
This text is about what can happen when, against your better judgment, you are careless with passwords on the Internet.

And about the massive problems that can follow: a hacked mailbox, a lot of phone calls, a check of every online account and a Facebook account stuck in limbo.

Many people create their passwords according to the motto “simple instead of secure”.

This is shown by the annual password hit list of the Hasso Plattner Institute (HPI): The number sequence “123456” has been the front runner for years, followed in 2020 by “123456789” and “password” in third place.

The HPI evaluation is based on millions of leaked credentials belonging to .de mail addresses, which the HPI feeds into a query database called the Identity Leak Checker.


That means: The data has appeared freely accessible on the Internet at some point and is possibly still circulating there.

You can find out whether your own addresses and passwords are among them by entering your email addresses into the leak checker.

Bad passwords are invitations to hackers

But even if access data is not circulating on the net: Anyone who uses number sequences such as “123456”, keyboard letter sequences à la “asdfgh”, names or terms from the dictionary makes it very easy for hackers.

They crack such “passwords” in no time at all.

It becomes really critical when you commit the second cardinal error: using the same password everywhere for convenience.

Because once that password has been cracked, every account is at risk.

It is very likely that a combination of both lapses was my undoing.


The trouble started shortly before Christmas.

A look at the transactions on my bank account brought an unpleasant surprise: there were various debits from my PayPal account, including ten dubious debits for the odd sum of 12.10 euros.

In retrospect, this strange accumulation was lucky, because I probably would not have given a single booking a second thought.

After all, you always order something online and don't always have everything in view.

The ten direct debits stood out immediately: I hadn't ordered anything for days, and certainly not that often.

So I want to log into PayPal to check the bookings.

But that doesn't work.

Fortunately, the withdrawals can be retrieved via my bank's online banking.

Then a call to PayPal: the account is blocked.

Error entering the password


I don't notice until the next day that the problem goes even deeper.

The e-mail app on my smartphone asks me to log in again.

But when I enter the password, I just get an error message.

Hackers have apparently hijacked my account, I think, and I enter my email address on the website Haveibeenpwned.com.

There, as with the Identity Leak Checker of the HPI, you can check whether the email address appears on a list of stolen data.

And indeed: the address of my mailbox was freely available on the Internet after a data leak.

It is possible that the hackers got my email address and cracked my password.

And I have to admit: I was one of those people who go by “simple instead of secure”.

My password was one from the dictionary.

The fact that I wrote it with a capital letter and added a period at the end, to satisfy the special-character requirement of many services, does not really pose a problem for hackers who crack passwords with the help of computers.

No more mailbox

So, next, a call to GMX, where I have my e-mail account.

Surprising and sobering answer from the support agent: the account no longer exists.

It was probably deleted.

Deleted?

Is it that easy?

Yes, is the answer.

The option can be found in the settings and is called "Delete mailbox".

It is rather unusual for hackers to proceed in this way, GMX says when asked.

Because actually they want to capitalize on the hijacked mailbox.

For example, to gain access to other platforms and services.

This usually works like this: they click on "Forgot your password" when logging in on these sites, and a link to reset the password is sent to the victim's e-mail address.

They then have access to the respective page, can for example shop at the expense of their victim or even create fake profiles.


My mailbox, on the other hand, was irretrievably deleted with all the messages stored in it.

And that brings with it completely new problems.

In the case of other hijacked accounts, the passwords cannot be easily reset if the e-mail address stored for this purpose no longer exists.

But I'm lucky: My access data is still working for almost all online accounts, so I can log in there and change my email address and password.

The hackers had probably not got that far.

Being quick was my salvation at this point.

The Facebook problem

Only on Facebook do I get no further: the usual password no longer works.

And because my stored GMX mailbox no longer exists, the password cannot be changed.

To restore the password, access to the e-mail account is essential, Facebook said on request.

There are options to change the password via an alternative email address or phone number.

But I had stored neither in my Facebook account.

And to add the alternative contact information, you need the password - which I don't know anymore.

For me, the account is now, so to speak, in limbo.

At this point, the options in the Facebook help area are exhausted.

The social network does not offer a telephone hotline with staff who could help in such tricky cases, as PayPal or GMX do.

Password manager and two-factor authentication

Still: all in all, I got off relatively lightly.

What have I learned?

First, I take to heart two principles that I have ignored for years, out of comfort and against my better judgment.

I only use complicated, secure passwords.

And I have a different, unique password for each online account.

Password manager software helps to keep track of things.

But a written note also works.

I opted for the analog variant: I created and wrote down a new password for each account using mnemonics.

Of course, there is a residual risk that the note will fall into the wrong hands.

As with data backup, a copy in a safe place is a good idea.

Another finding: with two-factor authentication (2FA) activated, none of this would very probably have happened.

2FA means that a second code is requested in addition to the password each time you log in.

This code is often generated by a so-called OTP app on the smartphone, as is the case with GMX or Facebook.


Without access to the smartphone, nobody can hijack the account, even if he or she has the password.

You only have to switch on 2FA in the settings of the respective service and install an OTP app such as "FreeOTP" or "Twilio Authy" on the smartphone.

The way to secure passwords

Gibberish instead of a dictionary, jumps on the keyboard instead of simple strings of characters: This is how you can summarize the path to a secure password.

The Federal Office for Information Security (BSI) recommends strong passwords with at least eight characters, the Hasso Plattner Institute (HPI) even recommends at least 15 characters.

The following applies: Use all character classes, i.e. uppercase and lowercase letters, numbers and special characters.

When creating and memorizing such hard-to-crack gibberish, mnemonics help: form the password from the first letters of the words of a sentence and the numbers and special characters it contains.

Example: "I have an apartment with three rooms and a balcony." This results in "IheWm3Z&eB." (the abbreviation follows the German original, "Ich habe eine Wohnung mit 3 Zimmern & einem Balkon.").
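The mnemonic technique and the password rules from this section, implemented as an added example that is not code from the article: the first function derives a password from a sentence the way the text describes, the second checks a candidate against the rules given here (at least eight characters, all four character classes, no number sequence, keyboard run or dictionary word, even with a capital letter or a trailing period added). The word lists and keyboard rows are tiny constructed stand-ins for the real lists a checker would use; all function names are this example's own.

```python
"""Added example (not from the article): mnemonic password derivation and a
rule check for the criteria described in the text."""
import string

# Constructed, deliberately tiny stand-ins for real leaked-password and
# dictionary lists; a real checker would load the HPI/HIBP style lists.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "asdfgh"}
DICTIONARY_WORDS = {"password", "sunshine", "dragon", "monkey", "balkon"}
# German keyboard rows (the article's "asdfgh" example and the digit row).
KEYBOARD_ROWS = ["1234567890", "qwertzuiop", "asdfghjkl", "yxcvbnm"]


def mnemonic_password(sentence: str) -> str:
    """Take the first character of every word; standalone digits and symbols
    are kept as they are, and trailing punctuation (the final period) is kept
    too.  "Ich habe eine Wohnung mit 3 Zimmern & einem Balkon." gives
    "IheWm3Z&eB." as in the article."""
    out = []
    for token in sentence.split():
        out.append(token[0])
        if len(token) > 1 and token[-1] in string.punctuation:
            out.append(token[-1])
    return "".join(out)


def is_keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if min_len adjacent keys from one row appear in either direction;
    the digit row also catches number sequences like "123456"."""
    low = pw.lower()
    for row in KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]:
        for i in range(len(row) - min_len + 1):
            if row[i:i + min_len] in low:
                return True
    return False


def strip_to_core(pw: str) -> str:
    """Undo the cosmetic tweaks the article mentions (capitalisation, digits
    or a special character tacked onto the ends) before the dictionary check,
    since cracking tools apply exactly these variations automatically."""
    return pw.strip(string.punctuation + string.digits).lower()


def check_password(pw: str, min_len: int = 8) -> list:
    """Return the list of violated rules; an empty list means the password
    meets the article's criteria (BSI minimum of 8; pass min_len=15 for
    the HPI recommendation)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if not all(classes):
        problems.append("does not use all four character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    if strip_to_core(pw) in DICTIONARY_WORDS:
        problems.append("is a dictionary word with cosmetic changes")
    if is_keyboard_run(pw):
        problems.append("contains a keyboard or number sequence")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Sunshine.", "Asdfgh12!",
                      mnemonic_password("Ich habe eine Wohnung mit 3 Zimmern & einem Balkon.")]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

The dictionary check strips the very additions the author admits to (a capital letter and a trailing period), which is why such a password fails the check while the mnemonic-derived one passes.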

If you don't want to constantly come up with secure passwords or if you can't or don't want to keep them all, you can use a password manager.

The programs and apps automatically create strong and secure passwords for any number of accounts and save them.

Here you only have to remember a master password for access.

That should of course be particularly safe.

So a case for the note.

At least eight characters, all character classes and, at the bottom line, gibberish that is not in any dictionary: this is what a secure password looks like.

Source: dpa-tmn