clear to consumers due to the large number of different guides,” says the guideline.

Secure passwords: finally clearer rules

The “first requirement” for the security of passwords is uniqueness: In order to cope with the overwhelming number of passwords they have to manage, many people use the same password for everything – and thus open the floodgates to attacks. If one account is compromised, attackers can take over all the others as well. The BSI therefore regards using each password only once as its most important recommendation.

The second recommendation is surprising. “Overly complex passwords and constant password renewal are not very effective,” says the guideline. While the recommendation to reset passwords regularly was overturned a few years ago, the point about complexity is new. The clear statement: A password can be too complicated. The BSI sees requirements for long, meaningless strings in particular as counterproductive: people simply cannot remember them. Consumers therefore tend to use such passwords more than once – and thus violate the most important commandment.

Handy password tips

Instead, the experts advise relying on long but less complex passwords, for example by merging several unrelated existing words into one long new creation. Such a password is easy to remember but difficult for an attacker to crack. An example would be a construction like GartenPizza-Ballpen, which is easy to memorize but, because of its length and its mix of upper and lower case and special characters, is difficult for programs to guess.
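The following Python snippet is an added illustration, not part of the BSI guidance or of the original article. It contrasts a legacy complexity-only rule with a rule built on the recommendations above (uniqueness first, length over complexity), and estimates the blind brute-force search space of the two example strings from the text; the minimum length of 12 and the "previously used" list are this example's own assumptions.

```python
import math
import string

# Character classes used to estimate the brute-force search space of a
# password: a guesser who knows nothing about how it was built has to cover
# every combination drawn from the classes the password actually contains.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def keyspace_bits(password: str) -> float:
    """log2 of the candidates a blind brute-force search must try.

    This is an upper bound: a guess that targets combinations of dictionary
    words is smaller, which is why the guidance asks for unrelated words.
    """
    alphabet = sum(len(cs) for cs in CLASSES.values()
                   if any(c in cs for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def old_style_policy(password: str) -> bool:
    """Legacy rule: short is fine as long as three of four classes appear."""
    classes_hit = sum(any(c in cs for c in password) for cs in CLASSES.values())
    return len(password) >= 8 and classes_hit >= 3


def bsi_style_policy(password: str, previously_used: set) -> tuple:
    """Rule in the spirit of the guidance above: unique, long, no forced
    complexity, no forced rotation. 12 characters is an assumed threshold."""
    if password in previously_used:
        return False, "reused: every account needs its own password"
    if len(password) < 12:
        return False, "too short: prefer a long combination of unrelated words"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: a "complex" short string versus the article's passphrase.
    for pw in ("k0Mpliz1rT", "GartenPizza-Ballpen"):
        print(f"{pw:22} old={old_style_policy(pw)!s:5} "
              f"new={bsi_style_policy(pw, set())[1]:55} "
              f"~{keyspace_bits(pw):.0f} bits")
```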

Last but not least, the BSI recommends additionally securing every service that supports it with what is known as two-factor authentication. When logging in from a new device, a second confirmation such as a code sent by SMS or produced by a code generator is then required even if the password is correct. In this way, accounts remain protected even if a password is spied on or otherwise stolen.

Consideration for everyday use

With the new guidelines, the BSI explicitly addresses how consumers actually handle passwords. According to the paper, they react to the perceived high hurdles for passwords by making them even less secure. Passwords are not only reused, but also too often created according to the same easy-to-guess patterns, recycled in variants, or written down in insecure places in order to keep them manageable in everyday life.

The frequently recommended password managers are still not a solution for many users. According to the BSI, many people find them too complex, do not trust them, and are unsure whether they will still be able to access their passwords in an emergency. The programs are nevertheless still recommended in principle. However, organizations should also communicate the option of keeping passwords written down on paper – as long as the paper is then stored securely.

It remains to be seen how strong the effect of the new recommendations will be. The rule of constantly changing passwords has been considered outdated for a number of years, because in practice it leads to passwords that are too simple being chosen so that they can be remembered. The BSI has therefore recommended for several years that forced password renewal be avoided and that passwords only be changed if they are insecure or if a compromise is suspected. In everyday life, however, this has by no means arrived everywhere: numerous companies, authorities and services still require regular password changes years later. The requirement for highly complex passwords is therefore likely to remain in place for a while as well.

Source: BSI