29. November 2024

“123456” is still the most commonly used password in Germany

A new analysis by University of Bonn spin-off Identeco highlights how careless many people remain online

The most popular password in Germany is the number sequence “123456,” followed by the English word “password.” This is the result of a recent analysis by the Bonn-based startup Identeco. The company analyzed several million login credentials that surfaced on illegal online exchanges in 2024. Criminals acquire this information to take over user accounts. Identeco emerged from a cybersecurity research project at the University of Bonn. Among other things, the startup helps companies detect potential data leaks.

[Figure: The top 20 private passwords in Germany in 2024. Image: https://identeco.de]

Many people in Germany still seem to be surprisingly careless when it comes to the internet. At least, that's what the data sets of stolen passwords analyzed by the startup Identeco suggest. According to the data, users often use very insecure and easy-to-crack passwords, and not just for their private accounts. Many seem to be just as careless in their everyday work.

“We have a huge database of criminally obtained access data,” explains Identeco employee Dr. Frank Zickenheiner. “We are constantly adding new stolen information to this database.” The startup has now collected over 50 billion data records. More than 4 billion of these surfaced this year, that is, entries that had not been traded on the relevant online exchanges before. “All of this data is currently being traded on the internet,” says Zickenheiner. “We therefore assume that at least a large proportion of it is email-password combinations that are actually still in use.”

30 million email-password combinations evaluated

Identeco has now evaluated almost 30 million of these data records that emerged in 2024. “We focused on three different types of entries,” says Zickenheiner. “Those that we believe are used in a private context, those attributable to employees of DAX companies, and those belonging to public service institutions.”

The indicator was the email address to which the respective password was assigned in the stolen data. Addresses ending in gmx.de, web.de, or posteo.de indicate private use, unlike uni-bonn.de addresses, for example. “Regardless of the context, number sequences such as 123456 always ended up among the most popular passwords,” says Zickenheiner. “Employees of companies or government agencies also often used their employer's name as their password, usually supplemented by a few additional characters.” Some passwords that did not make it into the top 20 still occur with striking frequency, for example references to personal preferences such as movie titles (“starwars”) or soccer clubs (“schalke04”).

Four simple rules for greater security

Passwords like these are easy to crack simply by trial and error. Identeco therefore recommends that users with such combinations change them as soon as possible. In addition, the following four rules should be followed:

1. If possible, use each password for only one service – for example, one for banking, another for your email account, and a third for your Amazon account.

2. Use a password manager to store your passwords in encrypted form and to generate complex passwords automatically. You then only need to remember the master password that unlocks the manager.

3. Use passwords that are as long and complex as possible, containing special characters, upper and lower case letters, and numbers.

4. Where possible, use multi-factor authentication. For example, there are apps that generate a one-time code on your smartphone, which you must enter in addition to your password when logging into an online account.

The startup Identeco emerged as a spin-off from a cybersecurity research project at the University of Bonn. It was accompanied and supported by the university's Transfer Center enaCom, which offers comprehensive start-up services for startups from the research sector, particularly in the fields of AI and deep tech. Identeco now counts some of the big online platforms among its customers.

“For example, we offer our customers the option of comparing their users' email addresses with our database,” says Dr. Matthias Wübbeling, Senior Academic Advisor at the Institute for Computer Science 4 and Managing Director of Identeco. “If the software encounters a combination of email address and password that has already been traded on the darknet, the person concerned is informed. They must then, of course, change their password.”

Various companies now also use this technology to check new customers: if someone enters a stolen password when registering for the first time, the process is interrupted, the user is informed accordingly and asked to choose a different password. Anyone who wants to know whether they have ever been affected by a data leak can check using the University of Bonn's free Leakchecker: https://leakchecker.uni-bonn.de
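The registration-time check described above, written out as an added example. This is illustration code, not Identeco's service or database: the leaked-credential set, the short denylist and the employer-name heuristic (derived from the email domain, as the article's own classification does) are constructed assumptions. It combines the article's observations, namely that number sequences, top-list words and the employer's name plus a few characters dominate, with a lookup of the email-password pair in a (here: constructed, hashed) leak corpus, and returns every reason for rejection so the user gets actionable feedback.

```python
"""Registration-time password check (added example, not Identeco's code)."""
import hashlib
import re
from typing import List, Optional


def _combo_hash(email: str, password: str) -> str:
    """Hash of normalized email + password, so the corpus never stores clear text."""
    norm = email.strip().lower()
    return hashlib.sha256(f"{norm}\x00{password}".encode("utf-8")).hexdigest()


# Constructed leak corpus (assumption for the example): in practice this would be
# the provider's database of traded email-password pairs.
LEAKED_COMBOS = {
    _combo_hash("alice@example.com", "123456"),
    _combo_hash("bob@example.com", "starwars"),
}

# The article's two top entries plus the preference-based examples it names.
# A real denylist would hold many millions of entries.
COMMON_PASSWORDS = {"123456", "password", "starwars", "schalke04"}

# Freemail domains the article uses as an indicator of private use.
FREEMAIL_DOMAINS = {"gmx.de", "web.de", "posteo.de"}

MIN_LENGTH = 12  # assumption for the example; follows rule 3 ("as long as possible")


def _squash(s: str) -> str:
    """Lowercase and drop everything but letters and digits for fuzzy matching."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def employer_name(email: str) -> Optional[str]:
    """Crude heuristic: the second-level label of a non-freemail domain.

    'carol@uni-bonn.de' -> 'uni-bonn'; freemail addresses yield None.
    """
    domain = email.rsplit("@", 1)[-1].strip().lower()
    if domain in FREEMAIL_DOMAINS:
        return None
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else None


def check_new_password(email: str, password: str) -> List[str]:
    """Return all reasons to reject the password; an empty list means accept."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if re.fullmatch(r"\d+", password):
        reasons.append("digits only")
    name = employer_name(email)
    if name and _squash(name) in _squash(password):
        reasons.append("contains employer name")
    if _combo_hash(email, password) in LEAKED_COMBOS:
        reasons.append("email/password pair found in leaked data")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def register(email: str, password: str) -> str:
    """Interrupt registration with feedback, as the article describes."""
    reasons = check_new_password(email, password)
    if reasons:
        return "rejected: " + "; ".join(reasons)
    return "accepted"


if __name__ == "__main__":
    for e, p in [("alice@example.com", "123456"),
                 ("carol@uni-bonn.de", "Uni-Bonn2024!!"),
                 ("carol@gmx.de", "correct-horse-battery-staple")]:
        print(e, "->", register(e, p))
```

The pair lookup is exact because the corpus is local; a check against a remote leak service should instead send only a hash prefix (the k-anonymity pattern used by public breach APIs) so that the clear-text password never leaves the registration server.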

Rene Neff, Dr. Matthias Wuebbeling & Dr. Frank Zickenheiner: Password Security 2024 – The Passwords of Germans, white paper, Identeco in collaboration with the University of Bonn, https://identeco.de/de/blog/whitepaper_passwords_germany_2024/

Dr. Frank Zickenheiner
Identeco
Tel. +49 (0) 228 504 437 82
Email: presse@identeco.de
