Locked out everywhere: anyone who has experienced this will never use weak passwords again. Photo: Thomas Geiger / dpa-tmn
Many people create their passwords according to the motto "simple instead of secure". This is shown by the annual password hit list of the Hasso Plattner Institute (HPI): the number sequence "123456" has been the front runner for years, followed by "123456789" and, in third place in 2020, "password".
The HPI evaluation is based on millions of leaked login credentials for .de e-mail addresses, with which the HPI fills a queryable database called Identity Leak Checker. That means the data has at some point appeared freely accessible on the Internet and may still be circulating there. You can find out whether your own addresses and passwords are among them by entering your e-mail address in the leak checker.
Invitation for hackers
But even if login data is not circulating on the net: anyone who uses number sequences such as "123456", keyboard sequences like "asdfgh", names or words from the dictionary makes it very easy for hackers. Cracking tools try every entry of a wordlist, plus the usual variations of it, within seconds, so such "passwords" fall in no time at all.
It becomes really critical when you commit the second cardinal error: using the same password everywhere for convenience. Then all accounts are at risk as soon as that password has been cracked once. It is very likely that a mixture of both sins was my undoing.
The trouble started shortly before Christmas. A look at the transactions in my bank account delivered an unpleasant surprise: there were various withdrawals from my PayPal account, including ten dubious debits for the odd sum of 12.10 euros.
In retrospect, this strange accumulation was a stroke of luck, because I probably would not have noticed a single booking. After all, you are always ordering something online and don't always have everything in view. Ten direct debits, however, stood out immediately: I hadn't ordered anything for days, and certainly not that often.
So I want to log into PayPal to check the bookings. But that doesn't work. Fortunately, the withdrawals can be viewed in my bank's online banking. Next, a call to PayPal: the account has been blocked.
Only the next day do I notice that the problem goes even deeper. The e-mail app on my smartphone asks me to log in again. But when I enter the password, all I get is an error message.
Hackers have apparently hijacked my account, I think, and I enter my e-mail address on the website Haveibeenpwned.com. There, as with the HPI's Identity Leak Checker, you can check whether an e-mail address appears in a list of stolen data. And indeed: the address of my mailbox had been freely available on the Internet after a data leak.
It is possible that this is how the hackers got my e-mail address, and then cracked my password. And I have to admit: I was one of those people who go "simple instead of secure". My password was a word from the dictionary. The fact that I capitalized it and added a period at the end, because of the special characters many services require, poses no real problem for hackers who crack passwords with the help of computers.
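To show why "dictionary word, capitalized, with a period" is no obstacle, here is an added example (not code from the article or from any cracking tool) of the rule-based dictionary attack crackers run: every wordlist entry is combined with a handful of mangling rules and hashed until one matches the leaked hash. The wordlist and the rule set are constructed for the example, and unsalted SHA-256 stands in for whatever hash the leaked service actually used; a slow hash such as bcrypt would cost the attacker more time per guess but would not change the outcome for such a tiny candidate space.

```python
import hashlib
import itertools

# Constructed mini wordlist standing in for a real dictionary (assumption:
# real attacks use lists with millions of words and leaked passwords).
WORDLIST = ["password", "sunshine", "dragon", "football", "welcome",
            "letmein", "monkey", "summer"]

# Mangling rules of the kind password crackers apply to every wordlist entry.
# The set below is a small, hand-picked sample, not any tool's real rule set.
RULES = {
    "as-is": lambda w: w,
    "capitalize": lambda w: w[:1].upper() + w[1:],
    "uppercase": lambda w: w.upper(),
    "leetspeak": lambda w: w.translate(str.maketrans("aeios", "43105")),
    "append-period": lambda w: w + ".",
    "append-bang": lambda w: w + "!",
    "append-2020": lambda w: w + "2020",
}


def candidates(wordlist=WORDLIST, rules=RULES, depth=2):
    """Yield every distinct password obtained by applying up to `depth`
    rules, in any order, to each word of the wordlist."""
    seen = set()
    for word in wordlist:
        for n in range(1, depth + 1):
            for combo in itertools.product(rules.values(), repeat=n):
                cand = word
                for rule in combo:
                    cand = rule(cand)
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for whatever hash the leaked service used."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST, depth=2):
    """Return (password, attempts) if a candidate hashes to target_hash,
    otherwise (None, attempts)."""
    attempts = 0
    for cand in candidates(wordlist, depth=depth):
        attempts += 1
        if sha256_hex(cand) == target_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    # The pattern from the text: a dictionary word, capitalized, with a period,
    # next to two other common manglings and a mnemonic password for contrast.
    for pw in ["Password.", "DRAGON!", "Dr4g0n", "IheWm3Z&eB."]:
        found, tries = crack(sha256_hex(pw))
        print(f"{pw!r:14} -> {found!r} after {tries} candidates")
```

With only eight words and seven rules, the first three passwords fall after a few dozen hashes; the mnemonic one survives because it is not derived from any wordlist entry. Real rule sets have hundreds of rules and real wordlists millions of entries, which is why adding a capital letter and a period buys nothing.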
No more mailbox
So, next call to GMX, where I have my e-mail account. The surprising and sobering answer from the agent: the account no longer exists. It has apparently been deleted. Deleted? Is it that easy? Yes, is the answer. The option can be found in the settings and is called "Delete mailbox".
It is rather unusual for hackers to proceed this way, GMX says on request, because they usually want to capitalize on the hijacked mailbox, for example to gain access to other platforms and services. This typically works as follows: on those sites, the attacker clicks "Forgot your password", and a link to reset the password is sent to the victim's e-mail address, which the attacker now controls. They then have access to the respective site and can, for example, shop at the victim's expense or create fake profiles in their name.
My mailbox, on the other hand, was irretrievably deleted together with all the messages stored in it. And that brings completely new problems with it: for other hijacked accounts, the passwords cannot simply be reset if the e-mail address registered for this purpose no longer exists.
But I am lucky: my login data still works for almost all online accounts, so I can log in there and change my e-mail address and password. The hackers had apparently not got that far. Being quick was my salvation at this point.
The one exception is Facebook, where I can't get any further: the usual password no longer works. And because the GMX mailbox on file no longer exists, the password cannot be changed. To reset the password, access to the e-mail account is essential, Facebook said on request.
There are options to change the password via an alternative e-mail address or phone number. But I had saved neither in my Facebook account. And to add alternative contact information, you need the password, which I no longer know.
For me, the account is now in limbo, so to speak. At this point the options in the Facebook help area are exhausted. Unlike PayPal or GMX, the social network does not offer a telephone hotline with employees who could help in such tricky cases.
A black eye
Still: all in all, I got off with a black eye. What have I learned? First, I am taking to heart two principles that I have ignored for years, out of convenience and against my better judgement: I only use complex, secure passwords, and I have a different, unique password for each online account.
Password manager software helps to keep track of them. But a note also works. I opted for the analogue variant: I created a new password for each account using mnemonics and wrote it down. Of course, there is a residual risk that the note will fall into the wrong hands. As with data backups, a copy in a safe place is a good idea.
One more finding: with activated two-factor authentication (2FA), all of this would very likely not have happened. 2FA means that a second, one-time code is requested in addition to the password at each login. It is often generated, as with GMX or Facebook, by a so-called OTP app on the smartphone.
An attacker who has only the password can then not log in: the code changes every 30 seconds and only the app on your phone can produce it, so without access to the smartphone the account cannot be hijacked with the password alone. The remaining risk is being tricked into typing the current code into a phishing page, so never enter it anywhere other than the real login. You only have to switch on 2FA in the settings of the respective service and install an OTP app such as "FreeOTP" or "Twilio Authy" on your smartphone.
BSI: Tips for secure passwords
BSI: two-factor authentication
Identity Leak Checker of the HPI
Leak Checker from the University of Bonn
GMX: Information on two-factor authentication
Facebook: Help with two-factor authentication
Facebook: reset password without access to email address
HPI: Password Hit List 2020
The way to secure passwords
Gibberish instead of dictionary words, jumps across the keyboard instead of simple character sequences: that is how the path to a secure password can be summarized. The Federal Office for Information Security (BSI) recommends strong passwords of at least 8 characters; the Hasso Plattner Institute (HPI) even recommends at least 15 characters.
The following applies: use all character classes, i.e. uppercase and lowercase letters, numbers and special characters. To create hard-to-crack gibberish that can still be memorized, mnemonics help: build the password from the first letters of the words of a sentence plus the numbers and symbols it contains. The example sentence is German, which is why its letters do not match the English rendering: "Ich habe eine Wohnung mit drei Zimmern und einen Balkon." ("I have an apartment with three rooms and a balcony."), where "drei" becomes 3, "und" becomes & and the final period is kept. This results in: "IheWm3Z&eB."
If you don't want to keep inventing secure passwords, or can't or don't want to remember them all, you can use a password manager. These programs and apps automatically create strong, secure passwords for any number of accounts and store them. You then only have to remember one master password for access, which of course has to be particularly strong itself, so that one is a case for the mnemonic.
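The three rules just given (mnemonic from a sentence, all four character classes, a random generator for everything else), as an added example that is not code from the BSI, the HPI or any password manager. `mnemonic_password` encodes the rule the text's example uses, with the word substitutions ("drei" to 3, "und" to &) as an assumed, user-chosen table; `random_password` does what a manager's generator does, drawing each character uniformly from a CSPRNG and rejecting draws that miss a class so the result stays uniformly distributed; the special-character set is an assumption, since services differ on what they accept.

```python
import math
import secrets
import string

# Character classes the text asks for: lower, upper, digits, specials.
# The special-character set is an assumption; services differ on what they accept.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!$%&/()=?+-*#.,;:_"
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)

# Word-level substitutions the mnemonic in the text relies on ("drei" -> 3,
# "und" -> &). Assumption: you choose your own table for your own sentence.
SUBSTITUTIONS = {"drei": "3", "und": "&"}


def mnemonic_password(sentence: str, substitutions=SUBSTITUTIONS) -> str:
    """First letter of every word, substituted words as their symbol,
    and the sentence's closing punctuation mark kept as a special character."""
    out = []
    for word in sentence.split():
        core = word.strip(".,;:!?")
        if core.lower() in substitutions:
            out.append(substitutions[core.lower()])
        elif core:
            out.append(core[0])
    if sentence and sentence[-1] in ".!?":
        out.append(sentence[-1])
    return "".join(out)


def classes_used(password: str) -> int:
    """How many of the four character classes the password draws from."""
    return sum(any(ch in cls for ch in password) for cls in CLASSES)


def meets_recommendation(password: str, min_length: int = 15) -> bool:
    """All four classes and at least `min_length` characters (15 is the HPI
    figure from the text; pass 8 for the BSI minimum it also quotes)."""
    return len(password) >= min_length and classes_used(password) == 4


def random_password(length: int = 15) -> str:
    """What a password manager's generator does: draw every character uniformly
    with a CSPRNG and reject draws that miss a class. Rejection keeps the result
    uniform over all qualifying passwords, unlike 'force one of each, then shuffle'."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_used(candidate) == 4:
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Size of the search space of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    sentence = "Ich habe eine Wohnung mit drei Zimmern und einen Balkon."
    pw = mnemonic_password(sentence)
    print(pw, classes_used(pw), "classes, BSI length ok:", meets_recommendation(pw, 8),
          "HPI length ok:", meets_recommendation(pw))
    print("Password.", classes_used("Password."), "classes")
    gen = random_password()
    print(gen, "->", round(entropy_bits(len(gen)), 1), "bits")
```

Running it reproduces "IheWm3Z&eB." from the sentence, shows that it uses all four classes and clears the BSI length but not the HPI one, and that the capitalized dictionary word with a period from the story uses only three classes. A 15-character random password over this 80-symbol alphabet has about 95 bits of search space, far beyond anything a wordlist plus mangling rules can reach, which is what the master password guarding a manager should look like if you can remember it, and why a long mnemonic is the fallback.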