Password guidelines on the test bench

May 7 is World Password Day – yet another of those many days of action that nobody needs? Certainly not! Every year it reminds us of our small daily offences, such as reusing the same password in several places. The password rules that are published anew or recycled every year are contested, and users are confused: “Should I change my passwords again? Maybe add a few more special characters? And what actually applies?” We fight our way through the jungle of rules and regulations for you and clear things up.


Exchange password regularly – yes or no?

At first, experts advised changing your passwords regularly. Then the German Federal Office for Information Security (BSI) told us to do so only if a password had fallen into the wrong hands. Why the disagreement? With theoretical rules, one has to ask whether they are practicable to implement. After all, regularly changing every password is quite a burden for the ordinary end user. If he does it, he tends to pick new, weaker passwords or to change them only slightly, à la “Password1”. The BSI therefore concluded that it is better to advise against this rule: once a complex password has been set, it is more secure than a replacement that is changed only minimally and whose complexity steadily decreases.

But the correct tip is actually: Change passwords? Yes! Define the new passwords yourself? Absolutely not. Password management systems come with extra functions such as password reset and synchronization. In Password Safe, secure passwords are automatically reset on the target applications after freely definable periods. Double security: the new password can be reset to a value that nobody knows! Because here the motto is: “Only what you don’t know can be protected”.

Complex and long – still relevant?

Length and complexity go hand in hand: a good password can be “short and complex” but also “long and simple”, as the BSI correctly states, recommending a minimum of 8 characters depending on the character types used. The crux of a minimum number, however, is this: if everyone adheres to the guideline and hits that length exactly or exceeds it only minimally, it is a hint to attackers that cracking will be easier. So always take password rules for what they are: minimum requirements with room for improvement. Allow yourself a few more characters. This does no harm and requires no effort, since you (should) use a password generator anyway …
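To make the “short and complex” versus “long and simple” trade-off concrete, here is a small added example (not code from the original post or from Password Safe) that estimates the entropy of a password from its length and the character classes it uses, and works out how many characters a given alphabet needs to reach a target number of bits. The class sizes assume printable ASCII (26 lower, 26 upper, 10 digits, 32 punctuation characters); the sample passwords are constructed for illustration.

```python
import math
import string

# Character-class sizes for printable ASCII (assumption: ASCII-only passwords).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "special": len(string.punctuation),  # 32
}


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of `length` characters
    drawn from an alphabet of `alphabet_size`: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def classes_used(password):
    """Which of the four character classes appear in the password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        elif ch in string.punctuation:
            used.add("special")
    return used


def estimate_entropy(password):
    """Upper-bound estimate: assumes the password was generated uniformly from
    the classes it uses. Dictionary words or phrases score far lower in
    practice because an attacker guesses words, not characters."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return entropy_bits(len(password), alphabet) if alphabet else 0.0


def length_for_target(alphabet_size, target_bits):
    """Smallest length that reaches `target_bits` with the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # Constructed samples: one short-and-complex, one long-and-simple.
    for pw in ("Tr0ub4d&3", "correcthorsebatterystaple"):
        print(f"{pw!r}: ~{estimate_entropy(pw):.1f} bits")
    print("lowercase-only length for 80 bits:", length_for_target(26, 80))
    print("full-ASCII length for 80 bits:", length_for_target(94, 80))
    # Each extra full-ASCII character adds log2(94) ~ 6.55 bits, i.e. a 94x larger search.
    print("bits gained per extra character:", entropy_bits(9, 94) - entropy_bits(8, 94))
```

The estimate is deliberately an upper bound: a random 8-character full-ASCII password sits at about 52 bits, while a 25-character lowercase string scores about 117 bits only if its letters are random; a passphrase drawn from a word list should be scored by the number of words and the list size instead. The last line shows why a few characters beyond the minimum are cheap insurance: every additional character multiplies the search space by the alphabet size.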

Special characters, numbers & co.? Of course – but only illogically!

Can you read this first name: “N8d1A”? Congratulations, so can the attacker! The rule to use at least 2 special characters, 2 numbers and 2 capital letters each makes sense. But then please do it correctly! Replacing letters with similar-looking numbers was seen through by computers long ago. So definitely use special characters and numbers, but they must not sit where one would expect them; place them randomly. Sounds exhausting? It is. The compromise between security and usability is, once again, to use a password manager that does the work for you. Then there are no limits to “%&/)(§%”, and you can sit back and relax when password guidelines are tightened up again next year.

In conclusion, all password rules must be considered as a whole. There is no point in following one rule and ignoring another. After all, effective password protection only works as a complete package!