Information Security
"123456" is not a secure password
by Judith Morgenschweis

The first of February was "Change your password day". And even if it doesn't necessarily make sense to constantly change all the countless passwords, the list of the most popular passwords in 2021 casts a little doubt on internet users' ability to learn.

A little test: Is one of your passwords "123456"? If so, you are in good company: as in 2020, this was Germans' favourite password. Last year it was followed by the highly imaginative "password" and the number combination "12345". At least that is what the Hasso Plattner Institute found out using its Identity Leak Checker. Millions of users use this free online service to check whether their personal data is circulating on the internet in connection with their email address.

Conversely, this means that these passwords can be cracked in a fraction of a second. They are short, and they do not mix upper and lower case letters, numbers and special characters, two important factors for a secure password.

However, it is downright negligent if the same password is used for different services and access points. This is because one of the most important rules for secure passwords is to create a separate password for each access point. REWE Group therefore also prohibits its employees from using company passwords for private access in its Information Security Policy.

So here are the most important tips for secure passwords:

1. Use passwords that are as long as possible (more than 15 characters) and use upper and lower case letters, numbers and special characters.
2. Combine several words into one, for example "TorqueAndPower". Use a "password safe". If you don't want to use one, vary the password slightly for each service you use: DrehmomentUndLeistung@eb for eBay, DrehmomentUndLeistung@az for Amazon, and so on. In this way the password remains secure, individual to each service and still easy to remember.
3. Choose a new password for each service. Do not use words from the dictionary.
4. If possible, activate two-factor authentication.

You can also find more tips and information in the SecurityInfo app, which you can download from the Apple, Google and REWE app stores.
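As an added illustration, not code from the article or from REWE Group, here is a small Python checker that applies the tips above to a candidate password and reports which rules it fails; the popular-password set and the dictionary are constructed stand-ins for real leak and word lists.

```python
MIN_LENGTH = 16  # rule 1: "more than 15 characters"

# Constructed: the three most popular passwords named in the article.
POPULAR_PASSWORDS = {"123456", "password", "12345"}

# Constructed stand-in for a real dictionary; a full word list would be
# loaded from a file in practice (assumption).
DICTIONARY_WORDS = {"password", "torque", "power", "drehmoment", "leistung"}

REQUIRED_CLASSES = {"lower", "upper", "digit", "special"}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(password, used_elsewhere=()):
    """Return the list of article rules the password violates.

    used_elsewhere: passwords already in use for other services (rule 3).
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not REQUIRED_CLASSES <= character_classes(password):
        failures.append("missing character classes")
    if password.lower() in POPULAR_PASSWORDS:
        failures.append("popular password")
    if password.lower() in DICTIONARY_WORDS:
        failures.append("dictionary word")
    if password in used_elsewhere:
        failures.append("reused across services")
    return failures


if __name__ == "__main__":
    for pw in ("123456", "password", "TorqueAndPower", "DrehmomentUndLeistung@eb"):
        print(pw, "->", ", ".join(check_password(pw)) or "ok")
```

Run as a script it reports on each of the article's sample passwords; note that the article's own example DrehmomentUndLeistung@eb contains no digit, so the checker reports rule 1 as unmet for it.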

Comments


Marko Klein
3 years and 5 months ago

In my opinion, the tips are extremely dangerous. The reason why you shouldn't use the same password for different services is that there are still a lot of services that store passwords in plain text and that hackers manage to penetrate the systems of services from time to time and steal them. If there is a simple, obvious rule to turn the password for Amazon into the password for eBay, the security gain from using different passwords is no longer very great. Unfortunately, there is also still a widespread lack of password policies that force users to change their passwords regularly, imposing conditions on which character categories must be present and requiring, for example, that the password must not match any of the last 10 passwords and similar jokes. What is completely forgotten in these technocratic security approaches is the human factor. Who can constantly think up and memorise new, creative, unguessable passwords and then remember them for every new service? In the end, all people have to do is resign themselves and choose a potentially insecure password scheme. Password managers can at least help to maintain different passwords for different services that are not derived from each other by a rule. It would actually be best if security could be used via crypto hardware such as FIDO tokens, the EID function of the ID card or similar for as many services as possible.

Andreas Thimm
3 years and 5 months ago

Hello, Mr Klein, thank you for your comment, which I would like to comment on. The number of websites that actually store passwords in plain text is very small, and these certainly do not include the major online service providers. Furthermore, stolen or decrypted passwords are practically never "checked" individually by the attackers, but are used automatically against other providers. In any case, individual customisation to the target systems represents a significantly higher level of security than if the user used the same password everywhere for reasons of laziness or memory. Regarding the complexity or age of passwords: the security officers at REWE Group agree with you and most colleagues at other large companies; unfortunately, however, there are always technical reasons that prevent an immediate switch to sufficiently long passwords combined with a low change frequency. However, our IT companies are working on a solution to this problem for REWE's own applications. Finally, to your last point: the article is addressed to all of us "privately". FIDO, EID, 2FA or others are certainly great and desirable, but only a very small proportion of all users will be willing and able to use these procedures (even permanently!). Amazon and GMX will not want to exclude the majority of their customers!