- Schalke04 beats Dortmund09 - both have no reason to celebrate
- Most popular passwords not even second class
- Bayer04Lev is champion, but still unsafe
Final spurt - With around 50 days to go until the start of Euro 2024, it's not just the national coach who wants to send his players to training camp. German soccer fans also belong there, say Deutsche Telekom's security experts. Training goal: Password defense. If you take a look at the 30 stolen passwords that are most frequently found in freely accessible public sources, you will immediately see the problem. Even second place belongs to a soccer team. In this table, "Schalke04" is unusually close to the top. Only "Passwort1" can be found more often, as sad as that is.
For the supporters of rivals Borussia Dortmund, this is no reason to gloat. After all, "Borussia" is still in the top 10, with "Dortmund09" in 18th place, although "Borussia" could well be used by Borussia Mönchengladbach fans. However, this rare co-production was not enough to oust Schalke from their dubious second place.
Unfortunately, the enthusiasm for this sport knows no bounds when it comes to the security of accounts. "Football" occupies 20th place on this list. And the most popular individual player has made it to 26th place. He now earns his money in Saudi Arabia, but German fans have not yet forgotten (Cristiano) "Ronaldo1". The only drawback for him is that a US basketball player who has been retired for more than 20 years seems to be even more popular as a password. (Michael) "Jordan23" takes 25th place in this table of stolen passwords that were found particularly frequently online in the first quarter of 2024.
Simply too dangerous
Of course, such a list can only be regarded as a random sample without any real significance. Nevertheless, it is very revealing, says Deutsche Telekom Chief Security Officer Thomas Tschersich: "We see that German users continue to choose the most obvious password too often. And that's exactly what makes them vulnerable. If I take the German soccer league table - club by club - and try their names together with all the emails that I can find online with simple means, I unfortunately generate tens of thousands of active access keys. And that's too easy and has never been up to date."
Password spraying is the name of this technique. Cyber criminals simply try out a series of popular passwords, together with email addresses they can find, as access data for user accounts. Many people have more than one email account, and this also plays a part in the strategy: what worked with email provider number one can also work with the same username at other providers. The DT security team regularly sees such attempts to spray passwords when analyzing alarms from anomaly detection systems. It also backfires that some people use their favorite password for more than one account. This can also be tested en masse with simple "trial and error".
The success strategy for fans
Current guidelines require a password to contain at best one capital letter, one lower-case letter, one number and one special character. This year's German soccer champions are Bayer 04 Leverkusen. Should we really be surprised that the password "Bayer04Lev!" is currently appearing more and more frequently in collections of stolen passwords?
Tip from DT's security experts for soccer fans: Take your favorite passage from the club anthem or the fan curve chant and the first letters of each word. Pay attention to upper and lower case. Ideally, there should be a number in this passage. Put a special character before or after this combination, such as a bracket "(" as a championship trophy, and you have a personalized password that is not so easy to guess. But it still contains a lot of fan heart and soul.
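An added example, not part of the original article or any Deutsche Telekom tooling: a password check showing why "Bayer04Lev!" satisfies the composition rule yet should still be rejected, next to the initials tip above. The denylist, the function names and the sample chant are constructed for illustration, and keeping numbers whole in the initials is an assumption.

```python
import re
import unicodedata

# Constructed denylist: the base words of the passwords this article names.
# Assumption: a real deployment would load a breached-password corpus instead.
FAN_WORDS = {"passwort", "schalke", "borussia", "dortmund",
             "football", "jordan", "ronaldo", "bayer"}

def meets_composition(pw: str) -> bool:
    """Composition rule from the article: upper, lower, digit, special character."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(p, pw) for p in patterns)

def base_word(pw: str) -> str:
    """Strip a password to its guessable core: fold accents and case, drop digits and symbols."""
    folded = unicodedata.normalize("NFKD", pw).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())

def evaluate(pw: str) -> str:
    """Check the denylist before the composition rule, so decoration cannot hide a fan word."""
    core = base_word(pw)
    if any(word in core for word in FAN_WORDS):
        return "reject: guessable base word"
    if not meets_composition(pw):
        return "reject: composition"
    return "accept"

def initials_password(passage: str, special: str = "(") -> str:
    """The article's tip: first letter of each word with case kept, special character in front.
    Assumption: numbers in the passage are kept whole."""
    tokens = re.findall(r"\w+", passage)
    return special + "".join(t if t.isdigit() else t[0] for t in tokens)

if __name__ == "__main__":
    # Constructed passage, not a real club anthem.
    chant = "Eleven friends, 90 minutes, One goal and we Sing until morning"
    for pw in ("Schalke04", "Bayer04Lev!", initials_password(chant)):
        print(f"{pw!r:18} composition={meets_composition(pw)!s:5} -> {evaluate(pw)}")
```
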