
What are secure passwords?

Time and again, our customers ask us what a secure password is. The requirements for secure passwords are subject to constant change, mainly because of constant technological progress.

On the one hand, the methods for cracking passwords are constantly being refined; on the other hand, hardware keeps becoming more powerful, so that even hashed ("encrypted") passwords below a certain length can now be recovered in a relatively short time, even on comparatively weak home computers. In addition, there are of course the various security vulnerabilities that keep being disclosed.

We update this article irregularly to reflect technical changes; the basis of this article dates back to 2018, and you can see the respective update date above.

User names? These are also part of security!

Before we look at the topic of passwords, we need to briefly discuss the meaning of user names.

We often come across "generic" user names such as "admin", "editor" or "editor1". Such user names also jeopardize the security of your web application: they are easy to guess and are included in the automated scripts of hackers/crackers. Therefore, if possible, do not use such generic names, but identify your users with "real" names. This makes it much more difficult to guess a valid username/password combination!

You should also consider assigning an e-mail address to each user. This is the only way you can notify users if suspicious actions are carried out with their accounts.

 

Criteria for secure passwords

In our opinion, a good password currently fulfills the following criteria:

  1. At least 16 characters long
  2. At least one character from each of the following character groups should be chosen:
    • Capital letters
    • Lower case letters
    • Numerals
    • Special characters
  3. Under no circumstances should generally known data appear in the password, for example your name, the names of your children, dates of birth, etc.
  4. Do not use a password twice! If one account is compromised, you then do not have to change all the other accounts as well.

 

Use a password generator!

Ideally, you should use a password generator. With suitable settings, the passwords it produces are relatively secure.

Avoid online generators!

You should definitely avoid password generators that you use online on a website. Ultimately, you have no control over what happens to the password you generate. For example, the password could be stored and later end up in the databases used for brute force or dictionary attacks (rainbow tables)! Furthermore, in most cases it is very easy for the website in question to access your browser history, and from that even the service for which you generated the password could be identified!

Similar concerns apply to websites that supposedly want to test the security of your passwords. For such highly critical tasks it makes sense to use a desktop program from a highly trustworthy source. Ideally, the software should also be available as source code, so that experts can determine by inspecting the source whether or not the program has any hidden additional functions. The algorithm for assessing password strength can also be checked for plausibility in this way.
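As an added example (not code from the original article or from any of the tools it mentions), the following Python script generates passwords locally with the operating system's cryptographic random source and checks them against the criteria listed above: at least 16 characters, one character from each of the four groups, and no generally known personal data. The special-character set and the sample personal data are assumptions made for this example.

```python
import secrets
import string

# Criteria from the article: at least 16 characters and at least one
# character from each of the four groups. The special-character set is an
# assumption (quotes and backslash left out so the result pastes cleanly).
MIN_LENGTH = 16
CHARACTER_GROUPS = {
    "capital letters": string.ascii_uppercase,
    "lower case letters": string.ascii_lowercase,
    "numerals": string.digits,
    "special characters": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CHARACTER_GROUPS.values())


def policy_violations(password, known_data=()):
    """Return the criteria the password fails; an empty list means it passes.

    known_data holds generally known strings (names, dates of birth) that
    must not appear anywhere in the password, compared case-insensitively.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for group, chars in CHARACTER_GROUPS.items():
        if not any(c in chars for c in password):
            problems.append(f"no {group}")
    lowered = password.lower()
    for item in known_data:
        # very short items (e.g. a single initial) would match almost anything
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains known data {item!r}")
    return problems


def generate_password(length=20, known_data=()):
    """Draw characters from the OS random source (secrets module), so the
    password never leaves this machine, and retry until every criterion holds."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate, known_data):
            return candidate


if __name__ == "__main__":
    personal = ["Anna", "Meier", "1985"]  # constructed sample of known data
    print(policy_violations("Anna1985!", personal))
    print(generate_password(20, personal))
```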

 

Recommendation: KeePassXC

We therefore recommend the KeePassXC software. You can install it locally, and it not only lets you generate passwords but also stores them in an encrypted file! This allows you to conveniently generate a separate password for each account without having to remember it. All you have to do is think up and remember a password for your KeePassXC database that is as secure as possible. You may also want to write this down and put it in a safe: if you forget it, your data will almost certainly be lost!

 

Typing in passwords is insecure!

You also gain the advantage of no longer having to type passwords, which is a security benefit that should not be underestimated!

For example, if you type in a password during a lecture or on the street, with today's smartphones practically anyone can film this in high resolution without being noticed. And don't forget the countless surveillance cameras in public spaces, whose number keeps increasing! Played back slowly, your keystrokes can then easily be read off as you enter the password!

Even keylogger-type malware can be fooled in this way! Since you do not type the password, a keylogger only "sees" CTRL+C and CTRL+V. One fact is particularly interesting for users of Microsoft's Windows 10 (protected company, product or trademark): Microsoft has built a service into Windows 10 that, according to its own statement, "analyzes your typing behavior" in order to - allegedly - improve the usability of the keyboards and input options (handwriting, speech). As this service runs by default and, because the source code is closed, it cannot be determined whether deactivating it via the privacy settings actually has any effect, the entire operating system effectively falls into the malware/keylogger or malware/spyware category.

 

KeePassXC available free of charge for many platforms

Download the KeePassXC password safe from keepassxc.org, or install it from the official repositories of many Linux distributions.

KeePassXC is available for Windows, Linux and Mac OS. As the source code is open and can also be downloaded, you can also compile KeePassXC yourself, for FreeBSD for example.

There are also some Android apps that can read these files. However, you should exercise caution with these apps too! We currently recommend the KeePassDX app.

And of course there is corresponding software for iOS users on iPhone or iPad; here we currently recommend the Keepass Touch app. For "standard users", this free implementation is completely sufficient from today's perspective.

Links to the manufacturers can be found below.

All recommendations without guarantee!

 
