Is there such a thing as a perfectly secure password?
An interview to mark World Password Day 2017

Just to get this straight from the outset: there is no such thing as total security, and picking a strong password is not the end of the story in today's interconnected world. However, there is a lot more that people can do to ensure the best possible security for their mail communication and data. We spoke to our cryptography and information security expert Karsten Ness about how to choose a good password and what other measures users can take to improve security around their account.

Hi Karsten, thanks for taking the time to talk to us. Can you tell me what the requirements are for choosing a password at mailbox.org, and what you think makes a good password?

If somebody creates a new account at mailbox.org or changes their password, there are already a number of minimum requirements that will be enforced through the web interface. The system will accept a password only if it is at least six characters long, does not appear in a dictionary, and uses a mix of lower- and upper-case letters, as well as numbers. But these are just the basics that anyone should pay attention to when choosing a password. In my opinion, a good password is made up of at least 12 characters, and in addition to the mix of letters and numbers mentioned above, I would also recommend adding some special characters, such as the asterisk or dollar sign, for example. Doing this makes it a lot harder for any potential attacker to find out the password by chance.

I should also mention that there are critical voices about mechanisms that require a reasonably complex password to be chosen. There are some studies out there that claim imposing strict requirements actually results in bad passwords being picked by users, and suggest a more liberal approach may be better. However, such claims are not really consistent with our practical experience. We are convinced that for the vast majority of ordinary users, the requirements set by mailbox.org do actually increase password security overall.

If the various sources on the Web can be believed, the average user has to handle up to nine different passwords at the same time. How can a single person remember so much information, especially if these are all "good" passwords?

All security experts agree that using the same password for different accounts is a very bad idea. There are different opinions about how to sensibly manage a large number of complex passwords, though. Here are two suggestions:

Using a password pattern

Some security experts recommend using a shared pattern for different passwords, where the pattern itself is easy to remember. Such a password would consist of a fixed, invariant part that is the same for all accounts, and a variable part that can be easily derived from the kind of service or product that the account is for. Just to give you a simple example: let's say the fixed part of your pattern is "Tp1etr." ("This-password-1s-easy-to-remember.