{"id":5708,"date":"2022-02-01T11:50:40","date_gmt":"2022-02-01T10:50:40","guid":{"rendered":"https:\/\/staging.hws-gruppe.de\/?p=5708"},"modified":"2024-04-23T16:20:45","modified_gmt":"2024-04-23T14:20:45","slug":"heres-why-a-regular-password-change-is-nonsense","status":"publish","type":"post","link":"https:\/\/staging.hws-gruppe.de\/en\/heres-why-a-regular-password-change-is-nonsense\/","title":{"rendered":"Here’s why a regular password change is nonsense"},"content":{"rendered":"

<p><strong>The average German Internet user has 25 online accounts.<\/strong><\/p>\n

<p>For this article, I counted my accounts\u2014just for fun: I came up with 37 online accounts with associated passwords. That is just as a private user. For the corporate applications and various online portals that I use professionally as a marketing manager, there are certainly as many again. I really wonder who is dragging down my average like this … You probably aren’t, or you wouldn’t be reading this blog.<\/p>\n

<p>And for each of these accounts I need\u2014you need\u2014credentials, in the vast majority of cases a username and password.<\/p>\n


<p>And let’s be honest: <strong>Can you remember all these credentials?<\/strong>\u2014I am happy if I know which username I chose or which e-mail address I entered during registration. Before I switched to our password manager DoubleClue at HWS, this knowledge was extremely relevant for me, because I had to remember my passwords without technical help. That\u2019s why I had to hit the “forgot password” button every time\u2014and I mean every time!\u2014I logged into an account. Of course, that can’t be the point of having passwords.<\/p>\n

<p>The only exception was the password to my main e-mail address, which I then carelessly kept for several years for logistical reasons.<\/p>\n

<p>Carelessly? Considering that the German Federal Office for Information Security (BSI) called for all passwords to be changed regularly right up until 2020, one would have to say yes. In return, I diligently ignored the “change-your-password” day celebrated on February 1. Why not? Chances were very high that after changing the password of this e-mail address, I would not have been able to get into any of my accounts afterward.<\/p>\n

<p>At the same time, I don’t think I was careless with this long-standing and trusted password for my e-mail address, because it was the only one I had invested time in when creating it: long, complex, with special characters, numbers, upper and lower case, no direct reference to my person. The whole package.<\/p>\n

<h2>Changing passwords regularly leads to frustration and tempts us into insecure passwords<\/h2>\n


<p>When I look at my other passwords\u2014at that time 36, probably a few fewer\u2014things looked different. They were mostly a fairly similar combination of one word with a\u2014probably\u2014different ending. I can’t say exactly, because as I said: I changed my passwords very often. But this did not make them more secure: on the contrary.<\/p>\n

<p>My experience that frequently changing credentials leads to an insecure mishmash of easily cracked or easily guessed passwords is confirmed by various studies. The more passwords we have to remember, the simpler they become. After all, who wants to sit frustrated in front of the PC every time because the login didn’t work (again)?<\/p>\n

<p>In addition, we are usually quite unimaginative when it comes to choosing passwords: after all, we have to, and want to, remember them. And I’m not just talking about the classics <em>123456<\/em>, <em>qwerty<\/em>, <em>Passw0rd<\/em>, etc., but also about\u2014supposedly\u2014individual passwords: <em>Pet1!<\/em>, also in the variation <em>Pet2!<\/em>, etc. The more often we change our passwords\u2014and the more mental effort we need to remember them\u2014the more insecure and similar our passwords become. And that defeats the whole point of protecting our online identity as well as possible.<\/p>\n

<p>That’s why the BSI now advises against changing passwords regularly: there are better ways to get truly secure credentials.<\/p>\n

<h2>Long, complex, and unique credentials beat regular password changes<\/h2>\n


<p>The most important security measure is a strong and unique password. What matters for security\u2014pay attention!\u2014is the length of the password: the longer a password is, the more time software needs to crack it automatically. Just to give you an order of magnitude: with special characters, a brute-force attack by software on an eight-character password takes just under 8 hours. That is one working day. And we all know: that can feel like a long time, but in the end it’s over quickly.<\/p>\n

<p>But it’s not just the length of a password that’s crucial: there’s also the issue of our lack of imagination: coming up with an individual password for 37+ logins is quite a challenge. For all those who still want to create their passwords themselves, there are tricks such as “Use the first sentence of your favorite book and take the first letters as your password” or “Use three random words and add special characters to this phrase”. However, all of this is of limited help against the sheer volume of credentials.<\/p>\n

<p>Fortunately, there are various technical solutions for this. At datenschutz.org, for example, you can easily generate secure passwords according to current security standards. But how do you remember these complex passwords? I’ll come to that in a moment.<\/p>\n

<h2>Two-factor authentication: Because two barriers are stronger than one<\/h2>\n


<p>For now, it’s worth noting that there’s a simple technical way to make logins more secure. Many services, including various social media platforms, PayPal, Google, Windows, etc., now offer so-called <strong>two-factor authentication<\/strong> (2FA). In some cases, 2FA is even mandatory to use the service. This second login hurdle\u2014for example in the form of an SMS code or a push approval on the smartphone\u2014makes even the weakest login more secure. Of course, no one should feel tempted to use <em>1234<\/em> as a password, but two-factor authentication still protects your account even if the password itself has been cracked. With such accounts, it is therefore possible again to use short and memorable\u2014but also insecure\u2014passwords.<\/p>\n

<h2>Password managers are better at remembering passwords than we are<\/h2>\n