Ask the Expert: Strong passwords

Notice board with lots of notes tacked up including one with a password
What password security mistakes can you spot in this picture?
Welcome to our first ever “Ask the Expert” post! We’re joined by our email security expert Arne for a deep dive into the topic of passwords and online security. In an interview, he shares some do’s and don’ts about passwords and clears up some common misconceptions.
blog: Arne, you’ve been in the field a while now, so you’ve probably seen some evolution of password standards. Has much changed?
Arne: Actually, there haven’t been all that many changes. Among IT security experts, the standard for truly secure passwords has remained fundamentally the same. We’ve always had one golden rule: The longer the password, the more secure it is!
blog: And for users? Are there practices that are no longer up to date?
Arne: There have been some changes for users. In the past, the recommended length of a password was often eight characters or more, consisting of a seemingly random series of upper- and lowercase letters, numbers and special characters. I would no longer recommend this to anyone. Eight characters is simply too short and no longer secure by today’s standards. Twelve characters or more is much better!
blog: Can you give us an example of a password that’s not that secure?
Arne: Sure. A widespread practice was to take a normal word and replace certain letters. For example, “password” would become “P@ssw0rt”. This resulted in an extremely unsafe password, because such minor changes are very easy to crack using a password-guessing algorithm.
blog: And should people change their passwords regularly?
Arne: There used to be a sort of general recommendation to change your password at regular intervals. This is now considered outdated, because such periodic changes only have a limited effect on password security but can increase the risk of forgetting your password.
That said, if you’ve had your password for a very long time and use the same password for a lot of different logins, I would still suggest that you come up with a new one and change it once now.
blog: So what recommendations still apply?
Arne: As I already mentioned, the most important thing is to make your password as long as possible. Every additional character significantly increases the security of a password. So this is the most important rule of thumb.
blog: When people ask you, what suggestions do you have for coming up with a strong password?
Arne: I like to recommend the sentence- or word-combination method. I find this to be a really good way to create a very long password that is still easy to remember. An example would be “My-favorite-food-is-pizza.” Or you could simply create a chain of three or four unrelated words: “Desk-bicycle-backpack-vegetables.” Passwords like this are easy to recall – but thanks to their length, they’re very hard to crack.
blog: Thanks for those examples – they really show what you mean by a secure password. And since there are dashes between all the words, they even meet the requirement for special characters!
Arne: That’s right – they have everything a password needs. But you still shouldn’t make the mistake of using the same password for multiple accounts. Email accounts in particular should always be protected with their own strong password.
blog: You mean because you use your email address for so many different purposes?
Arne: Exactly. Your email address is your most important way of identifying yourself on the internet. You use it to log in to any number of online shops, social media platforms and other websites. So if anyone gains unauthorized access to your email inbox, they also get access to many other online services. That’s why it’s really important to give your email account maximum protection with a unique, extremely secure password!
blog: Ok, it makes sense that we should use different passwords. But then how do we remember all of them? Any helpful hints?
Arne: Of course it can be a challenge with a lot of passwords. Personally, I always take a sentence or a series of words and only change one part of it. For example:
  • “Desk-bicycle-mailbox-news” for my email account
  • “Desk-bicycle-friends-conversations” for my social media account
As you can see, the last two words in the series always have to do with the site I use the password for. So it’s easy for me to remember.
blog: Do different standards for passwords apply depending on what I’m using them for? For example, can I hide a sticky note with my passwords under my keyboard at home – which of course I would never do in the office?
Arne: Generally speaking, the same standards apply for all systems. Your goal should always be to create a password that’s as strong as possible. However, there are certain differences. In the office, for instance, there are often very specific password rules defined by the company. And of course everyone should comply with those.
At home, anyone who has a hard time remembering their passwords can write them down and keep them in a safe place. There’s no way a hacker can see that piece of paper hidden under your keyboard! However, my recommendation here would be to write down a hint or a prompt rather than the password itself. And if you use the sentence method to create a password like “My-favorite-food-is-pizza,” you can write “What I like to eat” on your sticky note – that should be enough to recall the password.
blog: What about saving passwords on my smartphone?
Arne: I would strongly discourage people from saving passwords in their smartphone’s address book. A lot of apps can access the data in your contacts and may transmit this data to the app’s server. That means you no longer have any control over where your password may be stored in plain text.
blog: Are there any good alternatives?
Arne: If you’d like to make a digital note of your passwords instead of using a piece of paper, I would recommend using a password manager. Nowadays a lot of browsers and smartphone operating systems already have integrated password managers. The important point here is that the password manager itself should be protected with a very strong password, like a long sentence. Or you should make sure that your smartphone is protected with a PIN.
blog: Last but not least, are there really still users who choose extremely weak passwords like “Passwort123” or “111111”?
Arne: The answer is unfortunately yes – there are still users who are very careless with their passwords. And simple passwords like the ones you mentioned offer practically no protection at all.
blog: Thanks for taking the time to talk to us, Arne!
About our expert:
Arne Allisat has been working in email security at our company for six years now. As Head of Mail Application Security at 1&1 Mail & Media, his focus is on the security of email accounts. He and his team spearhead the fight against spam and other potential security risks. Ongoing professional development and regular dialog with other IT security experts are all in a day's work for Arne.
Did this interview help answer your questions about safe passwords? We look forward to your feedback below!

Image: 1&1/Shutterstock
