Passwords
What should a secure password look like?
The most important properties of a secure password are its length (number of characters) and its complexity (number of character types used: lowercase letters, uppercase letters, numbers, special characters). The BSI (German Federal Office for Information Security) recommends:
- 20–25 characters using two types of characters
- 8–12 characters using four types of characters
- 8 characters using three types of characters if 2FA is used
In addition, a password should not consist of mnemonic hints such as a child’s birth year, the name of a pet, or other words from a dictionary. However, it is possible to use 5–7 randomly chosen words separated by spaces, hyphens (-), or underscores (_).
Example:
Blueberry-Juice-Concentrate-Straight-Oligarchy-Fahrenheit
Use a different password for each account, so that a data leak at one provider does not expose your other accounts.
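As an added illustration (not part of the original page or of the BSI's own material), the following Python checks a password against the three length/complexity combinations listed above, treating each stated length as a minimum, and builds a random word passphrase of the kind shown in the example. The tiny word list is a constructed placeholder, and the 7776-word figure in the entropy calculation is an assumption taken from common diceware-style lists.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list for the demo. A real generator draws
# from a published list of several thousand words (e.g. a diceware list).
DEMO_WORDS = [
    "blueberry", "juice", "concentrate", "straight", "oligarchy", "fahrenheit",
    "lantern", "marble", "orbit", "quartz", "river", "tundra", "velvet", "walnut",
]


def character_classes(password: str) -> int:
    """Count how many of the four character types named on the page occur:
    lowercase, uppercase, digits, and anything else (special characters)."""
    lower = any(c in string.ascii_lowercase for c in password)
    upper = any(c in string.ascii_uppercase for c in password)
    digit = any(c in string.digits for c in password)
    special = any(c not in string.ascii_letters + string.digits for c in password)
    return sum([lower, upper, digit, special])


def meets_bsi_guidance(password: str, second_factor: bool = False) -> bool:
    """Check the three length/complexity combinations quoted on the page.
    Assumption: each stated length is a minimum (longer is never worse)."""
    length, classes = len(password), character_classes(password)
    if length >= 20 and classes >= 2:
        return True
    if length >= 8 and classes >= 4:
        return True
    if second_factor and length >= 8 and classes >= 3:
        return True
    return False


def random_passphrase(words, count: int = 6, separator: str = "-") -> str:
    """Join `count` words chosen with the cryptographic RNG (secrets, not random)."""
    return separator.join(secrets.choice(words).capitalize() for _ in range(count))


def passphrase_entropy_bits(list_size: int, count: int) -> float:
    """Guessing strength in bits: every randomly chosen word adds log2(list size)."""
    return count * math.log2(list_size)


if __name__ == "__main__":
    example = "Blueberry-Juice-Concentrate-Straight-Oligarchy-Fahrenheit"
    print(example, "->", character_classes(example), "classes,",
          "ok" if meets_bsi_guidance(example) else "too weak")
    print("fresh passphrase:", random_passphrase(DEMO_WORDS))
    print(f"6 words from a 7776-word list: {passphrase_entropy_bits(7776, 6):.1f} bits")
```

The entropy function makes the point behind the dictionary-word rule explicit: the strength of a passphrase comes from the words being chosen at random from a known list (six words from 7776 give about 77.5 bits), not from the words being obscure, which is why a pet's name chosen from memory is weak but six random dictionary words are not.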
How can I make my account even more secure? Should I change my password regularly?
It is no longer recommended to change your password regularly: forced changes tend to lead to simpler, easier-to-guess passwords. However, if a provider suffers a data leak, the password should be changed once. Changing a password also does no harm if it turns out to be insecure or reused across accounts.
Instead, it is more sensible to rely on 2FA or to completely eliminate passwords by using passkeys.
What is two-factor authentication (2FA) or multi-factor authentication (MFA)?
Authentication simply means that when logging in, you prove to the provider that the specified account actually belongs to you. This is done using the following authentication factors:
- Possession (for example a code on your phone)
- Knowledge (for example a PIN or password)
- Biometrics (for example a fingerprint)
With 2FA, two of these factors are used. For example, a password is entered (knowledge) and a fingerprint is scanned (biometrics).
What is a passkey?
The term describes a way to authenticate without a password. The device you log in with stores a private key, and the provider holds the matching public key. Once passkey authentication is set up, the key can be unlocked with a fingerprint scan, for example, which covers two factors at once (in this case possession of the device and biometrics). To be protected if the key is lost, you can create physical backups or synchronize keys with the cloud.
Currently, not many services support passkeys.
How do I use passkeys?
To set up passkeys for login, you need an authenticator (attention: not to be confused with authenticator apps; see the question “What are authenticator apps and which ones exist?” below). This can be a so-called hardware token, for example a FIDO2 key. In this case, you have a USB device that handles the generation and storage of passkeys.
Alternatively, software can be used. Which one is needed depends on the operating system being used. The Consumer Advice Center NRW has created a comparison:
| Operating system | Authenticator module | Storage location | Backup | Synchronization between multiple devices? | Usable with systems from other manufacturers? |
|---|---|---|---|---|---|
| Apple | iCloud Keychain | Cloud | iCloud Keychain | yes | yes |
| Google (Android) | Google Password Manager | Cloud | Google Password Manager | yes | yes |
| Windows | TPM (secure hardware module of the device) | local | Backup via password as fallback solution or FIDO2 security key | no | yes |
Consumer Advice Center NRW, article from April 25, 2024, accessed May 28, 2025.
What can I do to remember passwords?
Passwords should not be written down unencrypted, either physically or digitally. It is recommended to use a password manager (for example KeePass, NordPass). This not only allows you to securely store passwords in encrypted form, but also alerts you to duplicate or insecure passwords. An integrated password generator is also available.
There are also various ways to make remembering individual passwords easier. For example, you can think of a long sentence and use the first letters of the words and punctuation marks as the password.
Example:
Netzmelden is an innovative platform of youthprotect e.V. dedicated to protecting and supporting young people in the digital space.
→ Niaipoye.V.dtpasypitds.
Now you can replace some of the letters with numbers (for example e → 3, i → 1, o → 0, s → 5):
→ N1a1p0ye.V.dtpa5yp1tds.
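The two steps of this technique, written out as an added Python example (not code from Netzmelden or the original page): take the first letter of every word together with all punctuation marks, then swap some letters for digits. The digit mapping is an assumed choice, and the function applies it to every occurrence, so its final result differs from the hand-made version above in the last letter (the closing s also becomes a 5).

```python
import string

# Assumed mapping for the demo; the page's own example swaps letters by hand.
DEFAULT_SUBSTITUTIONS = {"i": "1", "o": "0", "s": "5"}

# The page's example sentence (Netzmelden's own text, used as sample input).
PAGE_EXAMPLE = ("Netzmelden is an innovative platform of youthprotect e.V. dedicated "
                "to protecting and supporting young people in the digital space.")


def sentence_initials(sentence: str) -> str:
    """First letter of every word plus every punctuation mark. A letter that
    directly follows a punctuation mark inside a word is kept as well, so an
    abbreviation like 'e.V.' survives intact."""
    result = []
    for word in sentence.split():
        after_punctuation = False
        for index, char in enumerate(word):
            if index == 0 or char in string.punctuation or after_punctuation:
                result.append(char)
            after_punctuation = char in string.punctuation
    return "".join(result)


def substitute_digits(text: str, mapping=None) -> str:
    """Replace every occurrence of a mapped letter with its digit."""
    mapping = DEFAULT_SUBSTITUTIONS if mapping is None else mapping
    return "".join(mapping.get(char, char) for char in text)


def password_from_sentence(sentence: str, mapping=None) -> str:
    """Both steps in sequence: initials first, then digit substitution."""
    return substitute_digits(sentence_initials(sentence), mapping)


if __name__ == "__main__":
    print(sentence_initials(PAGE_EXAMPLE))      # Niaipoye.V.dtpasypitds.
    print(password_from_sentence(PAGE_EXAMPLE))  # N1a1p0ye.V.dtpa5yp1td5.
```

Note that letter-for-digit swaps of this kind are standard mangling rules in password-cracking tools, so the length of the sentence is what carries the strength; the substitution mainly helps the result reach the four character types from the BSI recommendation.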
What are authenticator apps and which ones exist?
Authenticator apps can be used to make your account even more secure. After entering your password, you open an app on your phone, for example, where a code is available for each registered provider. This code updates regularly. To set this up, you must first configure your account with the respective provider. You will receive a QR code to scan or a numeric code to enter.
This means you are not only relying on the knowledge factor (password) but also on the possession factor (phone). As a rule, the app also provides the option to create backups to ensure you are protected if the device is lost.
We recommend one of the following authenticator apps:
- Microsoft Authenticator
| + | - |
|---|---|
| No separate account required, but you can use your Microsoft account | No support for wearables |
| Integrated password manager | |
- Google Authenticator
| + | - |
|---|---|
| Supported by many providers | Backups are complicated |
| No account required, but can manage multiple Google accounts | Collects a large amount of data |
| | Security questionable, vulnerabilities were discovered in 2020 |
| | Very short codes |
- Stratum
| + | - |
|---|---|
| Can be used offline | Only available for Android |
| Very simple backups | |
| Does not collect data | |
- Authy
| + | - |
|---|---|
| Supported by many providers | Transferring tokens (codes received from providers) is complicated |
| Can also be used on PC | |
| Can be used on multiple devices | |
I can’t remember my passwords. What can I do?
In this case, using a password manager is recommended. All passwords you use can be stored there. They are protected with a master password and stored in encrypted form.
Browsers offer the option to store passwords. However, this feature should not be used, as passwords are often stored unencrypted or insecurely encrypted. In the worst case, malware or hackers can easily extract them.
We recommend one of the following password managers:
- NordPass
| + | - |
|---|---|
| Easy to use | No local backups |
| Very secure | Expensive, free version rather limited |
| | Android and iOS versions collect data |
- KeePass
| + | - |
|---|---|
| Free with very good features | Passwords are not checked for security |
| Synchronization across multiple password sources | Difficult for beginners |
| Supports security keys, passkeys, and 2FA | |
- Bitwarden
| + | - |
|---|---|
| Good free version | Password sharing is insecure |
| Easy to use | |
- Proton Pass