IT security: no more new passwords – Economy

Old habits die hard, and that applies to companies as well as to private individuals. Although we have known better for a long time, many companies still oblige their employees not only to make passwords very complex but also to change them every few months. And who can remember them? Exactly: nobody. So people stick them to the monitor or to the underside of the keyboard, or they always use the same scheme and only change one or two digits. Both are, of course, an invitation to attackers.

Even worse is using the same password for multiple services. This increases the risk that, once it leaks through a single security hole, it will be used for all sorts of things. So it really is time to break these habits. That the Federal Office for Information Security (BSI) now sees it that way is correct, but also overdue. The authority, like many experts before it, now advises against overly complex passwords that have to be changed often.

But why should criminals even care about the passwords of ordinary people, and how do they actually get hold of them? Working login credentials for online retailers, for example, can be abused directly. Or the captured data is sold on, which is especially worthwhile when there is a lot of it. And that is exactly what criminals obtain when, for example, they exploit a mistake made while setting up a database. If this happens to a large provider, several million combinations of email addresses and passwords can end up on the black market. With companies, the goal is typically access to the corporate network. Once the criminals are inside, they can often dig through to the company’s data treasures, or plant an encryption trojan that encrypts all data and only releases it again for a ransom.

The passwords are usually stored in encrypted form, but laypeople completely underestimate how quickly they can be cracked with readily available programs. Set loose on a list of stolen online accounts, it takes only a fraction of a second for the first passwords to appear in plain text. These belong to the careless or clueless people who still think 123456 or their dog’s name make good passwords. Whole dictionaries are compared against the encrypted data at an unbelievable speed, and often enough there are hits.

To avoid this as far as possible, three things help. First, passwords should be long: the longer the password, the longer the cracking programs need. To make passwords easier to remember, you can use the first letters of a sentence. The previous sentence (in its German original) would look like this: UsdPlmzk,kmdAeSv. Better still, include digits as well, which further increases the difficulty for the attackers. An example: a password with five lowercase letters is cracked in 0.07 seconds. One with eight lowercase and uppercase letters, special characters and digits, on the other hand, keeps the computer busy for a year and two and a half months, which is usually unprofitable for the attackers.

Second: whenever a provider offers it, users should use what is known as two-factor authentication. With each login, for example, a numeric code is sent to the mobile phone via SMS, without which you cannot sign in. An attacker would therefore also need access to the mobile phone. Third, and most important: do not use the same password for multiple services, as this greatly increases the risk of an attack and its unpleasant consequences.

So it’s not all that difficult. One can only speculate as to why many people still do not follow these rules. It must be a mixture of laziness, carelessness and ignorance. And, in contrast to the analogue world, the digital world is abstract. Who would ever think of leaving the windows and doors of their apartment wide open at all times?