Passwords

Guide to Password Security

Why Strong Passwords and Multi-Factor Authentication Are Essential Today

Why Password Security Matters

Passwords are the first line of defense against unauthorized access.
An insecure password can allow attackers to:

  • Access email accounts
  • Reset nearly all other accounts
  • Commit identity theft
  • Cause data loss or reputational damage
  • Access corporate resources

Because most accounts can be reset via a private or business email address, having a secure email password is absolutely critical.

If an attacker controls your email, they control almost everything.

What Is a Secure Password?

A good password must have three qualities:

  • Long
  • Complex
  • Unpredictable

Most security experts recommend:

  • At least 16–20 characters
  • A mix of uppercase, lowercase, numbers, and special characters
  • Optionally, also use international special characters such as:
    ä, ö, ü, ß, ñ, ç, ø, å, é, á, or other non-ASCII characters.

Note: International special characters are not available on all keyboards.

Avoid:

  • Dictionary words (unless using the passphrase method)
  • Personal information (birthdates, pets, names, etc.)

How to Create a Strong Password

Option A: Passphrase Method (“Four-Word Method”)

Combine 4–5 random words:

Example:
Cup-Cloud-Jump-47-Zebra

Advantages:

  • Very hard to crack
  • Easy to remember
  • Very long (high entropy)

Option B: Random Password (Password Generator)

A completely random character sequence:

Example:
nV5$kR1!pQz8@hf2

Advantages:

  • Extremely secure

Disadvantage:

  • Only practical with a password manager
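
Options A and B are only as strong as the randomness behind them. As an added example (not part of the original guide), the Python code below generates both kinds of password with the `secrets` CSPRNG and computes their entropy in bits. The 16-word list, the symbol set and all function names are constructed for illustration; a real generator would load a large word list, for example a 7776-word Diceware-style list.

```python
import math
import secrets
import string

# Constructed demo list (assumption). Real generators load thousands of words,
# because the entropy of a passphrase comes from the list size, not its length.
WORDS = ["cup", "cloud", "jump", "zebra", "river", "candle", "marble", "tiger",
         "orbit", "pepper", "violin", "harbor", "meadow", "rocket", "salmon", "window"]

# Constructed symbol set (assumption): 52 letters + 10 digits + 8 specials = 70
ALPHABET = string.ascii_letters + string.digits + "!$@#%&*?"


def passphrase(n_words=4, words=WORDS, sep="-"):
    """Option A: CSPRNG-chosen words plus a two-digit number at a random slot."""
    parts = [secrets.choice(words).capitalize() for _ in range(n_words)]
    parts.insert(secrets.randbelow(n_words + 1), f"{secrets.randbelow(100):02d}")
    return sep.join(parts)


def passphrase_bits(n_words, list_size):
    """Entropy in bits: word choices + number position + number value."""
    return n_words * math.log2(list_size) + math.log2(n_words + 1) + math.log2(100)


def random_password(length=16, alphabet=ALPHABET):
    """Option B: every character drawn independently with the CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(passphrase(), f"{passphrase_bits(4, len(WORDS)):.1f} bits (16-word demo list)")
    print("same scheme, 7776-word list:", f"{passphrase_bits(4, 7776):.1f} bits")
    print(random_password(), f"{random_bits(16, len(ALPHABET)):.1f} bits")
```

With a 7776-word list, four words plus the number give about 60 bits, while 16 random characters from 70 symbols give about 98 bits. A fifth word adds roughly 13 bits.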

Option C: Sentence Method

Convert a sentence into a password:

“My favorite pizza I eat 2 times a week!” →
MLpeich2mpW!

Common Password Mistakes

  • Reusing the same password across multiple sites
  • Using short or simple passwords
  • Using personal data (name, birthdate, school, etc.)
  • Storing passwords in notes apps, text files, or browsers
  • Sharing passwords via email or messenger
  • Ignoring password changes after a leak

A single leaked password can trigger a chain reaction (credential stuffing).

Why Multi-Factor Authentication (MFA) Is Mandatory

MFA is not “nice to have” – it is a lifeline for your account.

What Is MFA?

A second security layer is required in addition to your password, such as:

  • App approval (Microsoft Authenticator, Google Authenticator)
  • Hardware keys (YubiKey, Titan Key)
  • SMS code (less secure but better than no MFA)

Why MFA Is Absolutely Necessary

Even strong passwords can be:

  • Stolen through phishing
  • Exposed in data breaches
  • Captured by malware
  • Guessed or brute-forced

MFA prevents 99.9% of account attacks – even if the password is known.

If most of your accounts can be reset via your email, then:

Without MFA on your email account, all other accounts are at risk.

Advantages of Passkeys (The Future of Authentication)

Passkeys are increasingly replacing passwords and offer high security.

Benefits

  • No passwords that can be stolen
  • No phishing possible (passkeys only work on the legitimate website)
  • No reuse issues
  • Automatic cryptographic key pairs
  • Works via smartphone, browser, or biometrics (FaceID, fingerprint)
  • Synchronizable via Apple iCloud, Google, or password managers

Passkeys are more user-friendly and far more secure than classic passwords.

Recommendations: Best Password Managers (Private Use, iOS & Android)

All password managers below are:

  • Secure (zero-knowledge encryption)
  • Available on iOS, Android, Windows & Mac
  • Browser compatible (Chrome, Edge, Firefox, Safari)
  • Offer password generators, secure notes, MFA support & passkey support

Top Password Managers 2025

1. Bitwarden (Free & Premium) – Recommended for Students/Apprentices

  • Free basic plan
  • Open source
  • Excellent security architecture
  • App + browser integration
    Link: Bitwarden Website

2. 1Password

  • Excellent design & usability
  • Very good for families and teams
  • Strong MFA and passkey support
    Link: 1Password Website

3. Dashlane

  • Very good web interface
  • Includes dark web monitoring
  • Passkey support
    Link: Dashlane Website

4. Enpass (Local storage possible)

5. KeePass / KeePassXC (Free, more technical)

Practical Tips for Better Security

✔️ Never store passwords in plain text (notes, text files, etc.)
✔️ Use a unique password for every service
✔️ Enable MFA wherever possible
✔️ Use a password manager instead of trying to remember everything
✔️ Regularly check if your accounts have been leaked:
Have I Been Pwned

✔️ Update passwords immediately after security incidents
✔️ Use passkeys when a service supports them

Summary

Security Measure | Importance
Strong passwords | First layer of protection against attacks
Password manager | Practical, secure, prevents password reuse
MFA | Mandatory, protects even if the password is stolen
Passkeys | Future technology, prevents phishing & password leaks
Security awareness | Most important foundation for defending against attacks

Security – 10 Tips for Secure Passwords

  1. You need your most secure password for your mail account, because all other services can be reset from there.
  2. Use “meaningless” character strings (hackers like to use existing words in attacks).
  3. Passwords longer than 16 characters increase security enormously.
  4. Do not use logical character sequences such as 1234567890 or dates of birth.
  5. Special characters increase security, e.g. 03’10#19?90 – a date with special characters is easy to remember.
  6. As a rule, passwords are only secure until you tell them to someone.
  7. Do not believe that your accounts are of no interest to other people.
  8. Use EVERY PASSWORD for only one SERVICE.
  9. Do not use words from your immediate surroundings, or better, no words at all.
  10. Use password safes and the cryptic passwords they suggest.

Permission setup commands

Here are a few useful commands to set up Windows file permissions.

Take ownership of a folder (including files and subfolders)
takeown /f foldername /r /d y

Reset permissions of a folder (including all files and subfolders) to inherited
icacls folder /reset /T

Disable inheritance for a folder
icacls Folder /inheritance:d

Set read permission for AD group on folder and subfolder
icacls Folder /grant domain\Groupname:(OI)(CI)RX /T

Set modify permission for AD group on folder and subfolder
icacls Folder /grant domain\Groupname:(OI)(CI)M /T

Set listing permission to this folder only
icacls Folder /grant domain\group:(X,RD)

Remove permission from folder and subfolder
icacls folder /remove domain\group /T

Mac OS – Repair volume and disks via command line (terminal app)

To repair volumes and disks via the command line, there are a few easy-to-use commands.
Open the Terminal app.

  1. Volumes
    1. Verify volumes
      1. check all volumes: diskutil verifyvolume /
      2. check a specific volume: diskutil verifyvolume /volumes/[volume name] (example: diskutil verifyvolume /volumes/macos)
    2. Repair volumes
      1. repair all volumes: diskutil repairvolume /
      2. repair a specific volume: diskutil repairvolume /volumes/[volume name] (example: diskutil repairvolume /volumes/macos)
  2. Disks
    1. Verify disks
      1. check all disks: diskutil verifydisk /
      2. check a specific disk: diskutil verifydisk /dev/[disk number] (example: diskutil verifydisk /dev/disk0)
    2. Repair disks
      1. repair all disks: diskutil repairdisk /
      2. repair a specific disk: diskutil repairdisk /dev/[disk number] (example: diskutil repairdisk /dev/disk0)

With these simple commands you can check the health status of your volumes and disks and, if needed, repair them.
These commands also work in recovery mode.
But you have to put sudo in front of them to get access to the disks or volumes.

Windows – Supportscript for needed IT infos

For my job it's important to get information from users quickly.
Most of it is always the same.
What is your current IP address, what's your hostname, do you have local admin rights, which network printers are connected, and so on.
To get this information quickly, without explaining to the user every time how to find it, I built a script for it.
This script will be added via GPO to every user’s Start menu.
This should work on all clients with PowerShell 3 installed.
This is what I built with PowerShell.
First I added a variable for the current date:
# Fixed date pattern: the short format "d" can contain "/" in some locales, which is not valid in a file name
$vdate = Get-Date -Format yyyy-MM-dd
After that I added a variable for the path of the log file and a check that deletes the file if it already exists:
$FileName = "C:\Users\" + [Environment]::UserName + "\Desktop\" + [Environment]::UserName + "_" + $vdate + ".txt"
if (Test-Path $FileName) {
    Remove-Item $FileName
}

If you use DELL devices in your company, it’s important to have the Serial (ServiceTag) and the Express Service Code.
To get the Express Service Code (it is calculated from the Service Tag value) I added a function to my script:
Function Get-ExpressServiceCode {
    Param
    (
        $ServiceTag = (Get-WMIObject -Class Win32_Bios).serialnumber
    )
    # The code is the Service Tag converted from base 36 to decimal
    $Base = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    $Length = $ServiceTag.Length
    [int64]$Out = 0
    # Stop at 1: position 0 would index past the end of the tag
    For ($CurrentChar = $Length; $CurrentChar -ge 1; $CurrentChar--) {
        $Out = $Out + [int64](([Math]::Pow(36, ($CurrentChar - 1)))*($Base.IndexOf($ServiceTag[($Length - $CurrentChar)])))
    }
    $Out
}

Now I added the PowerShell command to get the hostname and write it to the log file:
$CN = "01. Hostname: "
$CN += get-content env:computername
$CN >> $FileName

Next, I added a script to check the local active IPv4 addresses and check if one of these is an IP out of our VPN range (change xxx.xxx to your IP range):
$ip = Get-WmiObject Win32_NetworkAdapterConfiguration | Where {$_.Ipaddress.length -gt 1}
$d = $ip.ipaddress[0]
# Prefer an address from the VPN range if any adapter has one
$ip | foreach {
    foreach ($addr in $_.IPAddress) {
        if ($addr -like "xxx.xxx*") { $d = $addr }
    }
}
$ip = "02. IP-Address: "
$ip += $d
$ip >> $FileName

Now I added a script that checks whether the logged-on user has local admin rights and writes the result to the log file:
# Checks the token of the current process: under UAC, a non-elevated session of an admin user reports "no"
$LA = "03. Local Adminrights: no"
if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{ $LA = "03. Local Adminrights: yes" }
$LA >> $FileName

Next step is to check the Vendor, the Model, ServiceTag and Express Service Code of your Client:
$vendor = "04. Vendor: "
$vendor += (Get-WMIObject -Class Win32_Bios).Manufacturer
$vendor >> $FileName
$vModel = "05. Model: "
$vModel += (Get-WmiObject -Class:Win32_ComputerSystem).Model
$vModel >> $FileName
$Service = "06. Service tag: "
$Service += (Get-WMIObject -Class Win32_Bios).serialnumber
$Service >> $FileName
$vESCode = "07. Express Service Code: "
$vESCode += (Get-ExpressServiceCode)
$vESCode >> $FileName

After that we add some code to get our current BIOS version:
$Bios = "08. Bios Version: "
$Bios += (Get-WMIObject -Class Win32_Bios).SMBIOSBIOSVersion
$Bios >> $FileName

The next Script will show the connected Printers including the Servername and the UNC Path of the Printer:
"09. connected network printers" >> $FileName
$Printer = Get-WMIObject -Class Win32_Printer| where {$_.Location.length -gt 1}
$Printer |foreach {
$prnName = "Name: "
$prnName += $_.ShareName
$prnName >> $FileName
$prnServer = "Printserver: "
$prnServer += $_.SystemName
$prnServer >> $FileName
$linkprn = "Link: "
$linkprn += $_.SystemName + "\" + $_.ShareName
$linkprn >> $FileName
" " >> $FileName
}

Now we have to check the connected network shares:
"10. connected networkshares" >> $FileName
$vitns = Get-WmiObject -class "Win32_MappedLogicalDisk"
$vitns | foreach {
$vitnsnp = $_.Name + " " + $_.ProviderName
$vitnsnp >> $FileName
}
" " >> $FileName

The last script we add is a list of users and groups who are members of the local admin group.
I added this one because I want to see all members too, and a separate entry for the local user.
"11. members of local administrators group" >> $FileName
# Skip the header lines of the net output and drop the English completion message
net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4 >> $FileName
# On German-language clients the completion message is localized, so remove that line as well
$Delete = Get-Content $FileName
$del = "Der Befehl wurde erfolgreich ausgeführt."
$Delete = $Delete | Where {$_ -ne $del}
$Delete | Out-File $FileName -Force

To open the file, we just add the Invoke-Item command to the script:
Invoke-Item $FileName
You're done.
The result of this is good for our support.
Maybe you can use some of these scripts for yours 🙂

01. Hostname: NB0815
02. IP-Address: 10.xxx.xxx.xxx
03. Local Adminrights: yes
04. Vendor: Dell Inc.
05. Model: Latitude E7440
06. Service tag: xxxx
07. Express Service Code: 123456789
08. Bios Version: A10
09. connected network printers
Name: PRN1234
Printserver: \\SRV0001
Link: \\SRV0001\PRN1234
Name: PRN456
Printserver: \\SRV0001
Link: \\SRV0001\PRN456
10. connected networkshares
H: \\Domain.local\dfs$\Data
U: \\Domain.local\dfs$\home\username
11. members of local administrators group
Administrator
domain.local\Domain Admins
domain.local\SysAdmins

I think I will add some more options for this in the future.
Have fun with it…

OSX – Force shutdown of a MacBook Air or Retina

To force a shutdown of a MacBook without the Eject key, you can use the following keys:
Command + Control + Option + Power button
After a few seconds, your MacBook will shut down and you can restart it by pressing the power button.
A forced shutdown can be helpful if your MacBook won’t work after going into sleep mode.
Before you do this, you should try to force quit applications by pressing these keys:
Command + Option + Esc

Windows – Permission commands

Here are a few useful commands to set up Windows file permissions.

Take ownership of a folder (including files and subfolders)
takeown /f foldername /r /d y

Reset permissions of a folder (including all files and subfolders) to inherited
icacls folder /reset /T

Disable inheritance for a folder
icacls Folder /inheritance:d

Set read permission for AD group on folder and subfolder
icacls Folder /grant domain\Groupname:(OI)(CI)RX /T

Set modify permission for AD group on folder and subfolder
icacls Folder /grant domain\Groupname:(OI)(CI)M /T

Set listing permission for AD group to this folder only
icacls Folder /grant domain\group:(X,RD)

Remove permission from folder and subfolder
icacls folder /remove domain\group /T