You've probably heard the lesson dozens of times: A password must be over eight characters long, contain special characters, punctuation marks, uppercase and lowercase letters, numbers, and maybe even a few emojis.
It should never be handwritten.
Passwords must not contain any data that is easy to remember but also easy to guess, such as one's own birthday or the names of pets, they must not be used more than once, and it is best to exchange them constantly.
At the same time, we regularly read about new major data leaks where our well thought-out passwords leak from online platforms.
The reaction is as absurd as it is understandable: instead of internalizing the rules of good password hygiene and living by them, users circumvent the rules.
For example, anyone who uses “Password123 office” for the work PC and “Password123 private” for everything from Netflix to Facebook to the tax office is formally following the basic rules of security, but in practice makes it unnecessarily easy for hackers.
If the IT department on the job specifies a password that is impossible to guess and at the same time unreadable, many office workers write it down on a sticky note and stick it on the monitor.
Or they save all passwords in the browser so that every intern, craftsman and colleague has full access to all systems during a coffee break.
The "Digital Consumer Protection" Advisory Board of the Federal Office for Information Security (BSI) is now proposing to forget some of the old rules and to acknowledge that the previous approach was not very successful.
In the recently published recommendations for action, the committee calls for a rethink: If users refuse what the IT department and software manufacturer consider safe, the problem is not necessarily in front of the keyboard.
As a first step, the Advisory Board encourages employers to recognize one simple fact: strong passwords are not trivial.
On the one hand, employees have to be given the time and, on the other hand, the tools to deal with it sensibly.
This includes, on the one hand, easy-to-understand instructions, which, however, avoid even the word »simple«.
If you don't know a 12-digit password off the top of your head by heart, you are not underprivileged, but completely normal.
Write down passwords, but correctly
This is what a seemingly revolutionary suggestion from the paper aims to do: »Writing down passwords should not be presented as negative per se.
Consumers should be given instructions on how to keep passwords safe on paper.« In other words: If you have forgotten your password, a backup is not a sin.
But it shouldn't be found by everyone in two minutes.
Of course, not all classic password rules are pointless.
But they are often worded awkwardly and come across as arrogant.
The BSI recommends a common method for creating passwords on its own websites: you take a complete sentence with a number and use the first few letters to generate a password that conforms to the established rules.
From
»
I
prefer
to
eat
P
izza
w
ith
four
ingredients
and
e
xtra
K
_
_
_
äse" becomes the password "AleiPm4Z+eK!" Simple, right?
Until you sit in front of the keyboard and can't remember whether you turned the "and" into a "u" or a "+", or the log-in fails because you forgot the exclamation mark for the third time.
Fans of comic artist Randall Munroe have known for years that a simple combination of words such as "correct horse battery staple" is at least as difficult for computers to crack as the illegible mishmash of letters and special characters.
Although the BSI now also recognizes this fact in footnotes, there is a problem with something else: Many providers simply forbid their users to have such long passwords and insist on different types of special characters.
Learn from drug dealers
If you want to use passwords without risk, you can learn something from drug dealers: You have to realize what the so-called attack model is that you actually want to protect yourself against.
If you share your Netflix account with extended family, for example, you shouldn't use the same email address and password to log in to Facebook - unless you want to hear your own private chats at the next family gathering.
Or in the words of the BSI Advisory Board: "The 'first rule' for password security should be the uniqueness of passwords."
In the case of important accesses in particular, it is necessary to increase security: a "second factor" is added to the password.
This can be an app or a specially secured USB stick that you have to connect to the computer to log in successfully.
If you want to log in to the tax office, for example, you first need a digital key.
For unimportant accounts, however, data economy is recommended.
If you simply need an account to access the list of recipes in a hobby cooking forum or a playlist in the Arte media library, you don't need a second factor, but you should avoid attackers being able to work their way from account to account.
Password managers are a valuable tool for not getting lost in the flood of passwords.
However, many users distrust the basic concept because they do not want to risk losing all their accounts at the same time.
Or they are afraid of being ripped off afterwards if it would be too expensive to switch to another service.
Here, the consumer protection advisory board promotes better education.
Another help for throwaway accounts are throwaway email addresses.
Many providers such as Mailbox.org offer temporary email addresses or pseudonyms that can be created quickly.
If a different email address is used for each account and personal data is missing, hacked accounts are a dead end.
And if you see that your account has been hacked, you can delete the associated email address.
Our current Netzwelt reading tips for SPIEGEL.de
»How a student lost all her savings to Europol rip-offs«
(nine minutes of reading)
A huge wave of fake calls is currently rolling through the country: the callers claim that they are calling from Europol and are trying a whole range of tricks to get the victims' money.
Most hang up on the calls right away, but anyone can become a victim of scams if caught at the right moment and with the right story.
"How to sell drugs online without getting caught" (four minutes of reading)
At the Defcon hacker conference, a former drug dealer gives tips on how to protect your own identity.
Some of his advice is also useful for ordinary people, but others endanger the innocent.
»For a long time I thought that anyone who writes viruses is a bad person.
But it's not that simple« (five minutes of reading)
Mikko Hyppönen has been hunting criminals for over 30 years, but also analyzes state Trojans.
He spoke to Patrick Beuth about criminals who blackmail patients in a psychiatric facility, his new book and late-night pizza meals.
External links: Three tips from other media
»The Rise of the Worker Productivity Score« (English, ten minutes read, subscription)
In more and more professions, computers monitor every work step and record exactly when and how much was done.
The »New York Times« shows how even pastoral care in the hospice becomes a kind of assembly line work.
»Putin fan by profession« (video, 12 minutes)
In »Tracks East«, the critical Russian medium doschd, which has long been banned in the country, has found a slot in exile.
The journalist Mascha Borzunova shows how Putin's war is being legitimized in Russia - also with the help of supposed "Western journalists", who hardly anyone in this country knows.
»Photo of people having fun with statues«
What is missing in view of the serious situation in the world?
A little silliness.
This Twitter account delivers what its name promises.
I wish you a good rest of the week
Torsten Kleinz