19

Intro

I have a free mail account on this (german) website. If I type my password wrong I get, once successfully logged in, a message telling me about my failed log-in attempt.

Problem

Recently I noticed that from day to day the site notifies me of numerous failed log-in attempts (between 8 and 32). There is no feature as in GMail, where location and device of the failed log-in are recorded, so I am a bit in the dark. And also quite worried.

Question

I have changed my password everday for four days now. Immediately closing the account is not an option since I still have to compile a list where this mail address is used.

What appropriate steps to secure my account are to be taken at this point?

Update

The log-in attempts have declined over the last three days, maxing out at around ten altogether. Yesterday there was no failed log-in attempt logged. Nevertheless I resorted to your many suggestions and

  • contacted GMX support, but have not heard back from them (certainly not using their 3€/min rip-off hotline)
  • started using a password manager
  • created easy-to-remember-but-hard-to-guess passwords
  • started forwarding mails from the affected account to a more safe mail service
  • learned about 2FA
  • wrote down all the sites and services the affected address is used with, in order to swiftly be able to close my account

Since there are many good answers I will wait a few days and mark the one with the most up-votes as the final answer. Thanks for your help!

pat3d3r
  • 301
  • 2
  • 6
  • Are you using a secure password, possibly with the help of a password manager? – SaAtomic Jul 25 '17 at 08:15
  • 9
    between 8 to 32 failed attempts ? Probably bots spamming dictionnaries attacks with the most common passwords, if you have a decent password, 30 try every day would make 30 000 in 3 years (assuming all tries are differents) so it's unlikely that you could get your mail hacked. This should give you way enough time to finish what you want before moving to another address. – Walfrat Jul 25 '17 at 08:18
  • 17
    Have you reported this to gmx support? – Tom K. Jul 25 '17 at 08:25
  • 4
    @Tom Already sent an email, waiting for their reply. – pat3d3r Jul 25 '17 at 08:47
  • @SaAtomic Not yet, but in light of this recent event I will turn to using a password manager. – pat3d3r Jul 25 '17 at 08:48
  • Can you give us a screenshot of the alert or warning. – mootmoot Jul 25 '17 at 11:25
  • There will **always** be *someone* trying to access your account. I manage my own mail server and I always see authentication attempts from anywhere in my logs. Throttled to avoid being banned by `fail2ban`. I gave up and relied on my strong password. End of the story – usr-local-ΕΨΗΕΛΩΝ Jul 25 '17 at 11:30
  • @mootmoot Currently I do not get the warning, so I am not able to produce a screenshot. But, after reading your answer, I can assure you that it is not about an email. The warning shows up on the start page, below my account details (mail address, time and date of last successfull log-in). Also, if I purposely mistype my password, the corresponding message of the failed log-in shows up at the exact same spot. So I do not think the alert itself is a scam. – pat3d3r Jul 25 '17 at 11:32
  • 12
    Perhaps it's actually one of your applications that's still using an outdated password? – CodesInChaos Jul 25 '17 at 15:18
  • How long is your username? If your username is short it may be that somebody has guessed your username. Of course for most mail services the username can be derived from the email address, so if your email address was ever in the wrong hands login attempts could happen even if your username is not guessable. – kasperd Jul 25 '17 at 21:09
  • @CodesInChaos The account was not linked to any other service or app up until I started forwarding mails yesterday. But at my workplace something like that happend frequently for some time, when people changed their account passwords on the computer and forgot to update it on their company cell phones. Led to a lot of locked accounts because of repeated requests using the old password. So for anyone having the same problem, it is worth looking into this direction. – pat3d3r Jul 26 '17 at 06:31
  • 3
    A practical note: Against password guessing it is quite pointless to change your password every day if it is already strong and not re-used. The chance that someone significantly zoomed in on it with a few hundred guesses is neglectable compared to the chance that you make a mistake/compromise your password whilst changing it for the 10th time in a row. – Dennis Jaheruddin Jul 26 '17 at 08:21
  • @DennisJaheruddin I realised that yesterday, after going to the suggestions here. I have chosen a strong password and will stick to it. – pat3d3r Jul 26 '17 at 08:27

5 Answers5

23

As far as I can tell, gmx does currently not offer 2FA. That is unfortunate but not necessarily catastrophic.

Do you have to use the address to send e-mail? If not you might be able to get around the problem by just forwarding incoming mail to another account, preferably one with 2FA enabled. After you set up a forwarding rule, you can put a really, really long and secure password (50+chars) on the account and save it somewhere safe.

Otherwise you'll probably have no real chance to secure the account itself.

You are currently using passwords with a length greater than 20 chars, I hope? If not, start doing so immediately. Use a password safe so you don't have to memorize them.

Also, please get the gmx security team involved. Probably it's just skiddies or bots (I had an attack like that on an old address I don't use anymore) but if not they might be thankful for a hint.


Note that I mentioned using a long password and not one drawing from a large character set.

The complexity of the character set does not by itself make your password better. Length runs circles around complexity while juggling chainsaws.

See this relevant xkcd comic for a visual explanation.

NotThatGuy
  • 698
  • 5
  • 7
David Mändlen
  • 402
  • 2
  • 7
  • Your last comment isn't stictly true, what if a password was 'aaaaaaaaa' (9 chars) as opposed to 't6QP7!@M' (8 chars) – joedamarsio Jul 25 '17 at 08:16
  • 19
    Please dont [start](https://www.troyhunt.com/im-sorry-but-were-you-actually-trying/) [this](https://security.stackexchange.com/questions/93611/password-rules-should-i-disallow-leetspeak-dictionary-passwords-like-xkcds-t/) [again](https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase/). – Tom K. Jul 25 '17 at 08:23
  • 8
    @joedamarsio: a brute force attack will probably try to exhaust 8 char passwords before 9 char ones, so 't6QP7!@M' could be cracked before 'aaaaaaaaa' - but I am not advising to use 'aaaaaaaaa' as a password because all attacks are not just *brute force*! – Serge Ballesta Jul 25 '17 at 08:32
  • 5
    @joedamarsio this is why I put "by itself" into the edit ;) You're of course right, 'aaaaaaaaa' would be a stupid password. But this is not something I expect from someone who asks here about what to do to secure their account. But then again, expect the unexpected... – David Mändlen Jul 25 '17 at 08:33
  • Currently my password is 20+ chars long, and in accordance with sites linked here. I also went about forwarding it to a GMail account, thank you for this advice. – pat3d3r Jul 25 '17 at 08:42
  • 2
    "Otherwise you'll probably have no real chance to secure the account itself"... if not using a 50+ char password? At 32 tries per day, will take 6 billion years to break a only-letters, lowercase password of 10 numbers. Speed it up to 86400 tries per day (one per second) and it'll take 2 million years. – woliveirajr Jul 25 '17 at 14:18
  • 1
    I get what you're trying to say, but you might want to at least rephrase "complexity of the character set does not by itself make your password better", because that's somewhere between blatantly false and heavily dependent on how one attempts to crack the password (ignoring all other factors, i.e. "by itself", brute-forcing an n-character password gets significantly harder if you extend the character set, but going longer is indeed way better). I'd probably go for "simply increasing the character set is not a good way to make your password better". – NotThatGuy Jul 25 '17 at 15:04
14

You don't need to close your account. An email address is a public information, just like an address. You wouldn't envisage to move because someone checked that your house door is correctly closed, would you?

You best move is to ensure that you are using a good password to protect your account.

People may sometimes have a wrong comprehension of what a "good password" may be, here are two links which will give you more insight about this:

The most important is to use a password:

  • Which is not easily guessable.
  • Which is you are not using at any other place.

Also, if there is any "security question" associated to this account (the process allowing to recover a forgotten by password by answering previously configured questions such as "What is your childhood city?"), you may as well either disable this system (recommended) or at least ensure that the answers provide at least the same level of security as a password (usually not the case, by design).

The attacker is attempting what is called a brute-force attack in which he is successively attempting hundreds, if not thousands of probable passwords. "Probable passwords" may range from passwords often used by people ("letmein", "12345", ...), dictionary words ("goodcoffee", ...), possibly words related to you (words derived from you login, gathered from your blog or other public resources, etc.).

As soon as you are using a good password, all these attempts will be moot by definition and your account will therefore remain secure. Expect for such attack to last for a few week, until the attack considers it is not profitable anymore and switch to another target.

In case this attack may be personal, apply the same process to you other passwords (personal computer, social media, etc.), check that your have applied any available update to your other systems (apply update to your computer, to your blog software if you administrate it, etc.) and pay a special attention to not click on a link or open a file provided in any suspicious email or message (blog comment, messenger notification, social media message, etc.).

But often such attack has nothing personal, it is just coming from attackers scanning random email addresses to find low hanging fruits (there are various ways for an attacker to take advantage and monetize a hacked email address).

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
  • I may be overreacting from my lack of experience, this is true. But one can never be too cautious, especially on the internet. So I will go through the links provided in your answer in order to make it as hard as possible to break into my account. – pat3d3r Jul 25 '17 at 08:46
  • 3
    Receiving a "Security notification alert", especially coming from a service which is important for us, is always impressive (and it is made to be so, so people take a few time to think about it instead of ignoring it as some ad and then be sorry). Given the amount of misconceptions on the Internet which ranges from *"attackers would never guess my first pet name so I'm safe"* to *"hackers are gods who can enter everywhere they want, I'm doomed!"*, it is often hard to achieve a realistic approach. Congratulation for keeping a cool head and simply *informing* yourself :) ! – WhiteWinterWolf Jul 25 '17 at 09:00
  • 4
    If there were several attempts a day to open my door, I would freak out much more than after reading, say, sshd logs. – Carsten S Jul 25 '17 at 18:32
  • 1
    @pat3d3r: yes, *you can be too cautious*, even on the internet. If the cost of your security counter-measures exceeds the cost of getting hacked, for example, then you'd be better off just getting hacked (or stop using the internet entirely, which again might be considered too cautious since it's so high-cost). – Steve Jessop Jul 26 '17 at 14:20
5

I think there are two important points missing from the other answers that have been posted, I listed these in points two and three in this answer.

First of all, yes, change your password to a long, strong password. This topic is extensively covered on this site. It shouldn't take you more than a minute to find other good questions regarding this topic.

Second of all, prep your account if there is a break-in. If I understand you correctly, you are planning to change accounts (and in my opinion you should). Start now, because this is not a 5 second process. Donwload and encrypt all your mails and delete them afterwards, especially those containing important information. Identify all services linked to this mail adress and change your account information. Send a letter or a mail to gmx asking to delete all further saved data regarding this account and say goodbye forever.

Third of all, create a new account, with 2FA (2-factor authentication). As WhiteWinterWolf pointed out in his comment

2FA protects you against an attacker who already knows your password

Additionally it makes bruteforcing your login credentials much harder, because an attacker not only has to guess your password but also your second factor.

On a sidenote: IMHO a good mail provider forbids this many tries to log in to your account. Ideally this would set off some form of security protocol that either blocks the attacker if possible or at least would give the affected user some more details about what is happening.

After creating your new account, start redirecting used services there. You should also choose a provider that enables you to use some kind of encryption for your mails. Don't use big mail providers like gmail or yahoo. As product recommendations are not encouraged here, I would advise to research this a bit and to choose a secure mail provider who respects e-mail privacy.

WhiteWinterWolf said in his answer:

You wouldn't envisage to move because someone checked that your house door is correctly closed, would you?

Well, I would move if I can't close the door lock properly, every now and then other people would check my mails for malicious content and every day people would try to screw with my lock.

Tom K.
  • 7,965
  • 3
  • 30
  • 53
  • 3
    If the attacker is trying to bruteforce email users password, this means that they are not in measure to target GMX core infrastructure and have not access to the users password hash database. Using a reasonably strong password just makes remote brute-force attack completely moot, effectless, without any hope of success would they continue each day during dozens of years. It is common for anyone hosting online services to have such scans every weeks, if not everyday. As long as a sane security posture is being kept, I see no reason to run away. – WhiteWinterWolf Jul 25 '17 at 09:10
  • This is a fair point if we assume that this is a non-targeted attack. If it is not, it is just a matter of time until other measures are taken against the security of OP's e-mail account. I would always assume that the probability of the second scenario being the or - maybe more importantly - becoming the case, is fairly high. If you cannot use 2FA for your mail account, then gmx provides below average account security. Therefore you should move your account. – Tom K. Jul 25 '17 at 09:16
  • 2FA protects you against an attacker *who already knows* your password (maybe because you used it elsewhere or he captured your keystrokes using a trojan). Thanks to 2FA, this knowledge will not grant the attacker any access to the protected ressource (here the mailbox). This is obviously not the case here. If this is a targeted attack, attacker's next move will be to both attempt to get control of secondary, less important accounts and escalate from there, and send targeted phishing email (if possible by impersonating a sender known to the OP) loaded with the afore mentioned trojan. – WhiteWinterWolf Jul 25 '17 at 10:50
  • Edited my answer. Also: we can't possibly know what an attacker might do in the future. IMHO there are several reasons to change mail providers, but this is only my advice. If OP plans on staying with gmx (which as I said in my answer does not seem to be the case), he can always do that, but should definitely take step 2. – Tom K. Jul 25 '17 at 11:58
-1

(answer rewrite)

After the reminder by @schroeder, I go Googling GMX freemail features. It seems the alert features is a plausible security feature.

Do check whether there are some action interaction features associated.

In Google, when I try to login from "stranger IP", e.g. activate VPN and open google there, Google will give me a warning notification on my next login using a common connection. Although I can remove access from mentioned mobile devices shown by Google by resetting the password, Google doesn't mention what happens when you act upon stranger IP, I assume google might throw out something after first fail login attempt, e.g. with captcha or something else to create havoc to botnet.

So for the GMX freemail case, check the alert and see there is some button like "I did not login from this address". It will let the webmail system know how to deal with bruteforce email login from "stranger-address".

mootmoot
  • 2,397
  • 10
  • 16
-3

Use a strong password is enough to avoid brute force attack.

To be strong, passwords must contain characters from three of the following five categories (ref. https://technet.microsoft.com):

  • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=|\(){}[]:;"'<>,.?/
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
schroeder
  • 125,553
  • 55
  • 289
  • 326
Roberto
  • 3
  • 1