
Times are also changing when it comes to security. A security tip that was often given in the past frequently has the opposite effect in practice. The BSI expressly warns against it.
The so-called “Change Your Password Day” on February 1st is intended to remind people to renew their passwords regularly. But this security tip is no longer valid. The BSI warns against blanket password changes, saying that this is no longer an appropriate protective measure.
The reason is that the negative effects of this tip have often been seen in practice. Many companies have password changes on their list of regular measures; for example, the Outlook password has to be changed once a month.
However, this often leads to users increasingly resorting to weak, easily predictable passwords: password_01 becomes password_02 in February and then password_03 in March.
Other password rules are more important

Karin Wilhelm, consumer protection expert at the BSI, explains:
“Most people have numerous user accounts – for example in online shops, social networks and email providers. Many of these accounts contain sensitive data such as real names, addresses or credit card information. It is therefore important to protect them from unauthorized access. However, a routine password change does not automatically increase security.”
Instead, the following points are more important when protecting passwords:
- Password should be strong and unique.
- It should also be supplemented with a second factor or replaced with a passkey.
Uniqueness here means that a separate password is chosen for each user account. If one password falls into someone else’s hands, for example through a data leak or a phishing attack, the person’s other user accounts are not affected.
The most important tool for password management is a password manager, which helps you keep track of your passwords. However, even a complex password does not offer 100% protection. The BSI therefore recommends activating two-factor authentication (2FA).
In addition to the password, users also enter a code when logging in, which is delivered to their smartphone via a pre-installed authenticator app. This additional layer of security makes it much more difficult for attackers to gain access to accounts, even if they know the password.
Passkeys offer a modern alternative to classic passwords. The method is based on cryptographic procedures and enables secure, often biometrically supported authentication without a password.
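The code-based second factor described above, shown as an added example that is not from the article or from the BSI: a server-side login check that requires both the password and a valid one-time code. It assumes the authenticator app is TOTP-based (RFC 6238), which is the common case but is not stated on the page. The user store, the salt and the hashed password are constructed for illustration; the TOTP secret is the RFC 6238 reference test secret, chosen only so the expected codes are known.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second time step.
    This is what the authenticator app on the phone computes from its stored secret."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, candidate: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Server side: accept the code for the current step or its immediate neighbours (clock skew).
    compare_digest keeps the comparison constant-time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), candidate)
        for delta in range(-window, window + 1)
    )


# Constructed user store: username -> (password hash, TOTP secret).
# A fixed salt is used only to keep the example short; real systems use a random salt per user.
_SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    # The secret is the RFC 6238 reference test secret, not a real credential.
    "alice": (hash_password("correct horse battery staple"), b"12345678901234567890"),
}


def login(username: str, password: str, otp: str, at=None) -> bool:
    """Two-factor check: a correct password alone never succeeds, a valid current code is required."""
    record = USERS.get(username)
    if record is None:
        return False
    password_hash, totp_secret = record
    if not hmac.compare_digest(hash_password(password), password_hash):
        return False
    return verify_totp(totp_secret, otp, at=at)


if __name__ == "__main__":
    secret = USERS["alice"][1]
    print("code at T=59:", totp(secret, at=59))  # RFC 6238 vector, 6 digits: 287082
    print("password only, wrong code:", login("alice", "correct horse battery staple", "000000", at=59))
    print("password plus valid code:", login("alice", "correct horse battery staple", totp(secret, at=59), at=59))
```

The point the article makes is visible in the last two lines: knowing the password gets an attacker nothing without the current code, and the code changes every 30 seconds.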

Change Your Password Day should therefore no longer be taken literally as a call to change passwords across the board. But you can still take it as an opportunity to check your own passwords. Many password managers do this automatically.
For example, insecure passwords are highlighted, as are reused passwords and passwords that have appeared in a data leak. So if you want to do something for your password security, you can have the password manager search for weak passwords once a year and change them or replace them with passkeys.
However, simply changing a secure password does not provide any security gain.
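An added example, not from the article, of the kind of audit a password manager runs: it flags the three categories named above (weak, reused, appeared in a leak) and additionally the predictable-rotation pattern from the password_01 / password_02 discussion, which is only detectable when the previous password is known. The vault contents, the leaked-password set and the strength heuristic are all constructed for illustration; a real manager queries a leak database instead of holding a plaintext list.

```python
import re
from collections import Counter

# Constructed sample vault: account -> (current password, previous password or None).
# None of these are real credentials.
SAMPLE_VAULT = {
    "outlook": ("password_03", "password_02"),           # forced monthly rotation, only the counter moved
    "shop":    ("Tr0ub4dor&3_2024", None),
    "social":  ("Tr0ub4dor&3_2024", None),               # same password as "shop"
    "bank":    ("correct horse battery staple", None),
    "forum":   ("summer2024", None),
}

# Constructed stand-in for a breach corpus.
LEAKED_PASSWORDS = {"summer2024", "123456", "password"}

_NUMERIC_SUFFIX = re.compile(r"^(.*?)(\d+)$")
_WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d*$")


def is_weak(password: str, min_len: int = 12) -> bool:
    """Crude strength heuristic: too short, or a single dictionary-style word with digits appended."""
    return len(password) < min_len or bool(_WORD_PLUS_DIGITS.match(password))


def is_predictable_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only its trailing counter changed
    (password_01 -> password_02), or is not actually different."""
    if old.lower() == new.lower():
        return True
    m_old, m_new = _NUMERIC_SUFFIX.match(old), _NUMERIC_SUFFIX.match(new)
    return bool(m_old and m_new and m_old.group(1).lower() == m_new.group(1).lower())


def audit_vault(vault=SAMPLE_VAULT, leaked=LEAKED_PASSWORDS) -> dict:
    """Return account -> list of findings, in the order weak, leaked, reused, predictable_rotation."""
    usage = Counter(current for current, _ in vault.values())
    report = {}
    for account, (current, previous) in vault.items():
        findings = []
        if is_weak(current):
            findings.append("weak")
        if current in leaked:
            findings.append("leaked")
        if usage[current] > 1:
            findings.append("reused")
        if previous is not None and is_predictable_rotation(previous, current):
            findings.append("predictable_rotation")
        report[account] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_vault().items():
        print(f"{account:8s} {', '.join(findings) or 'ok'}")
```

Running it shows why the article's advice is the right one: the "outlook" entry has been rotated every month and is still the weakest item in the vault, while the long passphrase on "bank" passes without ever having been changed.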