A good password is as long as possible, contains capital letters and special characters, and should be changed at regular intervals – such advice can be found on numerous websites.
Many of these recommendations are bad, says Anna Lena Fehlhaber. She works as a lecturer for “Human Factors in Cybersecurity” at Leibniz University in Hanover and researches the topic of “Security on the Internet”.
Fehlhaber regularly helps authorities with cyber security problems and regularly reports security gaps to companies such as Microsoft, Samsung, and Apple.
She knows that there is no such thing as 100% security on the Internet. But she also knows that consumers can do a lot to protect themselves. Especially when it comes to their login data for various services.
“What seems complicated to us is easy to crack for PCs”
“A secure password is a pseudo-random password,” says Fehlhaber in an interview with CHIP. A password that nobody created. People think in patterns. And such patterns can be easily deciphered by computers.
“What seems complicated to us is easy to crack for PCs,” she says. It also doesn’t help to use particularly long passwords and to replace letters like “E” with the euro sign. Computer systems see through this quickly.
But there are more misconceptions about passwords. “For example, you should change them regularly. Some companies even force their employees to change their passwords every month,” says Fehlhaber.
“This leads to people using unsafe practices. For example, you simply count up, then Klaus1# becomes Klaus2#.” According to the researcher, such a procedure makes passwords less secure rather than more secure.
“It’s better to use a pseudo-random password and change it when data leaks become known or you haven’t handled the password securely yourself,” says the researcher.
The system for people who don’t want to use a password manager
Handling a password insecurely means, for example, that a user has entered it in the wrong place, which happens quite often. Because people struggle not only with handling passwords securely but also with creating good ones, Fehlhaber recommends using a password manager.
This is a program that helps manage login credentials and creates pseudo-random passwords. Password managers are protected by so-called “master passwords”. But if someone cracks the “master password”, can’t all the stored logins then be read?
“That’s usually not possible. To do this, you would have to have access to the entire PC or mobile phone on which the manager is installed,” says Fehlhaber. If you don’t want to use a password manager, you can proceed differently.
“I would suggest a 3-category system,” says the lecturer. The concept she describes comes from research into human-computer interaction. She thinks it’s very practical.
“Category 1 is unimportant accounts, i.e. those that would not be a problem if you lost access to them. A simple password that is always the same is sufficient here, for example, ‘Sphinx’.”
With a 3-category system, users only have to remember a few passwords
According to the researcher, the second category includes important accounts, such as social media profiles or access to online shops. “The best thing to do is to generate a pseudo-random password and then use that for all of these accounts,” she says.
“Category 3 includes very important accounts, such as email or Google accounts. Here it is worth having a separate, pseudo-random password generated for each account and – if possible – activating 2-factor authentication.” With this scheme, users only have to remember around 5 passwords and are relatively safe on the go.
Fehlhaber also talks about the general surfing behavior. Especially about cookies. These are data records that are collected via the browser when you visit a website and stored on the end device.
This means that users do not have to log in to online services again if they switch their PC off and on again. The shopping cart in online shops also remains the same.
“That cookies are dangerous is only partly true”
The information that cookies collect about Internet users – for example, their IP addresses or the length of time they visit individual websites – can also be used for advertising purposes. In the past, many consumers didn’t care.
In 2020, a Forsa survey commissioned by Teambank revealed that 60 percent of Germans accept cookies when surfing the Internet without having read the exact provisions beforehand. With younger Internet users it was even 73 percent.
Consumer advocates repeatedly point out that the regulations should be read carefully and, above all, that third-party tracking cookies should be rejected. For security researcher Fehlhaber, however, there are a few important points to consider.
“That the datasets are dangerous is only partly true,” she says. “Cookies were ‘invented’ in 1994, around 30 years ago. Nowadays they are no longer the big problem. Much worse is the so-called canvas fingerprinting.” These are special techniques that allow Internet users to be uniquely identified.
“Canvas fingerprinting can do much more than cookies”
For example, the display of individual characters or emojis can be used to find out which operating system a consumer is using. The security status of the browser can also be queried. “Canvas fingerprinting can do a lot more than cookies and has been replacing them since 2014. It’s also much harder to limit,” says Fehlhaber.
This is an open-source browser for the operating systems Windows, macOS, Linux, Android, and Apple iOS. It is intended to offer particular security when surfing the web and to protect the privacy of its users by not leaving any traces in the form of cookies or in the cache locally on the PC or mobile phone.
If you don’t want to switch to a new browser, you have another option. According to Fehlhaber, extensions can also be installed in Firefox that limit user tracking.
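What such a tracking-limiting extension does at its core, as an added JavaScript example that is not from the article and not any particular extension’s code: a fingerprinting script draws text or emoji into a hidden canvas and then reads the pixels back, so the guard wraps that read-back on the canvas prototype, either just recording who asked (detection) or answering with a constant blank image (mitigation). The function names, the option names and the stand-in prototype used in the test are my assumptions.

```javascript
// Added example, not from the article and not any specific extension's code: the core of
// what a tracking-limiting extension does against canvas fingerprinting. The read-back of
// the drawn pixels (toDataURL) is the observable step, so that is what gets wrapped.

// A fixed 1x1 transparent PNG: in 'block' mode every site receives this same constant,
// so no device-specific rendering detail leaves the browser.
const BLANK_PNG =
  'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=';

// proto: HTMLCanvasElement.prototype in a browser, or a constructed stand-in (as in the test).
// mode 'log'   -> record each read-back and let it through (detection only)
// mode 'block' -> record it and answer with BLANK_PNG (mitigation; written for toDataURL,
//                 other read-back methods would need their own blank value)
function installCanvasGuard(proto, { mode = 'log', methods = ['toDataURL'], onRead = () => {} } = {}) {
  const log = [];
  const originals = {};
  for (const name of methods) {
    const original = proto[name];
    if (typeof original !== 'function') continue;
    originals[name] = original;
    proto[name] = function guarded(...args) {
      const entry = {
        method: name,
        size: `${this.width}x${this.height}`,
        // The stack shows which script asked for the pixels; in a browser this is
        // typically a third-party script URL, which is what a user would want reported.
        caller: (new Error().stack || '').split('\n').slice(2, 4).join(' | ').trim(),
        time: Date.now(),
      };
      log.push(entry);
      onRead(entry);
      return mode === 'block' ? BLANK_PNG : original.apply(this, args);
    };
  }
  // Restores the original methods, e.g. when the user disables the extension for a site.
  const uninstall = () => { for (const n of Object.keys(originals)) proto[n] = originals[n]; };
  return { log, uninstall };
}

// In a real extension's content script the call would be, for example:
//   installCanvasGuard(HTMLCanvasElement.prototype, { mode: 'block', onRead: console.warn });
```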