August 23, 2025
Since even very large companies occasionally experience data leaks where passwords and other personal information end up on the dark web, today we will take a look at the most common ways to log in to online services. This way you will be prepared and will not have to worry if a service you use is affected. With the right login methods your account will stay protected even if a password happens to fall into the wrong hands.
The Classic Password
The classic way to log in, which all of us know, is with a password. Ideally, you choose one that is not easy to crack, meaning it includes uppercase and lowercase letters, numbers, special characters, and preferably more than 20 characters. With my password generator you can easily create a secure password. This is the basic requirement, since many people use passwords that are too weak or reuse the same ones over and over.
The problem with reused passwords is that in the event of a data breach hackers do not just gain access to one of your accounts but to several at once. That is why a password should always be strong and unique.
Apart from official media reports when major sites experience breaches, you should also regularly use online tools or account security checks to see whether your password has appeared in a data leak. If that is the case, change the affected password immediately and, if you used the same password elsewhere against my advice, change it there as well.
Password Manager
The best way to store all your passwords is with a password manager. This can be an external service like Bitwarden, 1Password or KeePass, or you can use integrated solutions such as Microsoft, Apple iCloud or Google. The advantage is that you only need to remember one master password to access all your saved passwords.
Here comes the crucial point: If someone were to crack your master password, they would theoretically have access to everything. Fortunately, there are excellent ways to protect yourself with an additional layer of security, such as two-factor authentication, which we will take a closer look at in a moment.
Login via OAuth
You have probably seen that many services offer login through platforms like Google, Apple, Facebook or similar accounts. Technically, this works through what is called the OAuth process. Instead of entering your password at the new service, you only log in with the provider (for example Google). The service then only receives confirmation that your account exists and that the login was successful.
The convenient part of this login method is that you do not have to remember an additional password and can sign in with just one click. Even if the new service is affected by a data breach, your login credentials remain safe because they were never stored there in the first place.
One drawback, however, can be dependency. If you run into issues with your main account, you may lose access to all other services you use through this login.
Adding a Second Layer to Your Password
With two-factor authentication, a second step is added to the password entry. This means that even if you or a hacker enter the correct password, a second factor is required to log in. Without this second factor, access is not possible. This is especially important for your password manager and should, if possible, be enabled for all services that offer it, such as online banking, trading, social media or even for sites you only rarely use. After all, you want to make sure that no one gains unauthorized access there either.
Many services now offer 2FA. The method used as the second factor alongside your password can vary and often you can choose between several options or even activate multiple ones at the same time. But caution is needed here. If you enable too many options, you create additional attack surfaces, because each factor could theoretically become a target for hackers.
Authenticator App
The most practical method is an authenticator app such as Google Authenticator, Microsoft Authenticator, Authy or similar. Setting it up is very simple. You install the app on your smartphone, scan a QR code provided by the service and from then on the app generates a constantly changing code. Each time you log in, you first enter your password as usual and then the current code from the app. The advantage is that without this code no one can get into your account. The drawback is that you always need to have the device with the app on you, which in practice almost everyone does anyway.
You can also secure the app itself, for example with biometric data such as fingerprint or facial recognition, or with a PIN. This way, even someone who gets hold of your smartphone cannot simply access the codes.
If you choose 2FA via authenticator app, keep in mind that it is very important to have a safe recovery method in case you lose your smartphone or it becomes defective. This can be done with backup codes, which you can usually generate directly in the authenticator app or in the account of the service (for example Google). It is best to print out these codes and store them in a secure place (such as a safe) without directly labeling what they are for.
Hardware Security Keys
Hardware security keys are small devices such as USB sticks or NFC tokens that you plug into your device or use contactlessly when logging in to authenticate yourself. They provide an extremely high level of security, because even if a hacker knows your password, they cannot access your account without the key. The disadvantage is the practical use, since you always need to carry the key with you, otherwise you cannot log in. If you use multiple devices, the key often has to be set up on each of them as well. In addition, losing the device is more complicated to deal with than with an authenticator app, because recovery options are more limited. For that reason, the authenticator app is the better choice for most users in practice.
Other Two-Factor Methods
Besides authenticator apps and hardware keys, there are other ways to use two-factor authentication, but they are less secure. The most common example is logging in with an SMS code. In this case, you receive a one-time code on your phone that you enter during login. The advantage is convenience, since almost everyone has a phone. The disadvantage is that SMS is vulnerable to attacks such as SIM swapping, where an attacker takes over your phone number and intercepts the codes.
Methods like SMS, phone calls where a code is read to you, or email codes that are sent to you are all generally better than having no two-factor authentication at all, but they do not offer the same level of security as authenticator apps or hardware keys.
My advice is to only use these methods if no better option is available. I also recommend against using them as an additional backup for an authenticator app. For example, if you lose your smartphone, it might seem convenient to restore access directly with a replacement phone and SMS 2FA. But this is exactly where the weakness of these suboptimal methods shows and it can essentially cancel out the security advantage of a proper authenticator app. The more different options you activate, the more potential loopholes are created. It is best to focus on a single strong second factor and leave it at that.
The Safest Password Is No Password
Passkeys are the most modern login method and are currently considered the most secure. They are based on the FIDO2/WebAuthn standard and completely replace the traditional password. They work with devices that support biometric data such as fingerprints or facial recognition. During setup, your device creates a key pair consisting of a private key, which remains securely on your device, and a public key, which is stored with the service.
When you log in, your device proves that it holds the matching private key by signing a one-time challenge from the service, and the service checks that signature with the stored public key; the private key itself never leaves your device. You do not have to enter a password or remember a code. The advantage is clear. Passkeys cannot be hacked, guessed, or phished and access to your account is only possible through your registered device. The disadvantage is that not all services support passkeys yet, although adoption is steadily increasing. Wherever passkeys are already available, it is worth using them, because they simply offer the highest level of security.
Here too it makes sense to set up a backup option, such as a second registered device or a secure cloud backup function in case your main device is lost or broken. Many password managers now allow you to store and sync passkeys, so you can access them across multiple devices and restore them without hassle.
Related Tool
Even with today's ultra-secure two-factor authentication and virtually unbreakable passkeys offered by some providers, for many accounts the password is still the most important and often the only line of defense we have. To create a truly strong password, make sure to mix uppercase and lowercase letters, numbers and special characters. You can easily generate a secure password using my free Password Generator.
Scientific Articles and Studies
FIDO2 & Passkeys Research:
FIDO Alliance: Passkeys
https://fidoalliance.org/passkeys
Study and Analysis of FIDO2 Passwordless Web Authentication
https://link.springer.com/chapter/10.1007/978-981-97-4727-6_38
A Security and Usability Analysis of Local Attacks Against FIDO2
https://arxiv.org/abs/2308.02973
"It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn
https://www.usenix.org/conference/usenixsecurity21/presentation/lassak
Remote WebAuthn: FIDO2 Authentication for Less Accessible Devices
https://www.scitepress.org/Link.aspx?doi=10.5220/0010192703680375
Issues and Challenges in Two Factor Authentication Algorithms
https://www.researchgate.net/publication/292392168_Issues_and_Challenges_in_Two_Factor_Authentication_Algorithms
Data Breach Reports:
Hacker Offers to Sell 15.8 Million Plain-Text PayPal Credentials On Dark Web Forum
https://www.bitdefender.com/en-us/blog/hotforsecurity/hacker-offers-to-sell-15-8-million-plain-text-paypal-credentials-on-dark-web-forum
16 Billion Apple, Facebook, Google And Other Passwords Leaked
https://www.forbes.com/sites/daveywinder/2025/06/20/16-billion-apple-facebook-google-passwords-leaked---change-yours-now
Warning — 19 Billion Compromised Passwords Have Been Published Online
https://www.forbes.com/sites/daveywinder/2025/05/06/new-warning---19-billion-compromised-passwords-create-hacking-arsenal
New Security Alert—1 Billion Passwords Stolen By Malware, Act Now
https://www.forbes.com/sites/daveywinder/2025/01/23/security-alert-issued-as-1-billion-passwords-stolen-by-malware-act-now
Security Check Tools:
Have I Been Pwned?
https://haveibeenpwned.com
Mozilla Monitor: Find where your private info is exposed — and take it back
https://monitor.mozilla.org
Google Security Checkup
https://myaccount.google.com/security-checkup
Closing Words
My advice is clear. Use a strong password everywhere and store it in a password manager, including two-factor authentication through an authenticator app that is additionally secured with biometric data. Wherever possible, use passkeys for even more security. Backup codes that you keep for recovery should only be stored in printed form in a safe, without any direct indication of what they are for. This way, you are well protected even in the event of data leaks and can stay relaxed while others start sweating when another major breach is announced.
Also keep in mind that in data leaks it's often not just passwords that are stolen, but other sensitive information such as addresses, health data or credit card details. In these cases, the security of your login method unfortunately doesn't matter. That's why you should always carefully consider which sensitive data you store on which sites and keep possible scenarios in mind in case hackers gain access.
Remember too that it's not just data leaks that pose a risk. Targeted, personalized phishing attacks can also result in your login details falling into the wrong hands. Stay vigilant with emails, messages or links that ask you to enter passwords or codes.