Send email Copy Email Address
Sebastian Klöckner

What CISPA’s Sven Bugiel says about two-factor authentication and password managers

Central statements from a radio interview

The question of the right, most secure, even the best password is always topical - both for media representatives and, of course, for cybersecurity researchers. Many people will be particularly interested in this question on February 1. That's "change your password day." The aim of this day of action is to improve general awareness of password security. After all, the rule of regularly changing your password without cause, for example, has not proven itself in practice. Expert in this field and frequently requested discussion partner is CISPA faculty Dr. Sven Bugiel. This year, he has spoken to various media outlets about this topic. We have summarized some of his central statements from a detailed interview with SR1 - Die Europawelle.

Enable two-factor authentication wherever possible

  • Use 2-factor authentication wherever possible, such as a fingerprint, Face ID, or an authentication app. Adding this second line of defense significantly reduces the risk of having your account broken into.

  • However, some second factors are better than others. SMS, in particular, as a second factor is less secure than using an authentication app because SMS itself is vulnerable to attack. Hardware-based solutions (e.g., security USB key or fingerprint) or push notifications are considered the most secure, as they offer the best protection against phishing.

  • The stated goal is to go entirely without passwords, as within the framework of the FIDO Alliance with their FIDO/WebAuthn standard. This provides an interface that allows logging in using as many different ways as possible, e.g. with biometric data such as fingerprint or Face ID. However, for the time being, passwords will not disappear, and you should use the above ways as a second factor until then.

Use password managers for stronger passwords

  • Password managers currently offer the best way to handle login information as long as we have to do with passwords.

  • The automatic filling of passwords by password managers is better than copy and paste (which poses a security risk in itself). They have become very good at recognizing valid websites to avoid phishing. It's also more convenient to not have to type in passwords. Unfortunately, password managers are not always conveniently supported on all devices, for instance, on mobile devices, smart home, or IoT.

  • Use password managers not only to store and paste but more importantly to generate passwords. A password manager is not only a keychain that replaces remembering passwords, but they are also very apt at generating strong passwords. Such passwords then meet all the required characteristics such as sufficient length, complexity, and that they cannot be found in existing dictionaries.

It makes little sense to store weak passwords you create yourself.

  • Do not reuse passwords for different accounts and websites. Creating unique passwords is virtually built-in to password managers. Otherwise, the loss of a single account (which may be perceived as less critical) can compromise all accounts with the same or a very similar password.

And what else is there to consider: Always remain vigilant

  • These rules do not exempt you from general caution when opening an email (attachment) or surfing the web in general. The best password becomes useless the moment it is no longer secret. Phishing is currently a big problem where users are tricked into giving out their passwords themselves or installing malware that steals the password from the user device.


Sven Bugiel is faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany, and works on the security of mobile systems and hardware-based security architectures. This includes hardware-based authentication methods and the related usability issues of such solutions.


The text was translated by: Oliver Schedler