Ask the Expert: Secure passwords

Notice board with lots of notes tacked up including one with a password
What password security mistakes can you spot in this picture?
Welcome to our first ever “Ask the Expert” post! We’re joined by our email security expert Arne for a deep dive into the topic of passwords and online security. In an interview, he shares some do’s and don’ts about passwords and clears up some common misconceptions.

Blog: Arne, you’ve been in the field a while now, so you’ve probably seen some evolution of password standards. Has much changed?

Arne: Actually, there haven’t been all that many changes. Among IT security experts, the standard for truly secure passwords has remained fundamentally the same. We’ve always had one golden rule: The longer the password, the more secure it is!

Blog: And for users? Are there practices that are no longer up to date?

Arne: There have been some changes for users. In the past, the recommended length of a password was often eight characters or more, consisting of a seemingly random series of upper- and lowercase letters, numbers and special characters. I would no longer recommend this to anyone. Eight characters is simply too short and no longer secure by today’s standards. Twelve characters or more is much better!

Blog: Can you give us an example of a password that’s not that secure?

Arne: Sure. A widespread practice was to take a normal word and replace certain letters. For example, “password” would become “P@ssw0rt”. This resulted in an extremely unsafe password, because such minor changes are very easy to crack using a password-guessing algorithm.

Blog: And should people change their passwords regularly?

Arne: There used to be a sort of general recommendation to change your password at regular intervals. This is now considered outdated, because such periodic changes only have a limited effect on password security but can increase the risk of forgetting your password.

That said, if you’ve had your password for a very long time and use the same password for a lot of different logins, I would still suggest that you come up with a new one and change it once now.

Blog: So what recommendations still apply?

Arne: As I already mentioned, the most important thing is to make your password as long as possible. Every additional character significantly increases the security of a password. So this is the most important rule of thumb.

Blog: When people ask you, what suggestions do you have for coming up with a strong password?

Arne: I like to recommend the sentence- or word-combination method. I find this to be a really good way to create a very long password that is still easy to remember. An example would be “My-favorite-food-is-pizza.” Or you could simply create a chain of three or four unrelated words: “Desk-bicycle-backpack-vegetables.” Passwords like this are easy to recall – but thanks to their length, they’re very hard to crack.

Blog: Thanks for those examples – they really show what you mean by a secure password. And since there are dashes between all the words, they even meet the requirement for special characters!

Arne: That’s right – they have everything a password needs. But you still shouldn’t make the mistake of using the same password for multiple accounts. Email accounts in particular should always be protected with their own strong password.

Blog: You mean because you use your email address for so many different purposes?

Arne: Exactly. Your email address is your most important way of identifying yourself on the internet. You use it to log in to any number of online shops, social media platforms and other websites. So if anyone gains unauthorized access to your email inbox, they also get access to many other online services. That’s why it’s really important to give your email account maximum protection with a unique, extremely secure password!

Blog: OK, it makes sense that we should use different passwords. But then how do we remember all of them? Any helpful hints?

Arne: Of course it can be a challenge with a lot of passwords. Personally, I always take a sentence or a series of words and only change one part of it. For example:
  • “Desk-bicycle-mailbox-news” for my email account
  • “Desk-bicycle-friends-conversations” for my social media account
As you can see, the last two words in the series always have to do with the site I use the password for. So it’s easy for me to remember.

Blog: Do different standards for passwords apply depending on what I’m using them for? For example, can I hide a sticky note with my passwords under my keyboard at home – which of course I would never do in the office?

Arne: Generally speaking, the same standards apply for all systems. Your goal should always be to create a password that’s as strong as possible. However, there are certain differences. In the office, for instance, there are often very specific password rules defined by the company. And of course everyone should comply with those.

At home, anyone who has a hard time remembering their passwords can write them down and keep them in a safe place. There’s no way a hacker can see that piece of paper hidden under your keyboard! However, my recommendation here would be to write down a hint or a prompt rather than the password itself. And if you use the sentence method to create a password like “My-favorite-food-is-pizza,” you can write “What I like to eat” on your sticky note – that should be enough to recall the password.

Blog: What about saving passwords on my smartphone?

Arne: I would strongly discourage people from saving passwords in their smartphone’s address book. A lot of apps can access the data in your contacts and may transmit this data to the app’s server. That means you no longer have any control over where your password may be stored in plain text.

Blog: Are there any good alternatives?

Arne: If you’d like to make a digital note of your passwords instead of using a piece of paper, I would recommend using a password manager. Nowadays a lot of browsers and smartphone operating systems already have integrated password managers. The important point here is that the password manager itself should be protected with a very strong password, like a long sentence. Or you should make sure that your smartphone is protected with a PIN.

Blog: Last but not least, are there really still users who choose extremely weak passwords like “Passwort123” or “111111”?

Arne: The answer is unfortunately yes – there are still users who are very careless with their passwords. And simple passwords like the ones you mentioned offer practically no protection at all.

Blog: Thanks for taking the time to talk to us, Arne!
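To put numbers behind the interview’s three claims (length matters most, leet-style substitutions like “P@ssw0rt” add almost nothing, and a chain of unrelated words is strong), here is an added guess-space estimate. It is example code written for this page, not something from the interview or from 1&1; the dictionary size, the number of substitution rules, the word-list size and the guess rate are all labelled assumptions.

```python
"""Guess-space estimates for the password styles discussed in the interview.

Added example, not part of the original post. All sizes below are assumptions
chosen to be conservative; real dictionaries, cracking rule sets and hardware vary.
"""
import math
import string

# Character classes a "random 8+ mixed characters" policy typically draws from (94).
CHARSET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)

# Assumption: a common-word dictionary of 100,000 entries and six predictable
# toggles (a->@, o->0, s->$, i->1, e->3, capitalise first letter). Each toggle is
# either applied or not, so all of them together add at most six bits.
DICTIONARY_SIZE = 100_000
SUBSTITUTION_RULES = 6

# Assumption: a passphrase word list of 7,776 words (the size of a list indexed
# by five dice rolls), with each word chosen uniformly at random.
PASSPHRASE_WORDS = 7_776


def random_chars_bits(length: int, charset_size: int = CHARSET_SIZE) -> float:
    """Entropy in bits of a uniformly random string of `length` characters."""
    return length * math.log2(charset_size)


def mangled_word_bits(dictionary_size: int = DICTIONARY_SIZE,
                      rules: int = SUBSTITUTION_RULES) -> float:
    """Entropy of a dictionary word with optional leet substitutions ("P@ssw0rt")."""
    return math.log2(dictionary_size) + rules


def passphrase_bits(words: int, list_size: int = PASSPHRASE_WORDS) -> float:
    """Entropy of `words` words drawn uniformly from a list of `list_size` words."""
    return words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at the given offline rate (assumption: 10^10/s)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    for label, bits in [
        ("8 random mixed characters", random_chars_bits(8)),
        ("12 random mixed characters", random_chars_bits(12)),
        ('dictionary word + leet ("P@ssw0rt")', mangled_word_bits()),
        ("4-word passphrase (Desk-bicycle-...)", passphrase_bits(4)),
    ]:
        print(f"{label:40s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
```

Under these assumptions the mangled word sits around 23 bits, four random words around 52 bits (on a par with eight fully random characters, while being far easier to remember), and twelve random characters near 79 bits; each extra word or character multiplies the search space rather than adding to it.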
About our expert:
Arne Allisat has been working in email security at our company for six years now. As Head of Mail Application Security at 1&1 Mail & Media, his focus is on the security of email accounts. He and his team spearhead the fight against spam and other potential security risks. Ongoing professional development and regular dialog with other IT security experts are all in a day's work for Arne.
Did this interview help answer your questions about safe passwords? We look forward to your feedback below!

Image: 1&1/Shutterstock
