The five most important rules for secure password management
According to Verizon’s Data Breach Investigations Report, over 80% of data breaches are caused by passwords being guessed or stolen. A recent example: when I tried to log in to a long-forgotten website, I received my password in plain text during the password recovery process — a dangerous and outdated practice. Passwords should never be stored or transmitted unencrypted. Instead, they should be securely stored, for example, using hashing.
This incident prompted me to share the five golden rules for secure password management.
A strong password is more than just a complex mix of numbers, letters and special characters. It also needs to be long enough. Security standards such as the OWASP ASVS recommend at least 12 characters. Do not use common passwords such as "password1!" – these can be easily cracked using dictionary attacks. An example of a secure password: MeinAutoHat120PS! (with special characters at the end).
Use a unique password for each application to minimize the risk of a compromised account. Password managers help you to keep track.
Passwords should never be stored in plain text. Instead, use a one-way function (hashing) to protect them. With a dedicated password hashing function such as bcrypt, the password is transformed into a digest that cannot be turned back into the password. Additional protection comes from salting: a random value (the salt) is added to each password before hashing, so that identical passwords produce different digests and attackers cannot reuse precomputed tables, which makes brute-force attacks significantly more difficult.
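The storage rule above, together with the length and common-password checks from the first rule, as an added example that is not part of the original article. The article names bcrypt; this code uses scrypt from Python's standard library so it runs without third-party packages (the idea is the same). The work-factor parameters, the tiny blocklist and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work-factor parameters (raise them as hardware gets faster).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MIN_LENGTH = 12                                   # OWASP ASVS minimum cited in the article
COMMON_PASSWORDS = {"password1!", "123456789012"}  # constructed, tiny blocklist for the demo


def check_policy(password: str) -> bool:
    """Rule 1: long enough and not a well-known password."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Rule 3: store a fresh random salt plus the digest, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record: parameters travel with the hash, so they can be
    # increased later without invalidating existing entries.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Exercise the rules with the article's sample password."""
    pw = "MeinAutoHat120PS!"
    h1, h2 = hash_password(pw), hash_password(pw)
    return {
        "policy_ok": check_policy(pw),
        "weak_rejected": not check_policy("password1!"),
        "salts_differ": h1 != h2,  # same password, two different stored records
        "verify_ok": verify_password(pw, h1) and verify_password(pw, h2),
        "wrong_rejected": not verify_password("MeinAutoHat121PS!", h1),
    }


if __name__ == "__main__":
    print(demo())
```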
MFA is an essential security mechanism. It requires more than just a password to log in. Other factors can be:
MFA also protects even if a password has been stolen. The second factor makes unauthorized access significantly more difficult.
Forced, frequent password changes have often led users to create predictable patterns, which attackers can easily guess. A better approach is to change passwords only when there is a clear security incident, not on a fixed schedule. Services like our Credential Leak Monitoring or Have I Been Pwned can help you check whether your credentials have appeared in known data breaches.
Notifications are a valuable security measure. Users should be alerted when their password is changed or reset, or when unusual activity occurs — such as repeated failed login attempts. Especially login attempts from foreign countries can be a crucial warning sign and help detect potential attacks early.
By following these five rules, you're already building a strong foundation for secure password practices. For more specific and in-depth guidance, refer to established standards such as OWASP ASVS.
Bernd Koberwein is Head of Security Services at BearingPoint and supports organizations with security solutions against cyber threats. With over 20 years of experience at BearingPoint, he is an expert in both offensive and defensive security services.