Recommendations for handling passwords (for DP coordinators)

The question of how to deal with passwords is also, but by no means exclusively, a technical question about the length and complexity of passwords. In particular, the handling of passwords is a question of so-called “user awareness”. If the user recognises the value of the services and data protected by user ID and password, he or she will be more willing to choose sensible and secure passwords out of self-interest. In addition to the guideline for the creation of passwords reproduced on the web page “Change Password” (which is based on the “Guideline for Passwords of the Central User ID of the Gauss IT Centre” and is also observed in our password generator), the Gauss IT Centre has created a **FAQ article no. 1000795** on the selection of secure passwords and gives some suggestions on possible methods of password selection, as they are also published in similar form in other places (e.g. BSI). The following aspects should be emphasised to users by DP coordinators and can also be understood as food for thought in general:

People tend to follow patterns. Similar services/websites will lead users to reuse passwords for similar offers if they perceive the password as an obstacle rather than as protection of their data and identity. Exceptions – as research also shows – are made when the user recognises a special value in an offer or when a compromise would mean particular harm to them. (It can be assumed that users remember the login data for their online banking because the bank account represents a special value to them.)

It is therefore the task of all of us

- to point out to our users the special value of their user ID(s) at the TU Braunschweig (centrally and in institutes/institutions), and
- to work out the possible damage that could be caused to the user and to the TU in the event of a compromise.

It is human nature that users orientate themselves towards the minimum password length especially when the password is perceived as an obstacle rather than a protection. With this in mind, we should therefore promote the use of longer passwords more strongly.

The longer a password is, the more it protects against “brute force” attacks in which passwords are systematically tried out over a longer period of time. It is therefore important that systems offered to the Internet in particular are configured to counteract “brute force” attacks (e.g. by setting a maximum number of unsuccessful attempts or slowing down re-entry after repeated unsuccessful attempts). Since not every system supports such configurations and due to the decentralisation and heterogeneity of the IT offerings, it will be difficult to implement a uniformly high level here. It is therefore all the more important to convince our users of a preference for longer passwords.
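As an added illustration of the two counter-measures named in this paragraph (a maximum number of unsuccessful attempts and slowing down re-entry after repeated failures), the following Python sketch is example code written for this page; it is not a component of any TU Braunschweig or Gauss IT Centre system. The policy values (back-off from the third consecutive failure, doubling each time up to five minutes, and a 15-minute lockout after ten failures) are assumptions chosen for the illustration, and the simulation replays one wrong guess per second against a fresh account to show how few guesses are actually evaluated.

```python
from dataclasses import dataclass

# Policy values: assumptions chosen for this illustration, not settings of any real system.
MAX_FAILURES_BEFORE_LOCK = 10   # hard lockout after this many consecutive failures
BACKOFF_START_FAILURES = 3      # start slowing down re-entry from the third failure on
BACKOFF_BASE_SECONDS = 2        # first delay; it doubles with every further failure
BACKOFF_CAP_SECONDS = 300       # never wait longer than five minutes between attempts
LOCK_SECONDS = 15 * 60          # duration of the hard lockout


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts
    next_allowed: float = 0  # earliest time at which another attempt is evaluated
    locked_until: float = 0  # end of a hard lockout, 0 if none


def backoff_delay(failures: int) -> float:
    """Delay imposed after `failures` consecutive failures (none below the threshold)."""
    if failures < BACKOFF_START_FAILURES:
        return 0
    return min(BACKOFF_BASE_SECONDS * 2 ** (failures - BACKOFF_START_FAILURES),
               BACKOFF_CAP_SECONDS)


def attempt_login(state: AccountState, password_ok: bool, now: float) -> str:
    """Apply one login attempt at time `now` and return what happened:
    'locked'    - account is in hard lockout, the password is not even checked
    'throttled' - attempt arrived before the back-off delay expired, not checked
    'failure'   - wrong password, counters updated
    'success'   - correct password, counters reset
    """
    if state.locked_until:
        if now < state.locked_until:
            return "locked"
        # lockout has expired: start with a clean slate
        state.failures = 0
        state.locked_until = 0
        state.next_allowed = 0
    if now < state.next_allowed:
        return "throttled"
    if password_ok:
        state.failures = 0
        state.next_allowed = 0
        return "success"
    state.failures += 1
    if state.failures >= MAX_FAILURES_BEFORE_LOCK:
        state.locked_until = now + LOCK_SECONDS
    else:
        state.next_allowed = now + backoff_delay(state.failures)
    return "failure"


def simulate_guessing(n_attempts: int, interval: float = 1) -> dict:
    """Replay n_attempts wrong guesses, one every `interval` seconds, against a fresh
    account and count how many were actually evaluated versus rejected unchecked."""
    state = AccountState()
    counts = {"failure": 0, "throttled": 0, "locked": 0}
    for i in range(n_attempts):
        counts[attempt_login(state, False, i * interval)] += 1
    return counts


if __name__ == "__main__":
    print(simulate_guessing(1000))
```

With these assumed values only 10 of 1,000 guesses arriving one per second are ever compared against the password; the rest are rejected by the back-off or the lockout. Where a system cannot be configured this way, as the paragraph notes, the length of the password is the only remaining protection against systematic trying.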

Since not everyone is always able to assess how good a password really is, one should not wait until the maximum validity period specified by the system has expired, but should instead, where possible, change passwords earlier than the system requires.

Even if ordinary users do not already have to remember a large number of passwords for the various systems, websites and devices they use, IT administrators in particular have to remember a larger number of them. It is good if more than two administrators know all the relevant passwords and at least two of them are always available. Forgetting important system passwords can jeopardise the entire operation of IT systems: not only can work and access no longer take place, but resetting passwords – where it is possible at all – almost always requires a service interruption. A sensible “password storage strategy” therefore needs to be well considered by both users and administrators of IT systems. The risk of lost passwords must be weighed in particular against the number of required passwords and their growth rate, their necessary complexity and length, the frequency of the desired change rhythm, their importance (especially in terms of the number of affected users and systems), and the possibility and effort of resetting them.

To better illustrate the need for secure passwords to the user, password checkers can be used that do not rate the quality of a password in the categories good-medium-bad. Example sites for such password checkers are https://howsecureismypassword.net or https://password.kaspersky.com/de/. Both sites rate an entered password in the unit [time], so that it is easier for the user to put the quality of the password into perspective. In principle, evaluating passwords on the basis of examples that users without extensive IT experience can relate to is considered more sensible than, in particular, evaluating “password security” on the basis of key lengths in bits or by superficial ratings without a frame of reference (weak, medium, strong). Another such password checker is https://www.safetydetectives.com/password-meter/.
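The kind of rating in units of time that these checkers perform, as an added example written for this page (not code from the page or from any of the sites named above): the alphabet is inferred from the character classes the password touches, the size of the exhaustive search space follows from alphabet and length, and the result is converted into a duration at an assumed guess rate of 10^10 per second, which is a constructed illustrative figure. The estimate models only the systematic trying of all combinations described above as “brute force”; guessing based on dictionaries and common patterns finds weak passwords far faster, so the figures are an upper bound for illustration, and the example goes beyond the text only in showing how a longer all-lowercase password compares with a short “complex” one.

```python
import string

# Assumed attacker speed in guesses per second. A constructed, illustrative figure:
# real rates depend on the hash algorithm and hardware, and on whether the attacker
# has the hashes or must go through the login service (where throttling applies).
GUESSES_PER_SECOND = 10 ** 10

CHARACTER_CLASSES = (
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
)


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet an attacker must assume: every standard class the
    password touches counts in full; any other character (umlauts, spaces) counts once."""
    size = 0
    remaining = set(password)
    for chars in CHARACTER_CLASSES:
        if remaining & chars:
            size += len(chars)
            remaining -= chars
    return size + len(remaining)


def search_space(password: str) -> int:
    """Candidates an exhaustive search over this alphabet and length has to cover."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return search_space(password) / rate


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit a non-technical user can relate to."""
    units = (("year", 365 * 24 * 3600), ("day", 86400), ("hour", 3600),
             ("minute", 60), ("second", 1))
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            return f"{value:,.0f} {name}{'' if round(value) == 1 else 's'}"
    return "less than a second"


def rate_password(password: str) -> dict:
    """The user-facing verdict: a time figure instead of weak/medium/strong."""
    secs = seconds_to_exhaust(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "exhaustive_search": human_duration(secs),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a short "complex" password versus a longer all-lowercase one.
    for pw in ("Passw0rd!", "bluetrainsleepsquietly"):
        print(pw, rate_password(pw))
```

The point the paragraph makes for DP coordinators is visible in the output: the nine-character password drawn from all four classes comes out at about two years, whereas the longer lowercase one comes out at an astronomically larger figure, which is the argument for length that users can grasp.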

Conceivable storage options to be weighed according to the considerations above are in particular:

- writing down passwords and storing them in a sealed safe, if necessary additionally splitting passwords and storing the parts in two different places;
- use of software: password managers can be suitable under the above assessment if they are selected appropriately and used correctly.
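The page does not say how a written-down password should be split across two places. As an added example (not from the page or from any TU Braunschweig procedure), the following Python code shows the split a security engineer would recommend: one share is random, the other is the password XOR-ed with it, so that whoever finds only one share learns nothing but the password's length. The intuitive alternative of writing the first half in one place and the second half in the other is included for contrast, because each half then lies in the clear. The sample password is constructed for the demonstration.

```python
import secrets


def split_password(password: str) -> tuple[str, str]:
    """Split a password into two hex-encoded shares for two separate storage places.
    Share A is random; share B is the password XOR share A. Each share alone is
    indistinguishable from random bytes and reveals only the password's length."""
    data = password.encode("utf-8")
    share_a = secrets.token_bytes(len(data))
    share_b = bytes(p ^ a for p, a in zip(data, share_a))
    return share_a.hex(), share_b.hex()


def combine_shares(share_a_hex: str, share_b_hex: str) -> str:
    """Recover the password from both shares; either one alone is useless."""
    a, b = bytes.fromhex(share_a_hex), bytes.fromhex(share_b_hex)
    if len(a) != len(b):
        raise ValueError("shares do not belong together (length mismatch)")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")


def naive_halves(password: str) -> tuple[str, str]:
    """The intuitive split (first half in one place, second half in the other), shown for
    contrast: whoever finds one piece already holds half the password in the clear."""
    mid = len(password) // 2
    return password[:mid], password[mid:]


if __name__ == "__main__":
    # Constructed sample password for the demonstration only.
    sample = "Herbst-Regen-42!"
    a, b = split_password(sample)
    print("share A (place 1):", a)
    print("share B (place 2):", b)
    print("recombined:", combine_shares(a, b))
    print("naive halves leak:", naive_halves(sample))
```

The hex shares are what gets written on paper; the XOR split costs nothing in length and, unlike the naive halves, does not weaken the sealed-safe arrangement described above if one of the two places is compromised.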

When using stand-alone programs as password safes or encrypting password managers, it should be noted that

- a few particularly important passwords must not be stored there and must continue to be memorised (e.g. keep separate “financial data” such as bank account login or SAP access apart from other “logins”);
- the password to the password manager must itself belong to the group of particularly significant passwords; due to its length and complexity, it must be able to withstand “brute force attacks” for longer than the change frequency defined for the other passwords in the password manager;
- thanks to the password manager, a separate password should be used for each login stored there, so that no password reuse takes place;
- all logins stored in the password manager should be ones whose loss does not cause any great damage and which can easily be recovered.

In cases where a password recovery e-mail address is registered with a service and the password to this service is stored in the password manager, special measures are necessary to protect the identity. In these cases, the password for the registered e-mail account must not be stored in the password manager; it must also be one of the few particularly important passwords and must be memorised. The background to this is that if the contents of the password manager are disclosed, attackers who use the compromised credentials for further misuse can lock out the authorised user, since the recovery address would allow them to reset the passwords as well.

One possible password manager is the product KeePassXC https://keepassxc.org/ (simple user interface) or, for “technicians”, KeePass http://keepass.info/.

This product is characterised not only by being available free of charge but also, among other things, by a large number of ports for different platforms, although a reliable assessment of the quality and security of the original and its ports is not possible.

Products that manage passwords in the cloud are definitely not recommended due to the storage and data protection issues, despite their apparent ease of use. This also includes the “XXXXX” option, the use of which means that all access data is stored at Google and is thus accessible to Google and to intelligence services.

If it has to be a “cloud solution”, then the cloud storage of the TU Braunschweig is definitely the better option (e.g. in combination with KeePass).

Further information at:

http://blogs.tu-braunschweig.de/it/passwortsicherheit-an-der-tu-braunschweig-2/