
Interview with Marc Herbstritt

How good data protection can succeed

Today, digital information is used in almost every field. But how can it be sensibly secured? Klaus from uniONLINE spoke with Dr. Marc Herbstritt from the university's computer centre about secure passwords, backups and spam e-mails.

Hello Mr Herbstritt, you are responsible for information security at the University of Freiburg. Digital information is often protected from unauthorised access by means of a password. What makes a good password?

There are various recommendations. The tendency is to go longer in order to better protect against so-called "brute force attacks". In such attacks, all password possibilities are tried out, and this naturally becomes more difficult the longer the password is. It is similar to a combination lock: with 3 setting keys there are 1000 options and with a 4th digit you have an order of magnitude more.

In the meantime, a password length of at least 10 characters is recommended, I would even go towards 12 and always include special characters.

It is also clearly recommended to use a different password for each service. This is because if, for example, customer data is disclosed in a web shop through an attack - and this happens quite regularly - attackers get access to all data that touches this customer access. Using the same password for different services can therefore be very risky.

A good password should be secure, but also always available. Remembering all your own passwords seems unrealistic, and nobody wants to carry a notebook with them at all times. What password management options can you recommend?

Password managers are a good option. Here, you only have to remember one main password in order to access all other passwords. Password managers also have the advantage that they often offer automatic password generation.

There are some free options in the open source area. Within the university, we recommend the programme KeePass (link in the info box).

However, you should be careful with providers who store their passwords in a cloud. In the past, there have been cases where these were compromised by an attacker, who then naturally has access to a large number of passwords. I would take such password managers with a grain of salt.

In the case of password managers that work locally and store the passwords on your own system, an external backup of the password file should be ensured in any case. That way, if the computer is lost, access to the passwords is still possible. This is where the issue of backups comes into play.

What options are available for creating backups of important data and how often should one make a backup?

It is important to set a certain regularity for yourself. Here, it is a good idea to work with external hard disks or USB memory sticks.

The various operating systems offer their own mechanisms for organising backups. The settings for the backup can be easily found via the search function on the respective operating system.

Here you can also define which contents are to be backed up and with what regularity. It is important to first make clear which data you want to back up. Operating system data does not need to be backed up regularly; it requires a lot of storage space and can be restored without any problems.

For students, it makes sense to back up important private data and documents related to their studies. For final papers and seminar papers, you should make a backup at least once a week, or more frequently depending on the extent of the daily changes.

Students will not be able to avoid managing their own e-mail account. How secure is the exchange of information by e-mail?

That is an exciting question. If you were to ask the operators here, the answer would probably be "very secure". Let's put it this way: all the protocols on which an e-mail exchange is based are now somewhat outdated and not necessarily geared to today's security requirements.

This can lead to information being disclosed to third parties. Providers are gradually trying to close security gaps here and are also increasingly building up an infrastructure that is reasonably reliable in order to keep data confidential. Encrypting e-mails is another option to protect data from access.

A friend of mine constantly gets e-mails from strangers with links to questionable offers on the Internet. Is it true that one can be harmed via such e-mails?

You are talking about the category of so-called phishing or spam e-mails. Here, the main danger is that one can fall for such e-mails. The scenarios are very diverse. For example, a file attachment may be included in the e-mail, which is then used to install malware, or you may be asked to enter your access data on a fake website.

Many e-mail providers offer spam folders. By moving such unwanted mails to this folder, your own mailbox can learn and theoretically sort out these mails directly in the future. This can help to reduce the amount of such mails you receive. The problem is that even in this way it is technically impossible to automatically recognise all phishing e-mails.

It is therefore unfortunately not possible to simply stop receiving these e-mails. The only thing that helps here is to be sensitised accordingly and to know which characteristics can be used to identify such e-mails.

Colleagues from the Karlsruhe Institute of Technology, the KIT, have developed the NoPhish Quiz for this purpose. In my view, this is a very useful measure for students to build up their own competence in identifying and evaluating phishing e-mails (link to the NoPhish Quiz in the info box).

In addition to e-mails, many students use social media and messenger services such as WhatsApp, Telegram, Signal and Co to exchange information. How well protected is this information?

The messenger services mentioned have different levels of protection for the communication that takes place via them. Some have end-to-end encryption, which ensures that a so-called "man-in-the-middle" cannot eavesdrop on things. If there is no end-to-end encryption, then the communication is relatively exposed, as with e-mail.

My recommendation is to make sure when choosing a messenger service that it supports end-to-end encryption.

Not only passwords and private messages can be intercepted, but also user data, and quite legally, with the help of so-called "cookies". What privacy settings are available to users here?

At the moment, unfortunately, the only option is to take a close look at the cookie requirements of the network operators and consciously make your own settings. Usually, when you call up a website, you are presented with a window in which you have the option of simply accepting all cookies, rejecting all cookies or setting a compromise in between.

With these cookie requests, you actually always have the option to make settings. If you use a site often, then it makes sense to go over it properly once and decide which data you want to pass on here and which not. Apart from that, typical internet browsers often have functions with which you can block certain cookies and monitor these processes better. It's definitely worth taking a look at the settings of your own internet browser.

To work safely, system updates are also important. My computer constantly alerts me to pending updates and then wants to be restarted. I think I speak for many people here when I say that I often put this off. Is this dangerous?

Dangerous is perhaps the wrong term; it's more risky. You simply have to realise that these updates not only add new functionalities, but often close security gaps. Therefore, the basic recommendation is to install the updates quickly.

Of course, this applies not only to operating system updates, but also to updates for the programmes you use.

Which virus protection programme is useful for students?

The programmes that come standard with the operating system are usually sufficient. In the case of macOS, you also receive virus protection updates via system updates. With Windows systems, on the other hand, Defender, which is pre-installed by Microsoft as standard, provides good basic protection.

What should students do if they notice suspicious activities on their own computer or user profile, for example after receiving a message from their own virus protection programme?

The most important recommendation is to first disconnect the device from the internet. This prevents the malware that may have installed itself from communicating with the outside world and downloading more content to spread more on the device. This means switching off WLAN or removing the LAN cable.

Depending on how serious the case is, you will have little choice but to re-install the system. If you then have a good backup, this is bearable. Typically, this is the easiest and also the safest way.

Is there a service at the university that can help students with computer problems?

Unfortunately, we can't offer such a service for students at the university at the moment.

However, there are commercial shops in Freiburg that are equipped with the appropriate knowledge and devices that can help you.

If you are affected by a virus attack, my recommendation to students is to re-install the operating system. A backup plays a big role here, and you should take care of it beforehand. You should also check and, if necessary, change the access data for the online services you use, especially for e-mail, online shopping and banking.