BSI Advisory Board warns against overly complex passwords and constant renewal


Forcing users to change passwords regularly is a bad idea. So are default passwords shipped in devices.

The Advisory Board on Digital Consumer Protection at the BSI recommends password managers and two-factor authentication (2FA). At the same time, it criticizes passwords that are too simple, but also those that are too complex. In addition, the experts warn against the practice, still found in places, of forcing users to change their passwords on a regular basis. That backfires, because users then usually enter easily guessed variations of the old password, as research has shown for years. Insecure or compromised passwords must of course be changed immediately.

In its recommendations for action on password security, the Advisory Board also complains that device manufacturers often ship products with default passwords; consumers then bear the risk of attack until they change them. End users are also the ones left holding the bag when access credentials and other data are disclosed or stolen “due to a lack of security precautions on the part of the providers”. This can have enormous potential for damage, especially if the users “have adhered to strict password specifications and have used their password, which they thought was safe, for several services”.

At the same time, users “frequently use passwords that are still too weak,” the advisory board notes. Two-factor authentication (2FA) helps here. The second factor does not necessarily have to be a code delivered via SMS or e-mail, channels which are themselves vulnerable; independent apps such as Authy, FreeOTP or Google Authenticator make two-factor authentication painless (c’t 24/2018 p. 178).

2FA must be “accompanied by organizational measures”, such as limiting the maximum session duration or prohibiting parallel sessions. It is also advisable to use a separate device for the second factor: a mobile phone, for example, when logging in from a desktop application.

The experts point out that the term “two-factor authentication” is known without further explanation to only 43 percent of all Internet users aged 16 and over. SMS TANs and codes sent by e-mail are the most commonly used methods. Half of those familiar with 2FA would not mind an additional query at login if they could choose the method themselves. Service providers should therefore offer a choice of several methods.

Among the best practices, the Advisory Board lists as the “first rule” that relevant credentials should be “unique”: a different password should be used for each account. The guide advises against “overly complex passwords” made of a sequence of random characters “the length of which exceeds what is currently required by accepted rules”. It is better to use longer passwords or multi-word phrases that are “easier to remember,” the guide says.

“The protection of access data is not a trivial task,” states the advisory board. In many everyday situations, consumers “struggle with a lack of attention and time”. It is important to recognize these challenges, so communication about passwords should not overwhelm users. Writing down credentials “should not be presented as negative per se”. It would be better to provide consumers with information “on how to keep passwords safe on paper”.

According to the handout, “relying on technical support such as a password manager” seems to many people to be “only a limited solution”: with such a tool, they often cannot understand how the credentials stored in it are actually protected. The authors concede that such instruments carry “residual risks”, but argue that these should be weighed against greater dangers such as password reuse. In addition, many consumers do not know that password managers can protect against entering passwords on fake websites in phishing attacks.
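The phishing protection mentioned above comes from the manager keying each saved credential to the origin it was saved on and refusing to fill anywhere else, where a human reading the address bar would be fooled by a lookalike. The following is an added example, not code from the article or from any particular password manager. It assumes a constructed vault with one entry and matches on exact scheme and host; real managers typically match on the registrable domain using a public-suffix list, which is omitted here to keep the example self-contained.

```python
from urllib.parse import urlsplit

# Constructed vault: (scheme, host) -> (username, password). Not real credentials.
VAULT = {
    ("https", "accounts.example.com"): ("alice", "correct horse battery staple"),
}


def credentials_for(page_url: str):
    """Return the stored credential for the page's origin, or None.

    The origin is derived from the parsed URL, never from a substring match, so the
    usual phishing tricks fail: a lookalike host, the real host as a subdomain of an
    attacker's domain, the real host placed in the userinfo part before an '@',
    and a plain-http downgrade all yield an origin that is not in the vault.
    """
    parts = urlsplit(page_url)
    host = (parts.hostname or "").lower()      # hostname strips userinfo and port
    if parts.scheme != "https" or not host:
        return None                            # never fill over plaintext or with no host
    return VAULT.get((parts.scheme, host))


def would_autofill(page_url: str) -> bool:
    """Convenience wrapper for the decision a manager makes on page load."""
    return credentials_for(page_url) is not None


if __name__ == "__main__":
    # Constructed sample of URLs a user might land on; only the first is the real site.
    pages = [
        "https://accounts.example.com/login",
        "https://ACCOUNTS.example.com:443/login?next=/",
        "https://accounts.example.com.evil.tld/login",
        "https://accounts-example.com/login",
        "https://accounts.example.com@evil.tld/login",
        "http://accounts.example.com/login",
    ]
    for url in pages:
        print(f"{'FILL   ' if would_autofill(url) else 'REFUSE '} {url}")
```

The check is deliberately strict rather than clever: an origin either equals a stored one or it does not. That strictness is exactly what the article is pointing at, since a user who has been trained to enter a “secure” password by hand will type it into the lookalike, while the manager simply stays silent there.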

In addition to security researchers and consumer advocates, the Digital Consumer Protection Advisory Board includes representatives of think tanks, industry associations and civil society organizations such as the Chaos Computer Club (CCC). The BSI itself has published its own guide to creating secure passwords. In the period 2022/23, the Advisory Board will mainly deal with the controversial topic of digital identities from the consumer perspective.
