A security hole can open up anywhere: a data breach occurs, or malware finds its way into the system. The usual first step is then to set new passwords. However, changing passwords alone does little to improve security. In this article you will learn what you should do instead.

Why are new passwords used at all?

Changing passwords is usually the first precautionary measure when there has been an incident. Was data stolen or the system “contaminated” with malware? The first tip is always: new passwords. Especially secure passwords, of course.

It cannot be said often enough: secure passwords are the first wall of protection against attacks from hackers. Insecure passwords are not a wall, but at best a rotten garden fence, so they don’t stop anyone who wants to enter the property.

However, even the protective wall of strong passwords stands on a cracked foundation. Nevertheless, it is important to use strong passwords and to change them in case of an attack.

The reason is simple: an attack on a system usually targets a specific area of that system. This means that not all areas are necessarily affected. Changing the passwords is meant to better protect the unaffected areas of the system.

An example: an e-mail provider is hacked and user data leaks out. This by no means affects all users. Nevertheless, the provider asks all users to change their passwords, as the attack could reach even further.

It could also be that the hackers are able to decrypt further passwords based on the data they obtained. Contrary to popular belief, hackers do not only write attack code. They are also good at evaluating the data they get from these attacks.

Why new passwords alone do not help

The problem with all this, however, is that a new password will not withstand attacks in the long run. The problem is the password itself. Or rather, the concept of the password.

Passwords are used over and over again. Who can remember dozens of passwords for all their accounts? Users reuse their passwords, or make only minimal changes to them, so they can remember them all.

So if one password becomes known, there is a good chance that others will be decrypted as well.

This is how hackers get hold of more data, even if passwords are changed. After all, what’s the point of changing passwords in the hacked system if the same passwords are used for other systems?

What helps instead of new passwords?

So passwords alone are not much help with security issues. But what about an extension? Let’s build another wall of protection around it.

2-factor authentication is a secure system that hackers can break their teeth on, provided it’s used properly.

There are 2-factor systems that, for example, send an SMS with a code as a second factor in addition to the password. The problem is that skilled hackers can intercept the SMS and gain access to the system. This happened a few years ago, for example, on the social network Reddit. There, a hacker gained access to Reddit’s cloud via an intercepted SMS with the second factor.

Fortunately, however, there are better methods. One example is 2FA with a TOTP code, which can only be used with an authenticator like the one from Reiner SCT. The TOTP code also changes every 30 seconds, which provides even more security.

An authenticator provides increased security and makes life difficult for hackers.


New passwords are not a senseless step, but they are not sufficient as the sole security measure. To withstand hackers and their ever more advanced methods, the most modern security method possible, such as an authenticator, should be used.