Our answers.
What is a good password?
A "good" password should meet two criteria: it should be long and hard to guess. It is often said that a password should contain special characters and numbers. It is true that special characters and numbers increase the number of possible passwords, but adding more characters to the password increases that number far more. It is also important not to use words from a dictionary, as attacks often try exactly the words found in dictionaries.
How long does a password have to be?
The longer a password is, the better it protects the account against certain attacks. Even though some services still allow passwords of 4 to 8 characters, these are far too short from a security perspective. A password should have at least 12 characters; 16 or more is optimal.
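As an added illustration of the two criteria above (this is example code written for this page, not a tool of the EIDI project): the Python script below compares the search space of a short password that uses every character class with that of a longer password using only lowercase letters, and checks a password against a small constructed word list. The character-class sizes, the guess rate of 10^10 per second and the word list are assumptions made for the example.

```python
import math
from typing import Optional

# Sizes of the character classes on a standard keyboard (assumed for this example).
CHARSET_SIZES = {"lowercase": 26, "uppercase": 26, "digits": 10, "special": 33}

# A tiny constructed word list standing in for the dictionaries that guessing attacks use.
SAMPLE_DICTIONARY = {"password", "summer", "football", "qwerty", "letmein"}

MIN_LENGTH = 12  # the minimum stated above; 16 or more is recommended

def charset_size(password: str) -> int:
    """Size of the smallest character set an attacker has to search to cover this password."""
    size = 0
    if any(c.islower() for c in password):
        size += CHARSET_SIZES["lowercase"]
    if any(c.isupper() for c in password):
        size += CHARSET_SIZES["uppercase"]
    if any(c.isdigit() for c in password):
        size += CHARSET_SIZES["digits"]
    if any(not c.isalnum() for c in password):
        size += CHARSET_SIZES["special"]
    return size

def entropy_bits(length: int, charset: int) -> float:
    """Bits of entropy for a password of this length chosen uniformly from the character set."""
    return length * math.log2(charset)

def years_to_exhaust(length: int, charset: int, guesses_per_second: float = 1e10) -> float:
    """Years a brute-force search needs to try every combination at the given guess rate
    (1e10 per second is an assumed offline rate against a fast hash, not a measured figure)."""
    return charset ** length / guesses_per_second / (365 * 24 * 3600)

def dictionary_base(password: str, dictionary=SAMPLE_DICTIONARY) -> Optional[str]:
    """Return the dictionary word the password is built on, ignoring case and a trailing
    run of digits or symbols ("Summer2!" -> "summer"); None if it is not dictionary-based."""
    core = password.lower().rstrip("0123456789!@#$%^&*.?")
    return core if core in dictionary else None

def assess(password: str) -> dict:
    """Apply both criteria from the answer above: long enough, and not guessable from a dictionary."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"too short ({len(password)} < {MIN_LENGTH} characters)")
    word = dictionary_base(password)
    if word is not None:
        issues.append(f"built on the dictionary word '{word}'")
    charset = charset_size(password)
    return {
        "length": len(password),
        "charset": charset,
        "bits": round(entropy_bits(len(password), charset), 1),
        "issues": issues,
    }

if __name__ == "__main__":
    # Adding special characters to a short password vs. simply making it longer:
    print("8 chars, all classes :", round(entropy_bits(8, 95), 1), "bits")   # about 52.6
    print("16 chars, lowercase  :", round(entropy_bits(16, 26), 1), "bits")  # about 75.2
    for pw in ("Summer2!", "tr7Qz!p2LmVx9wRk"):
        print(pw, assess(pw))
```

Eight characters drawn from all 95 printable classes give roughly 52.6 bits, while sixteen lowercase letters give roughly 75.2 bits, a search space several million times larger; the dictionary check is what catches "Summer2!", which the character-class rule alone would rate as strong.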
Where did you get your data?
We obtain the identity data leaks by searching different parts of the Internet using various methods. Some of this data is collected automatically by our systems; other data we download manually. Important: we do not buy any data! We only use publicly and freely available data. In any case, the majority of identity data leaks are freely available and thus do not need to be purchased.
In the result mail I see a password that I never used. How can this be?
In our result emails, we display the first and last characters of the password that is included in the leak data. If you can't match these characters to any of the passwords you have ever used, this can be due to several reasons:
- You used this password a long time ago and forgot that you used it before
- There is a wrong password in our record
We cannot verify the authenticity of the data in our databases, of course. Criminals sometimes fill in gaps in their records with made-up data, so our result emails may contain such information. Only you can decide whether the data is correct and still valid today. If you realize that the data does not belong to any account you are using, you do not need to do anything further.
Why has my data been stolen? What did I do wrong?
First and foremost, you did nothing wrong. So how could this happen? At some point you registered with a service or web shop. When you signed up, your data was stored in the user database of that service. Due to a security incident, such as a hacker attack, parts of the user database were stolen or at least made publicly accessible. Even with a different password, you would not necessarily have been able to protect your data better.
Is it allowed to use a password more than once?
This question cannot be answered directly and clearly. In general, it is much safer to use a different password everywhere, and we advise everyone to do so. However, it is understandable if someone feels they cannot remember such a large number of passwords and therefore reuses some of them. So what does it mean from a security perspective if you use one password on multiple services? Each of those services then potentially has the ability to log in to the other services with that password. If your password is stolen from one service, all services where you also use that password are immediately unprotected. Therefore, think carefully about which accounts you want to share a password between. The password for your e-mail account should never be reused for other services, as passwords for most services can be reset via the e-mail account.
What is the difference between EIDI and other leakchecker services?
EIDI has a slightly different goal from previous approaches: you are protected even without actively registering for it beforehand. Existing solutions on the market are not early warning systems in the actual sense. Rather, you make an inquiry there at a certain point in time and receive a response that is valid at that time. With some services, you can also subscribe to an e-mail notification if your data (based solely on the e-mail address) is included in a leak again.
In our view, your protection can best be ensured by the services where you already have an account. This has many advantages:
- Trust: You don't need to trust any additional service to protect your identity data. Instead, EIDI builds on the trust a user already has in the services they use.
- Data quality: By cooperating with the service providers themselves, the accuracy and quality of the data, in particular, can be assessed immediately.
- Direct communication and warning of affected parties: A customer who logs in to one of our partners with an affected account can be informed directly upon logging in about what data is available, whether their account is affected, and what they can do to restore their account security.
- Data protection: With other leakcheckers, you can also receive information about other people's account data without any verification of your identity. This is problematic under German and European law. To rule this out, direct communication with the persons concerned is required, as is, of course, discretion towards the services.
- Further immediate information via the Leakchecker: If you are informed by a partner that your account security has been compromised, then you will only receive the necessary information to regain account security with this service provider. In addition, you will receive a link to our information website, the Leakchecker. There you can find out what data about you is freely accessible on the Internet, and in our system.
Together with our partners, we can inform all customers if their account security with the partners is compromised. In this way we also reach "Grandma Erna", who would not have found our Leakchecker by herself. Our goal is to connect as many partners as possible and thus increase account security for everyone.
Which forms of digital identity does the research project cover in particular?
Our research project is not solely about digital identities; all other identity data can be matched as well. However, there is a limitation to this, which is why we have initially and deliberately limited ourselves to certain data types (email addresses, names, first names, last names, addresses, account data, credit card numbers, telephone numbers). Art. 9 of the GDPR gives additional protection to data that falls into "special categories" of your life. So, in order not to inadvertently process such data as well, we have developed a whitelist of data types and a procedure to automatically recognize information and assign it to these data types.
While the data covered by Art. 9 of the GDPR is highly relevant to data subjects, who probably have a particularly high interest in protecting this data as well, the nature of our implementation means that processing it cannot be reconciled with data protection.
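To show how a data-type whitelist with automatic recognition can keep unlisted data out of processing, here is an added Python example; it is not the project's actual procedure. The regular expressions, the Luhn check for card numbers, the crude name and address heuristics and the constructed sample record are all assumptions of the example; whatever none of the listed patterns recognizes (such as the health-related field in the sample) is dropped unprocessed.

```python
import re
from typing import Optional

# Whitelisted data types taken from the answer above. The patterns below are this
# example's own heuristics, not the recognition procedure the project actually uses.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
CARD_RE = re.compile(r"^[0-9]{13,19}$")                      # after removing spaces/dashes
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")   # "account data"
PHONE_RE = re.compile(r"^\+?[0-9][0-9 /()-]{6,}[0-9]$")
ADDRESS_RE = re.compile(r"^[0-9]{5} \S")                     # German postal code + town (crude)
NAME_RE = re.compile(r"^[A-ZÄÖÜ][a-zäöüß-]+(?: [A-ZÄÖÜ][a-zäöüß-]+){1,2}$")  # crude

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(value: str) -> Optional[str]:
    """Assign a value to one whitelisted type, or None if it matches none of them.
    Order matters: a card number would also pass the phone pattern, so it is tested first."""
    v = value.strip()
    compact = v.replace(" ", "").replace("-", "")
    if EMAIL_RE.match(v):
        return "email"
    if CARD_RE.match(compact) and luhn_ok(compact):
        return "credit_card"
    if IBAN_RE.match(compact.upper()):
        return "account"
    if PHONE_RE.match(v):
        return "phone"
    if ADDRESS_RE.match(v):
        return "address"
    if NAME_RE.match(v):
        return "name"
    return None

def filter_record(fields):
    """Keep only values that map to a whitelisted type; return (kept, number dropped).
    Anything unrecognised is discarded without further processing (default deny)."""
    kept = {}
    dropped = 0
    for field in fields:
        kind = classify(field)
        if kind is None:
            dropped += 1
        else:
            kept.setdefault(kind, []).append(field.strip())
    return kept, dropped

# Constructed leak record; the last field is the kind of Art. 9 GDPR data the whitelist must keep out.
SAMPLE_RECORD = ["erna@example.org", "Erna Muster", "10115 Berlin",
                 "4111 1111 1111 1111", "+49 30 1234567", "Diabetes Typ 2"]

if __name__ == "__main__":
    kept, dropped = filter_record(SAMPLE_RECORD)
    print(kept, "dropped:", dropped)
```

The design point is that the whitelist decides what may be processed, not what is correct: heuristics like the name pattern will misclassify some free text, so the safe failure mode is to discard anything unrecognized rather than to guess a type for it.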
Does your solution also help with compliance with the General Data Protection Regulation (notification requirements, notification to data subjects)?
If a partner finds that it has an unusually high hit rate as a service, it can use our data as a basis for further investigation. We also provide support in implementing the reporting obligation accordingly and in providing further information to the affected parties. In principle, we can also do this for media made available offline (such as hard disks) that contain leak data.
What are the results? What can companies test or use?
We are currently in production mode with our partner XING and finishing the test phase with mailbox.org. So if you are a XING customer, you may receive a warning about your account security from XING in the near future. All our partners have worked on the project with great zeal and out of direct protection interest for their customers.
If you are a company that does not offer services to customers but would like to protect your employees' data, you can also use our services. We are developing a product portfolio that we can offer to companies for this purpose. Currently, the most frequently requested service is a monthly report on employees' e-mail addresses. We consider this extremely important, because these addresses are also regularly used for logins at customers or suppliers and for internal services. If you have identified affected employees, they can then individually request the actual information via our Leakchecker. We are not allowed to provide this information to the companies themselves without further ado (for data protection reasons, for example because private use is not prohibited).
Are there already users from the business community, such as banks, social networks, and telecommunications providers?
XING, G-Data, Otto and mailbox.org are already involved in the project at an early stage as direct or associated application partners, and their involvement is planned to continue beyond that. We are currently building up further collaborations, for example to connect colleges and universities to our service. We are already in talks with some telecommunications providers, and we have also received a number of inquiries from banks. Protecting accounts is not only in the interest of the customer; it can also significantly reduce the risk of misuse and fraud for companies.
In particular, for transaction-based processes, such as at banks or online stores, we can offer an interface that checks the active customer account to see whether its security is compromised according to our data. If this is the case, the service provider can fall back on another factor (telephone consultation, SMS TAN, or similar) to secure the ongoing transaction. The next step would then be to work with the customer to restore account security. This protects both the end user and our partners, who can link this process into their fraud management process.
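As an added example of the transaction check described above (written for this page; it is not the project's interface): a partner-side Python sketch that looks up an account's leak status and decides whether the transaction needs a second factor. The hashed-e-mail lookup key, the in-memory status store, the leak date and the rule that a password changed after the leak counts as restored security are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

def email_key(email: str) -> str:
    """Normalise the address and hash it, so the partner's query carries no plaintext
    e-mail address (an assumption about the interface made for this example)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

# Constructed leak status store: key -> date of the most recent leak containing the account.
LEAK_STATUS = {
    email_key("erna@example.org"): date(2023, 5, 1),
}

@dataclass
class Account:
    email: str
    password_changed: date  # when the customer last set a new password at the partner

def account_security_restricted(account: Account, status=LEAK_STATUS) -> bool:
    """True if the account appears in leak data and the password has not been changed since.
    Treating a later password change as restored security is this example's assumption."""
    leak_date = status.get(email_key(account.email))
    if leak_date is None:
        return False
    return account.password_changed <= leak_date

def transaction_decision(account: Account) -> str:
    """Decision the partner's fraud management takes before completing a transaction."""
    if account_security_restricted(account):
        # step up with another factor (SMS TAN, phone call, ...) and then restore account security
        return "require_second_factor"
    return "proceed"

if __name__ == "__main__":
    erna_old = Account("Erna@Example.org ", date(2022, 1, 15))  # password predates the leak
    erna_new = Account("erna@example.org", date(2024, 2, 1))    # password changed after the leak
    stranger = Account("nobody@example.net", date(2020, 6, 1))   # not in leak data
    for acct in (erna_old, erna_new, stranger):
        print(acct.email.strip(), "->", transaction_decision(acct))
```

Normalising the address before hashing matters: without it, "Erna@Example.org " and "erna@example.org" would produce different keys and the compromised account would pass the check unnoticed.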