It can sometimes be hard to make a choice. And it is definitely true that lots of Internet users find it difficult to choose the right passwords. So it's not a huge surprise that poorly chosen passwords like '123456' or 'qwert' are right at the top of the list of incredibly common IT security shortcomings. And even those who do make the effort to use a more complex password will often recycle that same password for lots of different programs or accounts.

How secure is my password?

Hackers have fully automatic tools that can do a range of things. They can try out all possible character combinations; test all the words in a dictionary, including words commonly found together, with numbers added to the start or end; or try use access data that has been published on the Internet to log in to all available online services. To stop such attempts being successful, a password should meet certain quality requirements and only ever be used for one account.

What's more, passwords are not only used to protect confidential data. For example, it has become standard that we can create an online account with a huge range of providers. To log in to these accounts, you need a password. But what might happen if someone logs in under your name? Would you want strangers sending e-mails posing as you or bidding for expensive items in online auctions?

Follow the recommendations outlined below on how to create and handle passwords — and you will improve your data and account security just like that.

Password check: Tips for a good password

• There is no limit to your imagination when it comes to choosing a password. The important thing is that you can remember the password easily. There are various helpful strategies you can call on here. One is to memorise a phrase and use just the first (or second, or last) letter of each word. You could also then turn certain letters into numbers or special characters. Another method is to use a whole sentence as your password or put together a sequence of unrelated words, connected by special characters. Yet another option is to choose five or six words from a dictionary at random, then separate them with spaces. The result is a password that is easy to remember, easy to type and hard for attackers to crack.
• As a basic rule: the longer, the better. A good password should be at least eight characters long.
  Where encryption methods for WLAN such as WPA2 or WPA3 are concerned, the password should be at least 20 characters long, for example. 'Offline attacks' are possible in this case, which do not require an up-and-running network connection to work.
• You can usually use all available characters in a password, e.g. upper-case and lower-case letters, numbers and special characters (spaces, ?!%+ etc.). Some online service providers set out technical specifications for which characters you can or must use. If your system permits umlauts, bear in mind that, if you travel abroad, it may not be possible to enter these characters on other national keyboards.
• Names of family members, pets, best friends, favourite celebrities or dates of birth and so on are not suitable passwords. The full password should not be a word that appears in the dictionary wherever possible. Nor should it consist of common sequences of characters, repeated sequences or keyboard patterns such as 'asdfgh' or '1234abcd'. Some providers check passwords against a blacklist of unsuitable passwords just like these. If you try to use a password that is on the list, you will receive a notification that the password is not permitted in that form or is not secure.
• It is not recommended to add single numbers to the end of a password or one of the usual special characters $ ! ? # to the start or end of an otherwise simple password.
• Use a password manager to make it easy for you to manage all your different passwords and create a strong password to protect them all. This way, you only have to remember one secure password, yet can still use different, strong passwords for all your accounts.

Length and complexity: Two crucial characteristics

A strong password can be 'short and complex' or 'long and less complex'. But how long and how complex should it be as a minimum? Use the examples below as a guide.
A password is secure if, for example:

• It is 20 to 25 characters long and uses two types of character (e.g. a sequence of words). This kind of password is long and less complex.
• It is eight to 12 characters long and uses four types of character. This kind of password is short and complex.
• It is eight characters long, uses three types of character and is also protected by multi-factor authentication (e.g. in the form of a fingerprint, verification via app or a PIN). This is the recommended method, generally speaking.

You will find more tips in our fact sheet on secure passwords — its handy A4 format means it will fit on any notice board: download the fact sheet here.

Two-factor authentication for increased security

Lots of online service providers now offer an account login method that allows the user to identify themselves with a second factor in addition to entering their password. Two-factor authentication is available in a number of versions that range from sending a unique code via text message to using a hardware-based TAN generator. Hardware-based techniques offer the highest level of security and should be used in addition to a strong password where possible.