Passwords protect your data from access by unauthorized persons. Someone merely reading protected data is bad enough; someone manipulating your data can put you in a very unpleasant situation. This guide is intended to help you create secure passwords.
Guidelines for passwords for the kiz account
The identity management system, through which you change the password of your kiz account for individual services or for all subscribed services at once, enforces a minimum standard for passwords:
The password must have between 8 and 16 characters.
The password must not contain spaces.
The password must not contain the user name, your real name or your date of birth.
The password must contain characters from at least three of the following four classes:
Capital letters (a capital letter in the first position does not count)
Lower case letters
Digits
Special characters
Tips for good passwords
A password should be easy for a human to remember and difficult for a computer to guess. What a good password should look like is a matter of debate and cannot be answered unambiguously; there are two prevailing opinions and recommendations. According to them, a secure password fulfils at least one of the following two criteria:
preferably complex: it consists of characters drawn from a very large character set (for example "nmEnL7m-d:[a")
preferably long: the character set hardly matters here, the main thing is that the password is very long (for example "correcthorsebatterystaple")
More important than the actual composition of the password, however, is that it is genuinely chosen at random and, above all, used for one service only. Computers are very good at recognizing patterns. A password that follows a simple pattern or that reflects personal characteristics or preferences (e.g. "I ride a bicycle") can be guessed very quickly by a computer. If the same password is also used for several services, a leak at any one of them exposes all the others, and the damage is correspondingly huge.
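The two criteria above (complex vs. long) can be compared with a short entropy calculation. The following Python is an added example written for this guide, not part of the original page or of any kiz tool: for a password chosen uniformly at random from a character pool, the entropy is length times log2(pool size); for a passphrase of words drawn at random from a word list, it is the number of words times log2(list size). The 7776-word list size is the common Diceware size and is assumed here. The numbers only hold if the password really was chosen at random; the same formula applied to "correcthorsebatterystaple" as if it were 25 random letters shows how badly a naive meter overestimates.

```python
import math

# Sizes of the standard printable-ASCII character classes (no space,
# since the kiz rules forbid spaces anyway).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def detect_charset_size(password: str) -> int:
    """Size of the smallest standard pool the password could have been
    drawn from (lower/upper/digit/special, summed for the classes seen)."""
    size = 0
    if any(c.islower() for c in password):
        size += CHARSET_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CHARSET_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CHARSET_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CHARSET_SIZES["special"]
    return size


def random_password_bits(password: str) -> float:
    """Entropy in bits IF the password was chosen uniformly at random
    from the detected pool: length * log2(pool size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(detect_charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy in bits of word_count words, each picked uniformly at
    random from a list of dictionary_size words."""
    return word_count * math.log2(dictionary_size)


def seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to hit the password: half the search space divided
    by the attacker's guessing rate (1e10/s is an assumed offline rate)."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    complex_pw = "nmEnL7m-d:[a"            # 12 chars from a 94-char pool
    print(f"{complex_pw}: {random_password_bits(complex_pw):.1f} bits, "
          f"{seconds_to_crack(random_password_bits(complex_pw)) / 86400:.0f} days")
    # 4 words from a 7776-word list: this is the honest figure
    phrase_bits = passphrase_bits(4, 7776)
    print(f"4 Diceware words: {phrase_bits:.1f} bits, "
          f"{seconds_to_crack(phrase_bits) / 86400:.1f} days")
    # Treating the same phrase as 25 random lower-case letters is what a
    # naive meter does; the result is far too optimistic.
    naive = random_password_bits("correcthorsebatterystaple")
    print(f"same phrase, naive estimate: {naive:.1f} bits")
```

The point of the last line is the caveat from the entropy discussion below: a meter that only looks at length and character classes cannot tell a random string from four dictionary words, so it reports about 117 bits for a passphrase that is really worth about 52.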
When handling passwords, the following points are therefore the most important:
Passwords should be chosen at random.
Passwords should be changed as soon as you suspect that a third party has learned them.
Passwords must not be reused. A unique password must be chosen for every service.
Passwords are private and secret. They must never be shared with anyone.
Below you will find further information on designing and handling passwords.
Secure password: BSI recommendations
BSI tips for passwords:
A sufficient number of characters: at least 8, but 12 are recommended.
Make sufficient use of the character set: upper and lower case letters, digits and special characters.
Avoid digits at the end of the password.
No dictionary words, no names of friends, family members or celebrities, and no dates of birth. Simple character substitutions within words (e.g. "1" for "i", "3" for "e", etc.) are not sufficient.
Do not use keyboard patterns ("qwertz", "asdf", "yaqxsw", etc.).
Examples of good passwords:
Examples of bad passwords:
Pa$$w0rt:01/18 (a dictionary word with simple substitutions, a counter and a year)
Hund3hü77e#1 (a dictionary word with simple substitutions and a counter)
Many people find it difficult to create a good and, above all, random password themselves. A computer usually creates better passwords, so password generators are a useful aid; they can also produce pseudo-random passwords in large quantities in a short time.
If you use a generator, make sure the generator itself is trustworthy. With online generators in particular, check that the page carries no advertising, loads no content from third parties (Google APIs, Google Analytics), has no social media buttons (Facebook like etc.) and is delivered over TLS (look for the lock icon next to the address).
For smartphone apps, pay attention to the permissions they request. A password app that displays advertising and requires Internet access is not trustworthy under any circumstances.
Many password managers also bring generators with them. So passwords can be generated and managed easily (see Remembering and managing passwords).
BSI compliant passwords
pwgen for Linux (install with, for example, "sudo apt install pwgen")
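To make the kiz minimum standard above concrete, and to show what a trustworthy generator does internally, here is an added Python example. It is written for this guide and is not the code of the kiz identity management system or of pwgen; the four character classes are assumed to be upper case, lower case, digits and special characters (as in the BSI list), and "the first character does not count" is implemented by ignoring a capital in position one. The generator draws from the operating system's cryptographic random source via the secrets module and simply retries until the result passes the same checker, which keeps the result uniformly random over all accepted passwords.

```python
import secrets
import string

# The four character classes assumed for the "three of four" rule.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation)   # 32 printable specials, no space


def kiz_rule_violations(password, username="", real_name="", birthdate=""):
    """Return the list of kiz minimum-standard rules the password breaks.
    An empty list means the password is accepted by these rules (which
    says nothing about whether it is a good password)."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16 characters")
    if " " in password:
        problems.append("must not contain spaces")
    lowered = password.lower()
    for label, forbidden in (("user name", username),
                             ("real name", real_name),
                             ("date of birth", birthdate)):
        # check the whole string and each word of it ("Max Mustermann")
        for token in [forbidden] + forbidden.split():
            if token and token.lower() in lowered:
                problems.append(f"must not contain the {label}")
                break
    classes = 0
    if any(c in UPPER for c in password[1:]):   # first character ignored
        classes += 1
    if any(c in LOWER for c in password):
        classes += 1
    if any(c in DIGITS for c in password):
        classes += 1
    if any(c in SPECIAL for c in password):
        classes += 1
    if classes < 3:
        problems.append("must use at least three of: upper case (not counting "
                        "the first character), lower case, digits, special characters")
    return problems


def generate_kiz_password(length=16, username="", real_name="", birthdate=""):
    """Generate a random password from the full 94-character pool and
    retry (rejection sampling) until it satisfies kiz_rule_violations."""
    alphabet = "".join(sorted(UPPER | LOWER | DIGITS | SPECIAL))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not kiz_rule_violations(candidate, username, real_name, birthdate):
            return candidate


if __name__ == "__main__":
    # A password that satisfies the formal rules but is still bad
    # (dictionary word, substitutions, counter, year):
    print("Pa$$w0rt:01/18 ->", kiz_rule_violations("Pa$$w0rt:01/18") or "accepted")
    print("Password1      ->", kiz_rule_violations("Password1"))
    print("generated      ->", generate_kiz_password(
        username="mmustermann", real_name="Max Mustermann", birthdate="18.02.1995"))
```

Note that "Pa$$w0rt:01/18" from the list of bad passwords passes every formal rule: the rules are a floor, not a measure of quality, which is why the check against common-password lists further down matters.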
How good a password actually is is hard to measure. The keyword here is the entropy of a password, in this context a measure of how many attempts are needed to guess it. Entropy is based purely on mathematical properties (length and character set) and usually ignores patterns in the password and knowledge about the user, which is exactly what professional attackers exploit. Unfortunately, we cannot recommend any online password meter/checker. All of them have privacy flaws and should not be used.
You should definitely check your password against a list of the most common passwords. If your password appears on such a list, it will be cracked faster than you can type it (The 10,000 most common passwords).
Remember and manage passwords
For the normal user it is difficult to remember all their passwords, and strict requirements for many different passwords are a nuisance. Passwords should therefore be stored or managed somewhere.
Storing them in plain text on the computer or writing them on sticky notes is of course not a suitable solution. Passwords must always be stored encrypted and protected from access by third parties.
The use of so-called password safes/managers, in which the access data is stored in encrypted form, can be a considerable relief if chosen appropriately and handled properly.
Password managers come in many different forms and often differ significantly in their range of functions. Operating systems often ship with one (macOS Keychain, Ubuntu Seahorse), and even the most common browsers have an integrated password manager ("Do you want to save this password?").
Depending on the product, a password manager can:
fill passwords directly into form fields in the browser,
synchronize passwords between devices,
generate passwords according to definable quality criteria,
set an expiry date so that the need for a change is indicated visually.
If a tool is to be used to store passwords, the requirements described below must be observed:
It must not be possible to open the password store without entering a master password; in particular, the master password must not be "remembered".
After a specified period of inactivity, the password store should lock itself automatically.
A suitable, current encryption method with a sufficient key length must be used.
Since access to the password safe itself must be very well secured, access with two-factor authentication should be possible.
The product should be trustworthy. Ideally, the source code should be freely available so that it can be examined by independent experts. Security relevant certifications are recommended. In particular, web-based password management services should only be used if the reliability of the service provider is in reasonable proportion to the protection requirements of the passwords managed with it.
Password managers may only be used on trustworthy IT systems.
Automatic filling of login forms (autofill without user interaction) must be disabled, because a script on a web page can place hidden form fields, have the password manager fill them, and send the stored access data to a remote server.
Do not let anyone look over your shoulder when entering passwords. Pay attention to your surroundings.
Check your computer regularly for malware. If you suspect that your computer has been tampered with, check whether a so-called keylogger has been installed. Keyloggers record keystrokes; they can be software or small hardware devices placed between the keyboard and the computer or plugged into a USB port.
Where to register
You should only enter your access data on trustworthy devices, never on public, uncontrollable systems such as Internet cafés or hotel lobbies.
To prevent authentication data from being eavesdropped during entry or during transmission to the target system, make sure the transmission is secure.
Public WLAN networks in particular carry the risk that attackers eavesdrop on network traffic. Attackers can also set up their own WLAN networks to misdirect users and record and manipulate their data ("man-in-the-middle attack"). Therefore, only enter your credentials in trusted network environments.
For web services, the login must always be encrypted. This is indicated by a closed lock icon and the prefix "https://" in the browser's address bar. When typing an address, also watch out for spelling mistakes: attackers register addresses with typical typos to lure users onto fake login pages (e.g. yuotube.com).
Ending a session
Even the best password is useless if the computer is left unattended and running sessions are left open unprotected.
End your session (log out) when you have finished your work. If you leave your computer or workstation, lock it, even for a short absence. Configure the lock so that unlocking requires entering the password.
Some websites use session cookies with a certain lifetime during which you remain logged in. If a website offers no way to log out, close the browser completely to end the session and log out effectively.
Help, I was hacked
If you suspect that you have been "hacked", for example because mails you did not write were sent from your account, or if someone has learned your password, change your password in any case, and change it for every other service where you used the same one.
Online services are under constant attack, and time and again sensitive information such as user names and passwords of user accounts is stolen. Such lists are then offered for sale on the darknet. You can check whether your data appears on such a list.