April 29, 2026 | Other
For World Password Day: Improved security instead of constantly changing passwords
Most data breaches occur when a database gets hacked and account data is stolen. This typically happens when vulnerabilities are exploited by attackers. As a consequence, billions of login credentials have been leaked online. So your option now is to change all your passwords. Or you could simply secure your login credentials using the latest technology. Experts at AV-TEST have compiled the following best practices for consumer users, freelancers, and small business owners.
The darknet is awash with leaked datasets from major database hacks. Security researchers then compile the compromised data and categorize the login credentials in their research databases. “The Have I Been Pwned? database is one of the most famous resources for data breaches, and it is publicly accessible. Currently it contains login records of 17.5 billion compromised accounts from 972 sources of data breaches. Users can enter their e-mail and check whether their e-mail account appears in a database and if so, which data breach. Of course, the password won’t be listed; there is only an indication of whether or not it was also leaked”, explains Erik Heyland, Head of Testing Labs at AV-TEST.
Changing your password does not normally change the situation
Experts used to always advise users to change their passwords on a regular basis. However, when confronted by the great variety in attack techniques and malware such as infostealers, this is not a tried and true solution anymore. After all, cyberattackers are always seeking out new ways to access systems. Good protection software can successfully prevent these attacks. The ATP tests conducted regularly by AV-TEST attest to this fact. If there is any question about the multitude of ways that threats can gain access to your devices, just take a peek at the AV-ATLAS portal, which is updated in real-time: phishing e-mails, scam e-mails, downloads, infected attachments, just to name a few.
Two-factor authentication (2FA), multi-factor authentication (MFA), passkeys, and biometric security measures are some of the best ways to protect your accounts and passwords. Here is an example affecting consumer users: If all a retail store requires is an e-mail address and password to set up an account, it would be easy to hack the account. However, if users are required to set up 2FA, then the login details are protected by an additional layer of security, namely a numeric code sent by text message, a passkey, or the use of a facial scan. Even if cyberattackers manage to obtain an e-mail and password, they won't be able to log in without this second factor.
How do the protection methods work?
2FA and MFA: Instead of relying on only a password, the mobile device becomes a second factor in the authentication process. And when users log in to an account or a service on a desktop computer, they will receive a text message containing a numeric code, which they can enter during the login. The Google Authenticator App (for Android or iOS) can also be used to receive the code. In contrast, MFA uses a minimum of two authentication measures. In addition to the password, users are prompted to enter a PIN or code or confirm using biometrics such as a fingerprint scan, for example. After the initial authentication process for the device, it usually only needs to be repeated every couple of months.
Passkeys: Many Internet services are already using passkeys. It is a secure method by which a cryptographic key pair is generated when a user logs on to a service. One key is securely stored on the user’s device, while a second key is stored by the service. To add an additional layer of protection, users then authenticate themselves by means of the fingerprint scanner, facial recognition feature, or device PIN. The passkeys are automatically synchronized with other devices in a Microsoft, Google, or Apple account.
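The key-pair login described above, as an added example that is not part of the original article: a simplified model of a passkey challenge-response, not the full WebAuthn message format. All function names, the record layout and the `shop.example` origins are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Registration: the device creates a key pair for one service (origin).
// The private key stays on the device; the service stores only the public key.
function registerPasskey(origin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { origin, privateKey },
    serverRecord: { origin, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) },
  };
}

// Login step 1: the service issues a fresh random challenge for this attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Login step 2: only after the local unlock (fingerprint, face or PIN) does the device
// sign the challenge, and only for the origin the passkey was created for.
function deviceSign(device, challenge, browserOrigin, userUnlocked) {
  if (!userUnlocked) return null;
  if (browserOrigin !== device.origin) return null; // look-alike site gets nothing
  const payload = Buffer.concat([Buffer.from(browserOrigin), challenge]);
  return crypto.sign('sha256', payload, device.privateKey);
}

// Login step 3: the service checks the signature with the stored public key.
function serverVerify(serverRecord, challenge, signature) {
  if (!signature) return false;
  const payload = Buffer.concat([Buffer.from(serverRecord.origin), challenge]);
  return crypto.verify('sha256', payload, serverRecord.publicKeyPem, signature);
}

// Constructed demo: a normal login, then the same signature replayed on a new challenge.
const demo = registerPasskey('https://shop.example');
const demoChallenge = newChallenge();
const demoSig = deviceSign(demo.device, demoChallenge, 'https://shop.example', true);
console.log(serverVerify(demo.serverRecord, demoChallenge, demoSig));
console.log(serverVerify(demo.serverRecord, newChallenge(), demoSig));
```

The service's database holds nothing but public keys, so a breach of that database yields no value that can be used to sign a login challenge.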
Biometrics: As mentioned earlier, the authentication process using biometrics involves storing a scan of the user’s face or fingerprint on a device. For access on iOS or Android mobile devices, this procedure is very easy to set up; it is also possible on computers running Windows and macOS. The biometric data is encrypted and stored on the device’s security chip, not with a specific service provider.
Passwords are old hat now – it’s time to use new technology!
It is very easy to implement the methods listed here to enhance the protection of accounts that use your e-mail credentials and passwords for access. Every service provider will normally offer a version of these methods, or a combination of them. Typically, biometrics are used when it comes to mobile devices, while passkeys and PIN codes are often used for desktop computers. When you set up one of these services, providers also usually give you codes to use in case of emergency. These codes ensure that you can always access your account, no matter what happens.
But even in this case, it is not smart to rely on scribbled notes or printouts. It is best to store the codes in a password manager with a database. For example, you could use the free KeePass for Windows, or you could consider Bitwarden’s cloud service, which is not tied to a specific operating system. We recommend that consumer users and freelancers use local password managers. This means that the file with the passwords can also be easily backed up to a separate location. For small business owners, we recommend using a cloud-based password manager, such as Bitwarden. This tool allows small teams to log in without knowing the actual login details, which also means that they will never be able to leak them. Once an employee leaves the company, all that is necessary is that their access to the password manager be revoked.
Preparedness is better than having to change all your passwords and services. Remember to use effective protection software for your mobile devices and home computers at all times. The AV-TEST team regularly tests security products for Windows, macOS, and Android devices to check whether they offer adequate protection or not. Have a look for yourself!
