7 tips for secure passwords and accounts - SecureSafe

2025-06-18 - Author: Jan Tissler

First publication date: 04.05.2023

7 tips for secure passwords and modern user account protection

What has changed

Passwords remain a central component of IT security - but their role is changing. This change became clear once again on World Password Day in April 2025: Passkeys and passwordless login procedures are becoming increasingly important, in addition to traditional passwords and multi-factor authentication (MFA).

The US National Institute of Standards and Technology (NIST) now officially recommends the following:

https://www.nist.gov/cybersecurity/how-do-i-create-good-password?utm_source=chatgpt.com

  • Passphrases at least 15 characters long - long rather than "complex"
  • No forced, regular password changes - only after a confirmed incident
  • Block common or compromised passwords - through automatic filters
  • No more security questions - insecure and outdated

1. Long passphrases rather than forced complexity

Use passphrases with 15 or more characters (e.g. "coffee-jam-saturn-luminous"). They are easier to remember, much harder to crack - and comply with NIST recommendations. Complexity rules with special characters and capital letters often lead to worse habits and more frustration.

2. A separate password for each service

Password reuse is a systemic risk: if one account is compromised, many others are at risk. NIST strongly advises against reuse and recommends the use of blocklists for password filtering.

3. Complexity is outdated - rely on filters against compromised passwords

Avoid rigid rules such as "at least one capital letter + one number + one special character". The length of the password is more important. Instead, supplement your security strategy with filters for passwords that have already been leaked (e.g. via the HaveIBeenPwned API).
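As an added example (not code from the article or from SecureSafe), the following Python check combines the 15-character minimum from the NIST summary above with a Have I Been Pwned range lookup, so that only the first five characters of the password's SHA-1 hash ever leave the client. The range endpoint URL and its "SUFFIX:COUNT" response format are taken from my own knowledge of that API, and the breach counts in the offline demo are constructed values.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Thresholds follow the article's NIST summary; the URL is the real Pwned Passwords
# range endpoint and its "SUFFIX:COUNT" line format is assumed from the public API docs.
MIN_PASSPHRASE_LENGTH = 15
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """Only the 5-char prefix is ever sent; the 35-char rest stays local (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the endpoint's 'SUFFIX:COUNT' lines into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():  # skip blank or malformed lines
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup (needs network); the password itself is never transmitted."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "policy-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    prefix, suffix = sha1_prefix_and_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

def evaluate_password(password: str, fetch: Callable[[str], str] = fetch_range) -> List[str]:
    """Policy findings for one candidate; an empty list means it is acceptable."""
    findings = []
    if len(password) < MIN_PASSPHRASE_LENGTH:
        findings.append(f"shorter than {MIN_PASSPHRASE_LENGTH} characters")
    seen = breach_count(password, fetch)
    if seen:
        findings.append(f"found {seen} times in known breaches")
    return findings

def offline_demo() -> Dict[str, List[str]]:
    """Constructed range response (not real API data) so the check runs offline."""
    _, leaked_suffix = sha1_prefix_and_suffix("password123")
    fake_body = f"{leaked_suffix}:123456\r\n{'0' * 35}:1\r\n"
    fake_fetch = lambda prefix: fake_body  # same body regardless of prefix
    return {pw: evaluate_password(pw, fake_fetch)
            for pw in ("password123", "coffee-jam-saturn-luminous")}

if __name__ == "__main__":
    for pw, findings in offline_demo().items():
        print(pw, "->", findings or ["ok"])
```

Pass `fetch_range` (the default) instead of the fake fetcher to run the same policy against the live service.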

4. Activate strong two-factor authentication or passkeys

MFA remains essential - ideally with phishing-resistant factors such as security keys (FIDO/U2F), passkeys or biometric authentication.

5. Use a trustworthy password manager

A password manager makes your everyday life easier: it creates secure, random passphrases, recognizes reuse, warns of leaks and stores everything in encrypted form.

6. Abolish security questions

Their answers are easy to guess or can be looked up publicly. Modern recovery processes rely on email magic links or additional MFA steps instead.

7. Use a separate e-mail address for password recovery

If you continue to rely on email for account recovery, use a separate email account exclusively for this purpose - with no connection to your personal or business communications. Protect it with strong MFA.

New in 2025

Actively use passkeys - where available

Passkeys enable logins via biometrics or PIN - and are resistant to phishing attacks.

Avoid regular password changes

Forced changes often lead to weak variants or passwords being written down. NIST recommends changes only if a compromise is suspected.

Plan for accessible 2FA

New studies show that accessible two-factor authentication - with multi-device support, biometrics and passwordless alternatives - significantly improves the user experience for people with disabilities.

Conclusion

Traditional passwords remain a fallback for the time being, but the security world is clearly moving towards passwordless approaches, passkeys and intelligent MFA.

For the moment:

  • Use a password manager and create 15+ character passphrases.
  • Activate MFA - preferably with passkeys or hardware tokens.
  • Rely on the password manager for recovery - not security questions.
  • Only change passwords if there are concrete indications of a leak - and rely on live monitoring for compromised credentials.

Long, unique passwords + MFA + password manager remain the tried-and-tested combination.
But if you want the best possible protection in 2025, there's no getting around passkeys and real-time leak detection.