The Evolution of Password Security: Best Practices and Future Solutions

Regularly changing passwords no longer provides the additional security it once did for online accounts. A strong, complex password, when used exclusively for a single account, can remain secure for many years without the need for frequent updates.
The German Federal Office for Information Security (BSI) has long since stopped recommending regular password changes in its basic IT security guidelines. It remains essential, however, to change a password whenever there is suspicion of unauthorized access or the password is known to have been compromised. Default passwords shipped with electronic services and devices should also be replaced.
The Risks of Frequent Password Changes
Frequent password changes can lead to user frustration, often causing individuals to opt for simple and weak passwords or reuse the same password across multiple accounts. This practice is extremely risky, as it can lead to the compromise of all online accounts if a password is leaked or hacked from one service. This is especially critical for email accounts, which often play a central role in resetting passwords for other online services.
Creating Strong and Memorable Passwords
The BSI emphasizes the importance of creating strong, complex passwords that are difficult to guess, while ensuring they are not so complicated that users struggle to remember them. One helpful technique is the passphrase: a password formed from the initial letters of a memorable sentence or phrase. Because it is hard to remember many such passphrases, the BSI recommends a "password sheet strategy": the first part of the password stays the same for all accounts and is memorized, while the second part is unique to each account and may be written down on a password sheet. Even if the sheet falls into the wrong hands, the accounts remain protected, because the memorized part is not on it.
Password Managers: Simplifying Security
An easier alternative is to rely on password manager programs. These tools generate, store, and manage complex passwords, allowing users to use different strong passwords for each account without the need to remember them all. Most password managers can be synced across multiple devices, from smartphones to laptops, and even across various operating systems and platforms. One popular free option is Bitwarden.
Two-Factor Authentication (2FA)
Given that passwords can be compromised through phishing attacks, hacking, or data breaches, the BSI strongly recommends enabling two-factor authentication (2FA). With 2FA, users must enter an additional code each time they log in, so a password alone is not enough to get in, even if someone has stolen or guessed it. This adds an extra layer of security that blocks most unauthorized access attempts.
The additional codes can be generated by smartphone apps. Apple iPhones ship with a built-in one-time-code generator, while Android phones require a third-party app such as the free and open-source Aegis app to generate one-time passwords for login.
Regular Access Checks
It’s also crucial for users to periodically check if their login credentials, such as email addresses and passwords, have been compromised or exposed in a data breach. In such cases, passwords should be changed immediately. Users can easily check this by consulting databases like “Have I Been Pwned?” or “Identity Leak Checker.”
Passwordless Authentication: The Future
Looking ahead, a new technology called passkeys promises to allow users to log in without a password, provided the service supports it. The BSI currently recommends using passkeys, as this method offers several advantages over traditional passwords.
Passkeys rely on a pair of cryptographic keys (public and private). The private key is stored on the user's device and never leaves it, while the service provider holds only the public key. To log in, the user unlocks the private key with a fingerprint, a facial scan, or a personal identification number (PIN); the device then uses that key to prove to the service that it holds the matching private key, without the user typing any secret.
Although passkeys may sometimes be linked to a specific device or operating system, progress is being made in making them easily transferable and synchronized across different devices. Many password managers now support passkeys or have announced plans to do so, providing users with a simple and secure transition between different security measures.