Handling Passwords Securely: a Step-by-step Guide

Lots of IT users find it difficult to choose a good password. There are some simple tips you can follow to help you come up with a password that is as secure as possible and then to handle it appropriately.

Should you note down passwords?

Passwords should never be saved unencrypted on your PC or, that old favourite, attached to your screen on a sticky note. If you do want to keep a note of your passwords, you should keep them strictly under lock and key or save them in an encrypted file on your computer.
If you have a large number of online accounts, we recommend a password manager program such as KeePass. As well as managing passwords, these programs can also generate strong versions of them (take note of the minimum recommendations we have made elsewhere when configuring your settings for generating passwords). Then you have to come up with and remember just one good master password.

How can we remember secure passwords?

There are useful tips to follow here too. A popular method is to think of a phrase and use just the first letter of each word. Then turn certain letters into numbers or special characters.

Here is an example: 'Every morning, I get up and brush my teeth for three minutes.' Just the first letters: 'EmIguabmtftm'. 'I' looks like '1', and if we replace 'and' with '&' and 'three' with '3', we get: 'Em1gu&bmtf3m'.
So there you have it: we've created a good memory hook for remembering a password. Of course, there are lots of other tricks and methods that work just as well; for example, you could create a sequence of completely unrelated words. An example of this, which it goes without saying you should not actually use yourself, might be 'A blue horse is reading tea leaves on the pleasure boat'.

It is also advisable for the password user to have invented the phrase independently. If a user chooses a well-known literary quotation or a song lyric as a phrase that is easy to remember for their password, it is likely hackers could work this out via a dictionary attack.
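As an added illustration (not part of the original guide), the two steps of the method above in Python: `first_letters` keeps each word's initial and `passphrase_to_password` applies the substitutions from the worked example; the substitution table and the `random_word_sequence` helper for the 'unrelated words' alternative are my own choices, not the guide's.

```python
import re
import secrets

# Word-level substitutions taken from the guide's worked example: the whole word
# is replaced by a look-alike digit or symbol instead of contributing its initial.
# Any other word can be added here; this table is an illustrative choice.
WORD_SUBSTITUTIONS = {"i": "1", "and": "&", "three": "3"}

WORD_RE = re.compile(r"[A-Za-z]+")


def first_letters(sentence):
    """Step 1 of the method: keep only the first letter of each word."""
    return "".join(word[0] for word in WORD_RE.findall(sentence))


def passphrase_to_password(sentence, substitutions=WORD_SUBSTITUTIONS):
    """Steps 1 and 2 together: initials, with the selected words swapped for
    digits or special characters. The case of each initial is preserved."""
    parts = []
    for word in WORD_RE.findall(sentence):
        parts.append(substitutions.get(word.lower(), word[0]))
    return "".join(parts)


def random_word_sequence(word_list, count=5):
    """The guide's alternative: a sequence of unrelated words. The words are
    drawn with the OS randomness source instead of being chosen by the user,
    so no quotation or song lyric can slip in. A real word list has thousands
    of entries; any short list passed in here is a constructed toy."""
    return " ".join(secrets.choice(word_list) for _ in range(count))


if __name__ == "__main__":
    phrase = "Every morning, I get up and brush my teeth for three minutes."
    print(first_letters(phrase))            # EmIguabmtftm
    print(passphrase_to_password(phrase))   # Em1gu&bmtf3m
    # Constructed toy list, far too small for real use.
    print(random_word_sequence(["blue", "horse", "tea", "leaves", "boat"]))
```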

Changing passwords

You must always change a password if there is any indication it may have fallen into the hands of unauthorised third parties. This may take the form of a service provider asking you directly to change the password or it may be in the news that the passwords for a particular service provider have been stolen and published online. A spam or phishing e-mail that uses your correct personal data might be another indication that someone has had access to your private account and got hold of your data.

If you detect that your device is infected with malware, that's another reason to change your passwords. Some malware variants record access data and send it on to third parties. To prevent this, you will first need to remove the infection from the device. Only once you have done that should you change your passwords and log in to your accounts on the affected device again.

Have I been affected by a security incident?

Often when cyber criminals get hold of access data, either from providers or from users directly, it is subsequently published online or offered for sale. These data sets then circulate around the Internet. The longer the access data contained in them is left unchanged, the more third parties can use it for their own ends. There are various websites available where you can check whether your personal access data is included in an exposed data set. The HPI Identity Leak Checker, for example, offers a German-language version, while haveibeenpwned.com is an international version.

The BSI cannot express a view on the quality or topicality of the data stored on these sites. When using such websites, always bear in mind that an e-mail address and password combined are often used to access accounts. These portals, however, usually only scan their database for the e-mail address. So a notification saying that the e-mail address has been found in the database can relate to any account accessed via that e-mail address: it is not possible to match it up to a specific account.

Do not re-use the same passwords

First of all, you should think about which of your passwords protect a particularly large amount of or especially sensitive personal data. The password for your private e-mail account, for example, is incredibly important. Not only will this account contain personal messages and contact details, but if someone gains access to it, they can reset lots of other passwords that you use for online services. Other examples of important passwords are those for your social media accounts, for online shops you use frequently or for other electronic identities you use regularly. These important passwords should always be unique and strong.

Many users come up with one password, then use it for multiple online accounts so they don't have to remember lots of different passwords. This approach is convenient, but not recommended, even if the chosen password meets the criteria stated above. If the password for just one single app falls into the wrong hands, the attacker has free rein to access all the other accounts that use the same password, and can easily run automated tests to find out where else it is used.

Change preset passwords!

Lots of software products are installed (or delivered) with accounts whose password is either empty or well known. Hackers know this: when carrying out an attack, they will first check whether the user has forgotten to change the passwords for these accounts. It is therefore a good idea to read the relevant manuals to check whether such accounts exist and, if they do, to change the preset passwords.

Secure your screen saver with a password

Most common operating systems will give you the option to lock your screen and keyboard after a certain period of time. You must then enter a password correctly to unlock them. You should take advantage of this feature. If no password lock is set, unauthorised third parties can access a PC while its rightful user is temporarily elsewhere. Of course, if the lock takes effect very quickly, this can be irritating for the user. We recommend setting the screen saver, and therefore the lock, to activate after five minutes of no input from the user. There is also an option to activate the lock immediately if required. This is achieved via the Ctrl+Alt+Delete shortcut on some Windows operating systems.

Never send passwords

E-mails are usually sent unencrypted and can therefore be read by third parties as they make their way over the Internet. What's more, e-mails can also get lost in cyberspace or be filtered out. So the sender of an e-mail cannot be certain that their message really has reached the intended recipient. For these reasons, you should not send passwords via e-mail.

In addition, as a basic rule: if you send your passwords or disclose them to third parties, you lose control in a sense, as these third parties could then in theory use the corresponding services and change the information saved in those accounts. So you will have wasted your time coming up with a good password for nothing.