Yubico comments on the password check of the Bavarian State Ministry for Digital Affairs

How secure does a password need to be?

A false sense of security

By Alexander Koch, VP Sales EMEA, Yubico


The Bavarian State Ministry of Digital Affairs has set up a password check as a new function. The offer promises an examination of passwords in terms of their security and gives an assessment of how long it would take a hacker to crack the password. To do this, you enter your password on the ministry's website and then receive an assessment. What feels like a well-intentioned training measure for password security immediately reveals the first wrong step: entering a password on a website and having it checked. Even if this is done under the protective cloak of a ministry, it conveys a sense of normalcy towards phishing methods, which are used to trick users into handing over their credentials. Note: Never share your password on the Internet, even on a supposedly secure official site.

However, the main problem of the password check lies in its outdated approach and the requirements that underlie it – password guidelines on character mix, dictionary words, number sequences and the like. These guidelines have been considered insufficient for years and do not provide adequate protection on their own. In this context, a Bitkom study from February 18 this year is interesting, in which 75 percent of the respondents stated that they should pay attention to the supposedly secure mix of characters and use strong passwords. However, the general handling of passwords is also striking – a still far too large share of 29 percent of respondents use the same or a similar password for different services. The fact that cybercrime is also a serious danger for private individuals often seems to be forgotten.
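As an added illustration of why character-mix guidelines give a false sense of security (example code written for this article, not Yubico's or the ministry's tool): a classic composition rule is run beside a check that looks at what a password is actually built from. The wordlist and sample passwords are constructed for the demo, and everything runs locally, so no password leaves the machine.

```python
import re

# Constructed toy wordlist for the demo; a real check would load a large
# list of common or breached passwords from local storage.
COMMON_WORDS = {"password", "summer", "welcome", "qwerty", "bayern"}

# Substitutions that composition rules reward but attackers try first.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def composition_rule(pw: str) -> bool:
    """The outdated guideline: at least 8 characters and three character classes."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    return len(pw) >= 8 and classes >= 3


def core_word(pw: str) -> str:
    """Strip leading/trailing digits and symbols, then undo leetspeak substitutions."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return stripped.lower().translate(LEET)


def is_number_series(pw: str) -> bool:
    """True if the password contains a run of 6+ digits stepping by 0, +1 or -1."""
    for run in re.findall(r"\d{6,}", pw):
        d = [int(c) for c in run]
        steps = {b - a for a, b in zip(d, d[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def pattern_aware_rule(pw: str) -> bool:
    """Judge what the password is made of, not only its character mix (illustrative threshold)."""
    if core_word(pw) in COMMON_WORDS or is_number_series(pw):
        return False
    return len(pw) >= 12


def evaluate(pw: str) -> dict:
    return {"composition": composition_rule(pw), "pattern_aware": pattern_aware_rule(pw)}


if __name__ == "__main__":
    # Constructed samples: the first three satisfy the character-mix rule, the last does not.
    for sample in ("P@ssw0rd!", "Summer2024!", "Abc123456!", "horse-battery-staple-kino"):
        print(f"{sample!r:30} {evaluate(sample)}")
```

The three "mixed" passwords pass the composition rule yet collapse to a dictionary word or a digit series, while the long passphrase fails the composition rule and passes the pattern-aware one.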

The future does not lie in password checks or fancy combinations of address and date of birth, but in moving away from passwords to multi-factor authentication and phishing-proof hardware security keys. These keys require the user's physical presence and proof of possession. They use current security standards, can be used flexibly and are independent of a device battery. In this way, an attack by cybercriminals can be prevented. The Bavarian password check therefore shows us once again that cybersecurity in the future will not depend on particularly secure passwords, but will do without them altogether. Only a login protected by multi-factor authentication and hardware security keys offers real security.

