This documentation provides advice about secure passwords. It covers known problems with passwords and elaborates various solutions for secure password creation and usage. The issue "bad passwords" is the number 1 vulnerability in the Internet-of-Things (IoT).
Problems with Passwords
There are several more or less widely known bad habits regarding passwords.
The Password Quality
Personal information is used to create passwords which is a popular target for social engineering (names, dates, etc.). Often standard passwords like "123456" or "password" are used. Actually, "123456" has been the most used password for the last years . The re-use of passwords is one of the main challenges: many users use the same password for various accounts. It should be obvious that it is not a good idea to use the same password for online banking and for an Adobe account.
There are 3 general aspects to good passwords: the length plays a main role, the password must not be trivial, and the password must be easily memorized. Leet speak (i.e. replacing certain letters with associated numbers, e.g. "p455w0rd") is not a good idea because meanwhile all password crackers know leet speak.
Good Password Checklist
- Minimum length of 12 characters
- Contains lower & upper case letters, digits, and special characters
- As random as possible
- Easy to remember
How to Create a Good Password
- Think about your favorite lines of a song, poem, or movie, etc. Take the first letters and special characters to create your password.
Here's an example:
Are you lonesome tonight? Do you miss me tonight? Are you sorry we drifted apart?
The resulting password might be: Ayl2n?Dymm2n?Ayswda?
- Think about approx. 4 different words which make sense for you but in general, the combination does not make any sense at all. Meaningful sentences are no good passwords.
Here's an example:
Concrete Ocean Mouse Egg
You'll have to add a special character and a digit. The resulting password might be: ConcreteOcean4MouseEgg!
Further Advice for a Secure Password Usage
The use of a password manager solves the problem to remember numerous different passwords for various accounts. You have one file containing all your passwords which is secured by one strong password. Our recommended password managers are open source, free of charge, and platform-independent.
Recommended password managers:
Two-Factor Authentication requires a second authentication method besides the password, e.g. Google Authenticator  which provides a 6-digit code for each login. A second authentication factor might also be a biometric factor (e.g. fingerprint). You also might use a crypto token (e.g. a Yubico key ).
- Workshops (2017, 2018, 2019, 2020)
-  https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf
-  https://metro.co.uk/2019/12/19/10-worst-passwords-2019-revealed-nothing-changed-11932281/
-  https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=de_AT
-  https://www.yubico.com/authentication-standards/fido-u2f/