Information on securing a ZAP account

Introduction

Your account with us gives you access to your services, so security is very important - especially nowadays. We do what we can to protect you. For example, we offer rewards to whitehat hackers who report vulnerabilities through our bug bounty program. However, there are two sides to the security of your account, so here is some information on how you can better protect it.

Secure passwords

Your password is a central part of checking whether a person may access your account. This makes it important to choose a password that is not commonly used by others (e.g. typical passwords such as 123456), has a certain minimum length and complexity, and cannot be guessed from information about you (e.g. birth dates).

You can invent a solid password, for example, by forming a sentence.

I like to take long walks in the winter wonderlands, wearing a mask because it's around 20 degrees**!**

If you put together the first letters of the words, punctuation marks and numbers, you have a difficult-to-guess password with a certain complexity, which you can remember by means of the sentence: Ilttlwitwwwambia20d.

If, as recommended in the next step, you use a password manager, you can usually generate a good password there and do not have to remember it.

Use passwords only once

A secure password makes it harder for attackers to gain access to your account through automated attempts or by guessing. Ideally, however, you should also not use a password more than once, i.e. on different websites and services. If there is a security problem with one of the providers or websites you use and your password falls into the wrong hands, your accounts with other websites are also at risk. Accordingly, it makes sense to use a different password for each site. To avoid confusing or forgetting the passwords, a password manager such as KeePass or 1Password is recommended.

Tip: At haveibeenpwned you can check your email address free of charge to see whether it appears in a known data leak. You will also receive information on which site the incident took place and which data was stolen.

Account Settings

In addition to 2-Factor Authentication, you can also deactivate OneClick Login in the Security tab of your account. Some of the e-mails we send contain links that log you in with one click and direct you to the relevant page. As a general rule, sensitive information should not be sent via email. Accordingly, for accounts with access to important services, it makes sense to switch this function off if necessary.

I was hacked

Should you nevertheless fall victim to an attack in which unauthorized persons gain access to your account, we have implemented systems to minimize the damage and help you to get the situation under control as quickly as possible.

The email address stored in your account can only be changed for confirmed accounts if both email addresses (current email address and desired new address) confirm the change. Accordingly, as soon as you notice any inconsistencies, you can immediately reset your password with your current email address. If a password is changed, all existing sessions are asked to log in again. This should allow you to quickly lock out the attacker.

If anything is unclear or you have other questions, our support team is of course always happy to help you in an emergency wherever we can.