Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?

66
There's a lot of news right now about haveibeenpwned, but I don't understand why people need a service like that in the first place. If you're a security-conscious user, you'd change your passwords regularly on any website that matters (banking, email, paid services) and thus leaks would not affect you in the first place. By 'changing your password' I refer to creating a randomly generated password string for each service, not the enforced changing of passwords in corporate environments.

So why are people so interested in using haveibeenpwned? Why not follow the right security practices regardless of any leaks?
  • 9
    I think what you're asking has to do with using, for example, a new randomly generated password on your own volition, NOT the outdated IT policy forcing users to set a new password regularly. These are very different practices. The former is still very much advised. You may want to call this out specifically.
    – Matthew FitzGerald-Chamberlain
    Jan 19 at 23:20

  • 26
    It's not "either-or". haveibeenpwned is an information service. You still need to follow security best practices.
    – MrWhite
    Jan 21 at 10:06

  • 14
    This feels like "I drive very carefully, why is there such a fuss about that big car crash?"
    – Serverfrog
    Jan 21 at 17:02

  • 1
    Or both. I use unique passwords (sometimes also emails) so I don't care much, but I do get alerted about companies which leaked my data (and might not have notified me). That's a valuable service. Besides, HIBP also allows you to monitor a whole email domain, which is good for admins.
    – eckes
    Jan 22 at 3:14

  • 3
    "on any website that matters" ... perhaps they want to know about all those other websites which required registration, but don't matter enough to bother with changing the password regularly?
    – A C
    Jan 22 at 15:31
passwords password-policy have-i-been-pwned

edited Jan 25 at 13:07
Pureferret
asked Jan 19 at 19:08
JonathanReez

10 Answers

140
Your question contains several false assumptions:

  • If you're a security conscious user, you'd change your passwords regularly on any website that matters

According to my password manager I have hundreds of accounts and most of them would do harm to me if compromised. Changing all of them regularly (like every 90 days) is a huge amount of work. So I use strong passwords generated by the password manager instead. But some services still save passwords in clear text.

  • and thus leaks would not affect you in the first place.

Let's say I would change every password every 90 days. There is still the possibility that there are 89 days where my account is compromised and the attacker has time to do anything, including changing my password. When you know your account is in the list, you can act instantly.

  • Why not follow the right security practices regardless of any leaks?

See previous point.

  • So why are people so interested in using haveibeenpwned?

To know which accounts are affected and to figure out which service got hacked/where the accounts came from.

With this knowledge:

  • I can change the password instantly.
  • I know which service is less trustworthy for sensitive data, money, ... and I might close my activity at this service.
  • If this service has a messaging system, I know to be more alert to messages from "friends" because the account might be stolen.
  • I know which of my data might be compromised (data at the hacked service).

share|improve this answer

  • 33
    "To know which accounts are affected and to figure out which service got hacked/where the accounts came from." just to further this - you can have accounts you forgot you made. Like an account you made to post on some forum 15 years ago and never used since. Alternatively, you could have accounts you never knew about. It could happen if an old service you used changes hands and is rebranded, for example, or merged with another one. I've certainly started receiving newsletters from services I never knew existed because some other account I had was subsumed there. Knowing is half the battle.
    – VLAZ
    Jan 21 at 11:11

  • 11
    The most important points here are the parts not related to passwords. Changing your password regularly lets you be pretty confident that your accounts are not compromised... but it gives you no information. When a service is compromised, changing your password might not be the only action you need to take. You might want to cancel bank cards, check your account's recent activity for things you don't remember doing, alert your friends to not trust messages from you, check your cloud backups for attempts to add malicious files, or many other things that can be vitally important.
    – anaximander
    Jan 21 at 16:06

  • @vlaz this is an excellent point - and in fact, one of my e-mail addresses showed up as having been compromised on a site that I don't recall ever giving my e-mail address to (although I could have easily used a one-off). In which case, I'm not really sure what action I could take anyway.
    – Michael
    Jan 21 at 23:30

  • @vlaz From experience I can definitely say that this is rampant on online job agency/advertisement websites and services, and when you consider the amount of personal info people submit to these things (on CVs, template cover letters etc.) this is really something to be concerned about.
    – DoctorPenguin
    Jan 22 at 15:23

  • 2
    @JonathanReez it's possible that in the past 10 years people began using unique passwords. For example, when I was a teenager I didn't. There have been accounts I'd forgotten existed that had "my password" that were leaked. Now I do use unique passwords, but it's still good to know about those ancient accounts being compromised and "my password" being known.
    – Captain Man
    Jan 22 at 19:40

67
Changing passwords often is not considered a best practice anymore.

People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security-conscious user, but the information is valuable to all users because, regardless of your password age practice, the password should be changed immediately upon knowledge of a breach.

share|improve this answer

  • 25
    Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.
    – JonathanReez
    Jan 19 at 20:34

  • 33
    This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well: "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."
    – they
    Jan 19 at 20:39

  • 4
    The main reason that changing passwords is not advised is because it imposes extra work on the user, and it was noted that in practice this simply encourages most users to reduce that workload by making it easy to do, which they usually achieve by using patterns (password1, password2, password3 etc) and choosing shorter, easier-to-remember passwords, both of which make the password weaker. If you're a security-conscious user who always uses a password manager to generate sufficiently secure passwords, then frequently changing your passwords will make your accounts more secure.
    – anaximander
    Jan 21 at 16:10

  • 8
    @anaximander I disagree. Frequently changing passwords when you are choosing strong passwords is mainly security theater and unnecessary work. If you use strong and unique passwords then the only thing that changing your password protects you from is your password getting leaked by that one third-party service. However, the longer time frame of password changes (90 days) still leaves plenty of time for damage to be done, and if it is caused by weaknesses in the third-party platform, then changing your password might not help anyway.
    – Conor Mancone
    Jan 21 at 16:22

  • 6
    @anaximander I think it is much more valuable to look at this from a "threat model" standpoint than make blanket statements (i.e. change your passwords every 90 days). As a for instance, I can guarantee you that no one is going to spend 90 days trying to brute force your password, unless that password is the only thing standing between them and tens of thousands of dollars of cryptocurrency. So sure, if you have a million dollar online cryptocurrency trading account, feel free to change your password every 90 days. But for 95% of your online accounts, it's just a waste of time.
    – Conor Mancone
    Jan 21 at 17:50

32
Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.

The recommendations are to use strong passwords, unique to each service, and only change them when a compromise is suspected.

HIBP gives that notification of compromise.

share|improve this answer

  • 4
    It's not just repeated patterns. If I switch from "supersecurepassword" to "supersecurepassword1", ...2, ...3 that's pointless but not worse than not changing. The problem is that people change from "supersecurepassword" to "supersecure1" and 24 months later to "super24" because they just can't be bothered, so secure passwords are replaced with less secure ones.
    – gnasher729
    Jan 20 at 14:05

  • 3
    In running password audits over a few years with a few thousand employees at various organisations, I can tell you the repeated patterns are incredibly common. Most are incrementing the final digit. Some change the month or season name.
    – Rory Alsop
    Jan 20 at 17:47

  • 2
    @LightnessRacesinOrbit: That was my first reaction to the idea. But several years ago it was pointed out to me that these tests are done during the password change process -- the new password needs to be in the clear during that process, but it never needs to be stored that way.
    – Ben Voigt
    Jan 20 at 20:18

  • 4
    @lightness - password strength audits. Not what Ben suggested. Simply put, brute force of the SAM file, then reporting on how many were a dictionary word, or "password", or football teams or holiday destinations etc. Not associated with user accounts, despite some organisations asking us for them - just a very useful way to give statistics.
    – Rory Alsop
    Jan 20 at 20:31

  • 1
    @RedGrittyBrick HIBP do now offer a service to check if passwords have been pwned, by hash. This is their new pwnedpasswords service.
    – James_pic
    Jan 21 at 12:12

7
It comes in handy when your email address has been exposed but not as part of a credential set. As an example, I had an email address included in a breach but I didn't have an account with that service/product; the breach was actually on a marketing tool used by a service/product that I was using, and my email address had been added to the tool for marketing purposes.

Knowing my email address had been exposed in that way, I knew to keep an eye out for increased spam and phishing attempts.

share|improve this answer

4
There's an option to monitor entire domains. This is very useful, as not everyone in the company is equally aware or cares as much. With such a notification, as an administrator, you can e.g. force additional password changes for users with newly leaked passwords.

Also, increasing awareness is important in itself.

share|improve this answer

  • 1
    +1 for the "increasing awareness" use of HIBP. I often suggest people look themselves up. It opens their eyes.
    – O. Jones
    Jan 25 at 11:40

3
All the other answers talk about what best practices are. But let's take the question at face value: "Why do people not use best practices (whatever they may be), and instead use this website?"

The biggest problem in security is the human element. It's human nature. To improve security you have to take it into account.

You write in the question: "A security conscious user would", but then you ask "why are people so interested in using haveibeenpwned?".
Well, that's because a lot of people who are interested in the service are NOT security conscious.
Maybe they are somewhat conscious, maybe they have just heard on Facebook about this neat website.

If I tell my mom to "follow the right security practices" (and explain them) she would do nothing.

If I tell my mom to check that website for the one password/email she uses everywhere, and it shows her that it's compromised, she will probably at least change it once on important websites.

In the end it's a tradeoff for the user.

If he never had an account hacked and felt the impact, he will see the risk as very low, and the cost to follow best practices as very high.

Checking haveibeenpwned on the other hand is very low cost. And checking it in and of itself gives you a better risk assessment. If you are compromised you now know that the risk to you is high, so it's more likely that they will follow better practices after visiting the website.

So, it's easier and more convenient, and therefore more likely to go viral. This is something I can share, and security-illiterate people can use and feel good about and share too. It's also a gateway to good security practices.

share|improve this answer

2
Why not follow the right security practices regardless of any leaks?

Because regularly changing your passwords is not a right security practice. It is a hack and work-around.

The proper security practice would be to change your password whenever you have reason to believe that it has been compromised. I've had root passwords unchanged for a decade because there was never ever any reason to suspect a compromise had occurred, so it would have been nonsense to create the cost of a password change (however small) for no reason.

The advice to regularly change passwords is what we use when tracking the possibility of compromise becomes difficult or expensive, and regular changing is simpler and cheaper than that. Basically, the reasoning is: "If I don't have a clue about the probability of my password being compromised, I'll just take a statistical average and err on the side of caution".

So when actual evidence - such as haveibeenpwned - appears, it is always preferable to use the actual data over any guesstimated heuristics.

Addendum:

If you search a little, you can find plenty of publications advocating against regular password changes for no good reason. Disclaimer: Some of them are mine. This nonsense might be a common practice, but that a) doesn't make it a good practice and b) still doesn't mean it can hold a candle to actual data.

share|improve this answer

  • Isn't that the point though, that neither you nor Troy Hunt knows about all security breaches? You speak about "actual evidence" but Hunt himself quotes the famous "Absence of evidence is not evidence of absence" in his FAQ and goes on with "just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach."
    – Tom K.
    Jan 22 at 10:21

  • Absolutely. You can get positive evidence from it, but not negative. The whole problem is that 3rd party websites can be compromised and you'll never know because they hush it up. That is why I have different password policies for my own sites and 3rd party sites.
    – Tom
    Jan 22 at 18:50

  • @Tom his point is likely that you can never be totally sure your machine/password has not been hacked. Your password might become compromised any minute. So the security cost of not changing your password is never 0. Not changing a password (or rarely) may still be a valid strategy, but the cost is still unknown even if it is your own machine. There is only "factual data" that indicates "you need to change your password now", but none that clearly indicates "you don't need to change your password".
    – Frank Hopkins
    Feb 4 at 15:57

  • Yes, but it borders on paranoia to state that your password might be compromised right now... no, now... maybe now? how about right now? That's not a proper approach to assess the risk.
    – Tom
    Feb 4 at 16:33

1
Changing passwords often can be good practice if you use a password manager. If not, it's a bad idea because you cannot remember good passwords that easily.

A minority of people use a password manager. And even if you do use one, I suspect you don't change all your passwords that often. There are services I use once every two or three years. Or that I created an account for but might never use again. Would I go back there and change my password every month?

I have 50+ sites listed in my password manager. Changing all those passwords every month or so would just be too much work.

share|improve this answer

  • "And even if you do use one, I suspect you don't change all your passwords that often." indeed - OP only mentions "passwords that matter". The problem that immediately arises is which accounts matter? Assuming unique passwords everywhere, you are safe from credential reuse but not from the information that can be leaked from other services. And any information leaked can be potentially useful. So, you have to change all passwords. But it's too much work, perhaps only the REALLY, really important ones need changing... so following this, you go into a spiral-shaped rabbit hole.
    – VLAZ
    Jan 21 at 11:16

1
To protect yourself against fraud

There's an alternative consideration I notice people haven't covered: identity fraud and impersonation of the compromised company, which changing a password will not protect you from.

For example, it's common for scammers to harvest leaked information and then pretend to be the company whose information was leaked, using the information they've obtained to convince you they 'legitimately' have access to your information. The ISP TalkTalk often sees scammers phoning up, pretending to be TalkTalk service engineers, regurgitating the stolen information as 'proof' they're authentic.

Likewise, being aware of which companies have had their details stolen allows you to be aware of which vectors scammers will try to use against you. For example, details for Adobe have been stolen, and it's quite possible a scammer could mail people whose accounts were on Adobe a supposedly 'urgent update' to their Adobe software that actually maliciously downloads and installs malware. Being aware that information has leaked from Adobe allows you to take additional precautions against that.

An alternative is if leaked information is about an activity you'd rather not have made public; you can then take reasonable steps to have that information scrubbed (such as deleting the account or changing email addresses).

So in summary: you would regularly check to make sure you know what other people (e.g. scammers, identity fraudsters, blackmailers etc.) know about you.

share|improve this answer

  • I largely disagree with this assertion. If you want to protect against identity fraud, there are more comprehensive services and packages you can buy from financial institutions to safeguard things like your credit and bank accounts.
    – Makoto
    Jan 24 at 18:33

  • The example I gave was an ISP impersonation, which has nothing to do with financial fraud.
    – SSight3
    Jan 27 at 12:20

0
      I will go against the trend here and disagree with the other answers:

      You should regularly change your passwords on a service that you do not trust to handle your data securely.

      You can also regularly check your password manager for such sites and decide if you really need every one of them. If not: send an email to the service provider and ask for deletion of your account and all affiliated data.



      The NIST guidelines that handles password states:




      Verifiers SHOULD NOT require memorized secretsread: passwords to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.




      Collection #1 - which is the reason for the recent buzz around haveibeenpwned.com and Troy Hunt - is an excellent example for the publication of evidence of compromise.



      Why? Because it is not a new breach.

      Brian Krebs, renowned security expert published a report, that claims, that all the data in there is at least two to three years old. His report furthermore contains this picture from a credible chat with a seller. A screenshot of all the other "Collections" (one through five) and two other huge databases that are sold with the claim, that they are full of working login credentials. All in all a terrabyte of raw data from one seller.



      So what does "non-public publication"-age mean in this context? If you have a strong password and it is properly hashed, then no attacker will be able to crack it, no matter how long the password dump has been around. The problem is, a lot of sites do not properly hash your password. And here is where the NIST comes in again. They adapted their guidelines towards changing passwords, because it made no sense in respect to the part of the guideline that handled hashing passwords and storing hashes.




      Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function.




      So what does it all mean?

      Conclusion:




      1. Premise 1: If a service is storing my password hash securely, arbitrary expiration dates of a password do not make much sense.

      2. Premise 2: Hacks happen all the time, only a fraction get noticed and/or publicly disclosed.

      3. But if a service does not hash your password properly - and a LOT of services do not do that - expiration dates of passwords do make sense.

      4. How do I know which service stores my credentials securely? Some certificates give you some information about it. But even companies that seem very professional from the outside fail hard. Small companies perform very nicely sometimes. It's very hard to tell.

      5. If hacks happen all the time, password breaches happen very often as well. As we have seen only a portion of the hacked password databases are searchable on haveibeenpwned.

6. So change your password regularly on sites you do not trust. Again with the caveat that you should use a password manager to avoid password reuse and, if possible, two-factor or multi-factor authentication.






      • Expiration dates for poorly secured credentials only make sense for the purposes of protecting your other accounts against credential stuffing. And if you use unique and complex passwords in combination with a password vault, credential stuffing is much less likely to affect you.

        – Nzall
        Jan 22 at 13:45








      • 1





        Credential stuffing is not the risk here. It is a) the leakage of data from an affected account and b) the possibility for an attacker to pivot from one account to another through social engineering.

        – Tom K.
        Jan 22 at 14:34
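The contrast the answer draws between properly and badly hashed passwords, as an added example that is not part of the original answer: a constructed six-word wordlist and three constructed accounts are stored once with unsalted SHA-1 (the kind of scheme behind many of the old dumps in the collections) and once with salted PBKDF2-HMAC-SHA256, which is one way to satisfy the "salted and hashed using a suitable one-way key derivation function" requirement quoted from NIST SP 800-63B above. The wordlist, account names, passwords and the PBKDF2 work factor are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist and sample accounts for the demonstration (not real breach data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "summer2016"]
USERS = {"alice": "summer2016", "bob": "letmein", "carol": "7wWP2!mZ3%qV"}
PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


# --- scheme 1: unsalted fast hash, as many breached sites stored passwords ---
def weak_store(password: str) -> str:
    """Unsalted SHA-1: equal passwords give equal hashes, on every site, forever."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Build the lookup table once, then crack every entry by dictionary lookup.
    Returns (recovered passwords, number of hash computations)."""
    table = {weak_store(w): w for w in wordlist}          # len(wordlist) hashes, total
    hits = {user: table[h] for user, h in dump.items() if h in table}
    return hits, len(wordlist)


# --- scheme 2: salted, iterated KDF as NIST SP 800-63B requires --------------
def strong_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-password random salt + PBKDF2-HMAC-SHA256, stored as 'iter$salt$dk'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: verification timing must not leak the digest
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """No shared table is possible: each (entry, candidate) pair costs a full KDF
    run. Returns (recovered passwords, number of KDF computations)."""
    hits, kdf_runs = {}, 0
    for user, stored in dump.items():
        for candidate in wordlist:
            kdf_runs += 1
            if strong_verify(candidate, stored):
                hits[user] = candidate
                break
    return hits, kdf_runs


def compare_schemes() -> dict:
    """Run the same wordlist attack against both storage schemes."""
    weak_dump = {u: weak_store(p) for u, p in USERS.items()}
    strong_dump = {u: strong_store(p) for u, p in USERS.items()}
    weak_hits, weak_ops = crack_unsalted(weak_dump, WORDLIST)
    strong_hits, kdf_runs = crack_salted(strong_dump, WORDLIST)
    return {
        "unsalted": {"hits": weak_hits, "hash_ops": weak_ops},
        "salted": {"hits": strong_hits, "hash_ops": kdf_runs * PBKDF2_ITERATIONS},
    }


if __name__ == "__main__":
    for scheme, result in compare_schemes().items():
        print(f"{scheme:9s} cracked={sorted(result['hits'])} "
              f"hash operations={result['hash_ops']:,}")
```

Both attacks recover the two wordlist passwords; the difference is the cost. The unsalted table is built once (six hashes here, a few billion for a real wordlist) and then serves every entry of every dump that ever leaks, which is why a two-year-old dump of unsalted hashes is as useful to an attacker as a fresh one. Against the salted scheme the attacker pays a full KDF run for each entry and each candidate (16 runs of 100,000 iterations here), and the random password-manager password on the third account is out of reach of a wordlist attack under either scheme.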











10 Answers
      140














Your question contains several false assumptions:





      • If you're a security conscious user, you'd change your passwords regularly on any website that matters




According to my password manager I have more than a hundred accounts, and most of them would do harm to me if compromised. Changing all of them regularly (like every 90 days) is a huge amount of work. So I use strong passwords generated by the password manager instead. But some services still save passwords in clear text.





      • and thus leaks would not affect you in the first place.




      Let's say I would change every password every 90 days. There is still the possibility that there are 89 days where my account is compromised and the attacker has time to do anything including changing my password. When you know your account is in the list, you can act instantly.





      • Why not follow the right security practices regardless of any leaks?




      See previous point.





      • So why are people so interested in using haveibeenpwned?




      To know which accounts are affected and to figure out which service got hacked/where the accounts came from.



      With this knowledge:




      • I can change the password instantly.

      • I know which service is less trustworthy for sensitive data, money, ... and I might close my activity at this service.

      • If this service has a messaging system I know to be more alert of messages from "friends" because the account might be stolen.

      • I know which of my data might be compromised (data at the hacked service).






      • 33





        "To know which accounts are affected and to figure out which service got hacked/where the accounts came from." just to further this - you can have accounts you forgot you made. Like an account you made to post on some forum 15 years ago and never used since. Alternatively, you could have accounts you never knew about. It could happen if an old service you used changes hands and is rebranded, for example, or merged with another one. I've certainly started receiving newsletters from services I never knew existed because some other account I had was subsumed there. Knowing is half the battle.

        – VLAZ
        Jan 21 at 11:11






      • 11





        The most important points here are the parts not related to passwords. Changing your password regularly lets you be pretty confident that your accounts are not compromised... but it gives you no information. When a service is compromised, changing your password might not be the only action you need to take. You might want to cancel bank cards, check your account's recent activity for things you don't remember doing, alert your friends to not trust messages from you, check your cloud backups for attempts to add malicious files, or many other things that can be vitally important.

        – anaximander
        Jan 21 at 16:06











      • @vlaz this is an excellent point - and in fact, one of my e-mail addresses showed up as having been compromised on a site that I don't recall ever giving my e-mail address to (although I could have easily used a one-off). In which case, I'm not really sure what action I could take anyway.

        – Michael
        Jan 21 at 23:30











      • @vlaz From experience I can definitely say that this is rampant on online job agency/advertisement websites and services, and when you consider the amount of personal info people submit to these things (on CVs, template cover letters etc.) this is really something to be concerned about.

        – DoctorPenguin
        Jan 22 at 15:23








      • 2





        @JonathanReez it's possible that in the past 10 years people began using unique passwords. For example, when I was a teenager I didn't. There have been accounts I'd forgotten existed that had "my password" that were leaked. Now I do use unique passwords, but it's still good to know about those ancient accounts being compromised and "my password" being known.

        – Captain Man
        Jan 22 at 19:40
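One way to act on a leak immediately instead of waiting for a notification, as an added example that is not the original answer's code: the haveibeenpwned Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>) returns every known hash suffix sharing that prefix together with a breach count, so a password-manager export can be audited for passwords that are already in circulation without the password, or even its full hash, leaving the machine (k-anonymity). The breached-account lookup by e-mail address needs an API key, so this automates the part of HIBP that does not. The endpoint is the real public one; the response body, the vault entries and the breach counts in it are constructed so the block runs offline (the fake fetch ignores the prefix it is given).

```python
import hashlib
import urllib.request

# Real public endpoint; the body below is constructed for an offline run, not captured.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
SAMPLE_RANGE_5BAA6 = """\
00322BE1A3D6B78F6B81C7CF4C2DE1B3D0C:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Uppercase hex SHA-1 split into the 5-char prefix that is sent to HIBP and
    the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup over the network; the offline demo injects a fake instead.
    HIBP rejects requests without a User-Agent header."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range, cache=None) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    cache = {} if cache is None else cache
    if prefix not in cache:                     # one request per distinct prefix
        cache[prefix] = parse_range_response(fetch(prefix))
    return cache[prefix].get(suffix, 0)


def audit_vault(entries: dict, fetch=fetch_range) -> dict:
    """entries: {account label: password}. Returns the labels whose password is
    already in the corpus, with the breach count, so they can be rotated now
    rather than on a calendar schedule."""
    cache = {}
    found = {}
    for label, password in entries.items():
        count = pwned_count(password, fetch=fetch, cache=cache)
        if count:
            found[label] = count
    return found


def offline_demo() -> dict:
    """Same logic with a fake fetch that always returns the constructed 5BAA6 range."""
    vault = {"old-forum": "password", "bank": "7wWP2!mZ3%qV"}   # constructed entries
    return audit_vault(vault, fetch=lambda prefix: SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    print(offline_demo())       # {'old-forum': 1234567}
```

Pass `fetch_range` (the default) instead of the lambda to run the audit against the live corpus; only the five-character prefix of each hash is transmitted, and the cache keeps it to one request per distinct prefix.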
















edited Jan 22 at 10:25 by Benoit Esnard

answered Jan 20 at 12:13 by H. Idden








      67














      Changing passwords often is not considered a best practice anymore.



      People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.






      • 25





        Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

        – JonathanReez
        Jan 19 at 20:34






      • 33





        This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

        – they
        Jan 19 at 20:39








      • 4





The main reason that changing passwords is not advised is because it imposes extra work on the user, and it was noted that in practice, this simply encourages most users to reduce that workload by making it easy to do, which they usually achieve by using patterns (password1, password2, password3 etc.) and choosing shorter, easier-to-remember passwords, both of which make the password weaker. If you're a security conscious user who always uses a password manager to generate sufficiently secure passwords, then frequently changing your passwords will make your accounts more secure.

        – anaximander
        Jan 21 at 16:10






      • 8





        @anaximander I disagree. Frequently changing passwords when you are choosing strong passwords is mainly security theater and unnecessary work. If you use strong and unique passwords then the only thing that changing your password protects you from is your password getting leaked by that one third party service. However, the longer time frame of password changes (90 days) still leaves plenty of time for damage to be done, and if it is caused by weaknesses in the third party platform, then changing your password might not help anyway.

        – Conor Mancone
        Jan 21 at 16:22






      • 6





@anaximander I think it is much more valuable to look at this from a "threat model" standpoint than make blanket statements (i.e. change your passwords every 90 days). As a for instance, I can guarantee you that no one is going to spend 90 days trying to brute force your password, unless that password is the only thing standing between them and tens of thousands of dollars of crypto currency. So sure, if you have a million dollar online cryptocurrency trading account, feel free to change your password every 90 days. But for 95% of your online accounts, it's just a waste of time.

        – Conor Mancone
        Jan 21 at 17:50
















      67














      Changing passwords often is not considered a best practice anymore.



      People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.






      share|improve this answer



















      • 25





        Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

        – JonathanReez
        Jan 19 at 20:34






      • 33





        This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

        – they
        Jan 19 at 20:39








      • 4





        The main reason that changing passwords is not advised is because it imposes extra work on the user, and it was noted than in practice, this simply encourages most users to reduce that workload by making it easy to do, which they usually achieve by using patterns (password1, password2, password3 etc) and choosing shorter, easier-to-remember passwords, both of which make the password weaker. If you're a security conscious user who always uses a password manager to generate sufficiently secure passwords, then frequently changing your passwords will make your accounts more secure.

        – anaximander
        Jan 21 at 16:10






      • 8





        @anaximander I disagree. Frequently changing passwords when you are choosing strong passwords is mainly security theater and unnecessary work. If you use strong and unique passwords then the only thing that changing your password protects you from is your password getting leaked by that one third party service. However, the longer time frame of password changes (90 days) still leaves plenty of time for damage to be done, and if it is caused by weaknesses in the third party platform, then changing your password might not help anyway.

        – Conor Mancone
        Jan 21 at 16:22






      • 6





        @anaximander I think it is much more valuable to look at this from a "threat model" standpoint than make blanket statements (i.e. change your passwords every 90 days). As a for instance, I can guarantee you that no one is going to spend 90 days trying to brute force your password, unless that password is the only thing standing between them and tens of thousands of dollars of crypto currency. So sure, if you have a million dollar online cryptocurrency trading account, feel free to change your password every 90 days. But for 95% of your online accounts, its just a waste of time.

        – Conor Mancone
        Jan 21 at 17:50














      67












      67








      67







      Changing passwords often is not considered a best practice anymore.



      People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.






      share|improve this answer













      answered Jan 19 at 20:18









      they

      895117








      • 25





        Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

        – JonathanReez
        Jan 19 at 20:34






      • 33





        This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

        – they
        Jan 19 at 20:39








      • 4





        The main reason that changing passwords is not advised is because it imposes extra work on the user, and it was noted that in practice, this simply encourages most users to reduce that workload by making it easy to do, which they usually achieve by using patterns (password1, password2, password3 etc) and choosing shorter, easier-to-remember passwords, both of which make the password weaker. If you're a security conscious user who always uses a password manager to generate sufficiently secure passwords, then frequently changing your passwords will make your accounts more secure.

        – anaximander
        Jan 21 at 16:10






      • 8





        @anaximander I disagree. Frequently changing passwords when you are choosing strong passwords is mainly security theater and unnecessary work. If you use strong and unique passwords then the only thing that changing your password protects you from is your password getting leaked by that one third party service. However, the longer time frame of password changes (90 days) still leaves plenty of time for damage to be done, and if it is caused by weaknesses in the third party platform, then changing your password might not help anyway.

        – Conor Mancone
        Jan 21 at 16:22






      • 6





        @anaximander I think it is much more valuable to look at this from a "threat model" standpoint than make blanket statements (i.e. change your passwords every 90 days). As a for instance, I can guarantee you that no one is going to spend 90 days trying to brute force your password, unless that password is the only thing standing between them and tens of thousands of dollars of cryptocurrency. So sure, if you have a million dollar online cryptocurrency trading account, feel free to change your password every 90 days. But for 95% of your online accounts, it's just a waste of time.

        – Conor Mancone
        Jan 21 at 17:50


















      32














      Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.



      The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.



      HIBP gives that notification of compromise.






      share|improve this answer



















      • 4





        It's not just repeated patterns. If I switch from "supersecurepassword" to "supersecurepassword1", ...2, ...3 that's pointless but not worse than not changing. The problem is that people change from "supersecurepassword" to "supersecure1" and 24 months later to "super24" because they just can't be bothered, so secure passwords are replaced with less secure ones.

        – gnasher729
        Jan 20 at 14:05






      • 3





        In running password audits over a few years with a few thousand employees at various organisations, I can tell you the repeated patterns are incredibly common. Most are incrementing the final digit. Some are changing the month or season name.

        – Rory Alsop
        Jan 20 at 17:47






      • 2





        @LightnessRacesinOrbit: That was my first reaction to the idea. But several years ago it was pointed out to me that these tests are done during the password change process -- the new password needs to be in the clear during that process, but it never needs to be stored that way.

        – Ben Voigt
        Jan 20 at 20:18






      • 4





        @lightness - password strength audits. Not what Ben suggested. Simply put, brute force of the SAM file, then reporting on how many were a dictionary word, or "password" or football teams or holiday destinations etc. Not associated with user accounts, despite some organisations asking us for them - just a very useful way to give statistics.

        – Rory Alsop
        Jan 20 at 20:31






      • 1





        @RedGrittyBrick HIBP do now offer a service to check if passwords have been pwned, by hash. This is their new pwnedpasswords service.

        – James_pic
        Jan 21 at 12:12
















      answered Jan 19 at 22:02









      Rory Alsop

      57.3k11104298
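The check that Ben Voigt's and James_pic's comments describe, as an added example that is not code from HIBP or from anyone on this thread: a constructed breach corpus is indexed by SHA-1 prefix on the service side, and a password-change handler hashes the candidate locally, sends only the five-character hex prefix, matches the suffix at home, and stores an accepted password only as a salted PBKDF2 hash. The send-prefix, receive-`SUFFIX:COUNT` shape is the one HIBP's Pwned Passwords range lookup uses; the corpus, its counts and the in-memory `RangeLookup` are constructed for this example so it runs offline.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed breach corpus for this example (not real breach data): a few
# plaintext passwords with a made-up count of how often each was seen.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 3730471,
    "password1": 2413945,
    "supersecurepassword": 12,
    "super24": 3,
}

HASH_PREFIX_LEN = 5  # hex characters of the SHA-1 that leave the client


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password; the range index is keyed by it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Service side: bucket hash suffixes under their 5-char prefix. The
    service holds hashes and counts only, never the plaintext passwords."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for password, count in corpus.items():
        digest = sha1_upper(password)
        prefix, suffix = digest[:HASH_PREFIX_LEN], digest[HASH_PREFIX_LEN:]
        index.setdefault(prefix, []).append((suffix, count))
    return index


def range_response(index: Dict[str, List[Tuple[str, int]]], prefix: str) -> str:
    """Render one bucket as 'SUFFIX:COUNT' lines, the shape a range lookup returns."""
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, [])))


class RangeLookup:
    """Stand-in for the network call to the lookup service (constructed for the
    example). It records every prefix it receives so the caller can verify what
    actually left the client."""

    def __init__(self, index: Dict[str, List[Tuple[str, int]]]) -> None:
        self.index = index
        self.prefixes_sent: List[str] = []

    def __call__(self, prefix: str) -> str:
        self.prefixes_sent.append(prefix)
        return range_response(self.index, prefix)


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map; blank lines are skipped."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup: RangeLookup) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password was seen in the corpus (0 = never)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:HASH_PREFIX_LEN], digest[HASH_PREFIX_LEN:]
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def handle_password_change(new_password: str, lookup: RangeLookup) -> Dict[str, object]:
    """Password-change step: the candidate is in the clear only here. A breached
    candidate is rejected; an accepted one is stored as a salted PBKDF2 hash."""
    count = breach_count(new_password, lookup)
    if count > 0:
        return {"accepted": False, "reason": f"seen {count} times in breach data", "stored": None}
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 200_000)
    return {"accepted": True, "reason": "ok", "stored": f"{salt.hex()}${derived.hex()}"}


if __name__ == "__main__":
    lookup = RangeLookup(build_range_index(CONSTRUCTED_CORPUS))
    for candidate in ("password", "super24", "correct horse battery staple"):
        result = handle_password_change(candidate, lookup)
        print(f"{candidate!r}: accepted={result['accepted']} ({result['reason']})")
    # Only 5-character prefixes ever reach the service, never the full hash.
    print("prefixes sent to the service:", lookup.prefixes_sent)
```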





      7














      It comes in handy when your email address has been exposed but not as part of a credentials set. As an example, I had an email address included in a breach but I didn't have an account with that service/product; the breach was actually on a marketing tool used by a service/product that I was using, and my email address had been added to the tool for marketing purposes.



      Knowing my email address had been exposed in that way, I knew to keep an eye out for increased spam and phishing attempts.






      share|improve this answer




























          answered Jan 20 at 0:37









          Aaron

          792











              4














              There's an option to monitor entire domains. This is very useful as not everyone in the company is equally aware or cares as much. With such a notification, as an administrator, you can e.g. force additional password changes for users with newly leaked passwords.



              Also, increasing awareness is important in itself.






              share|improve this answer



















              • 1





                +1 for the "increasing awareness" use of HIBP. I often suggest people look themselves up. It opens their eyes.

                – O. Jones
                Jan 25 at 11:40
















              answered Jan 19 at 20:03









              Esa Jokinen

              1,998613











              3














              All the other answers talk about what best practices are. But let's take the question at face value: "Why do people not use best practices (whatever they may be), and instead use this website?"



              The biggest problem in security is the human element. It's human nature. To improve security you have to take it into account.



              You write in the question: "A security conscious user would", but then you ask "why are people so interested in using haveibeenpwned?".
              Well, that's because a lot of people who are interested in the service are NOT security conscious.
              Maybe they are somewhat conscious, maybe they have just heard on Facebook about this neat website.



              If I tell my mom to "follow the right security practices" (and explain them), she would do nothing.

              If I tell my mom to check that website for the one password/email she uses everywhere, and it shows her that it's compromised, she will probably at least change it once on important websites.



              In the end it's a tradeoff for the user.

              If he has never had an account hacked and felt the impact, he will see the risk as very low, and the cost to follow best practices as very high.

              Checking haveibeenpwned on the other hand is very low cost. And checking it in and of itself gives you a better risk assessment. If you are compromised you now know that the risk to you is high, so it's more likely that you will follow better practices after visiting the website.



              So, it's easier and more convenient, and therefore more likely to go viral. This is something I can share, and security illiterate people can use and feel good about and share too. It's also a gateway to good security practices.

                  edited Jan 22 at 19:00
                  answered Jan 22 at 18:55
Lichtbringer

Why not follow the right security practices regardless of any leaks?

Because regularly changing your passwords is not a right security practice. It is a hack and a work-around.

The proper security practice would be to change your password whenever you have reason to believe that it has been compromised. I've had root passwords unchanged for a decade because there was never ever any reason to suspect a compromise had occurred, so it would have been nonsense to incur the cost of a password change (however small) for no reason.

The advice to regularly change passwords is what we use when tracking the possibility of compromise becomes difficult or expensive, and regular changing is simpler and cheaper than that. Basically, the reasoning is: "If I don't have a clue about the probability of my password being compromised, I'll just take a statistical average and err on the side of caution".

So when actual evidence - such as haveibeenpwned - appears, it is always preferable to use the actual data over any guesstimated heuristics.

Addendum:

If you search a little, you can find plenty of publications advocating against regular password changes for no good reason. Disclaimer: Some of them are mine. This nonsense might be a common practice, but that a) doesn't make it a good practice and b) still doesn't mean it can hold a candle to actual data.
• Isn't that the point, though, that neither you nor Troy Hunt knows about all security breaches? You speak about "actual evidence" but Hunt himself quotes the famous "Absence of evidence is not evidence of absence" in his FAQ and goes on with "just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach."

  – Tom K.
  Jan 22 at 10:21

• Absolutely. You can get positive evidence from it, but not negative. The whole problem is that 3rd party websites can be compromised and you'll never know because they hush it up. That is why I have different password policies for my own sites and 3rd party sites.

  – Tom
  Jan 22 at 18:50

• @Tom his point is likely that you can never be totally sure your machine/password has not been hacked. Your password might become compromised any minute. So the security cost of not changing your password is never 0. Not changing a password (or rarely) may still be a valid strategy, but the cost is still unknown even if it is your own machine. There is only "factual data" that indicates "you need to change your password now", but none that clearly indicates "you don't need to change your password".

  – Frank Hopkins
  Feb 4 at 15:57

• Yes, but it borders on paranoia to state that your password might be compromised right now... no, now... maybe now? how about right now? That's not a proper approach to assess the risk.

  – Tom
  Feb 4 at 16:33
                      answered Jan 22 at 9:37
Tom

Changing passwords often can be good practice if you use a password manager. If not, it's a bad idea because you cannot remember good passwords that easily.

A minority of people use a password manager. And even if you do use one, I suspect you don't change all your passwords that often. There are services I use once every two or three years. Or that I created an account for but might never use again. Would I go back there and change my password every month?

I have 50+ sites listed in my password manager. Changing all those passwords every month or so would just be too much work.
• "And even if you do use one, I suspect you don't change all your passwords that often." Indeed - OP only mentions "passwords that matter". The problem that immediately arises is: which accounts matter? Assuming unique passwords everywhere, you are safe from credential reuse but not from the information that can be leaked from other services. And any information leaked can be potentially useful. So, you have to change all passwords. But it's too much work, perhaps only the REALLY, really important ones need changing... so following this, you go into a spiral-shaped rabbit hole.

  – VLAZ
  Jan 21 at 11:16
                      answered Jan 20 at 9:06
Anders

To protect yourself against fraud

There's an alternative consideration I notice people haven't covered: identity fraud and impersonation of the compromised company, which changing a password will not protect you from.

For example, it's common for scammers to harvest leaked information and then pretend to be the company whose information was leaked, using the information they've obtained to convince you they 'legitimately' have access to your information. The ISP TalkTalk often sees scammers phoning up, pretending to be TalkTalk service engineers, regurgitating the stolen information as 'proof' they're authentic.

Likewise, being aware of which companies have had their details stolen allows you to be aware of which vectors scammers will try to use against you. For example, details for Adobe have been stolen, and it's quite possible a scammer could mail people whose accounts were on Adobe a supposedly 'urgent update' to their Adobe software that actually downloads and installs malware. Being aware that information has leaked from Adobe allows you to take additional precautions against that.

An alternative is if leaked information is about an activity you'd rather not have made public; you can then take reasonable steps to have that information scrubbed (such as deleting the account or changing email addresses).

So in summary: you would regularly check to make sure you know what other people (e.g. scammers, identity fraudsters, blackmailers etc.) know about you.
                      • I largely disagree with this assertion. If you want to protect against identity fraud, there are more comprehensive services and packages you can buy from financial institutions to safeguard things like your credit and bank accounts.

                        – Makoto
                        Jan 24 at 18:33











                      • The example I gave was an ISP impersonation, which has nothing to do with financial fraud.

                        – SSight3
                        Jan 27 at 12:20


























                      answered Jan 21 at 12:02









SSight3

                      1492















                      0














I will go against the trend here and disagree with the other answers:

You should regularly change your passwords on a service that you do not trust to handle your data securely.

You can also regularly check your password manager for such sites and decide if you really need every one of them. If not, send an email to the service provider and ask for deletion of your account and all affiliated data.

The NIST guideline that handles passwords states:

Verifiers SHOULD NOT require memorized secrets [read: passwords] to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Collection #1 - which is the reason for the recent buzz around haveibeenpwned.com and Troy Hunt - is an excellent example of the publication of evidence of compromise.

Why? Because it is not a new breach.

Brian Krebs, a renowned security expert, published a report that claims that all the data in there is at least two to three years old. His report furthermore contains this picture from a credible chat with a seller: a screenshot of all the other "Collections" (one through five) and two other huge databases that are sold with the claim that they are full of working login credentials. All in all, a terabyte of raw data from one seller.

So what does "non-public publication" age mean in this context? If you have a strong password and it is properly hashed, then no attacker will be able to crack it, no matter how long the password dump has been around. The problem is, a lot of sites do not properly hash your password. And here is where NIST comes in again. They adapted their guidelines towards changing passwords, because it made no sense with respect to the part of the guideline that handled hashing passwords and storing hashes.

Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function.

So what does it all mean?

Conclusion:

1. Premise 1: If a service is storing my password hash securely, arbitrary expiration dates of a password do not make much sense.

2. Premise 2: Hacks happen all the time; only a fraction get noticed and/or publicly disclosed.

3. But if a service does not hash your password properly - and a LOT of services do not do that - expiration dates of passwords do make sense.

4. How do I know which service stores my credentials securely? Some certificates give you some information about it. But even companies that seem very professional from the outside fail hard. Small companies perform very nicely sometimes. It's very hard to tell.

5. If hacks happen all the time, password breaches happen very often as well. As we have seen, only a portion of the hacked password databases are searchable on haveibeenpwned.

6. So change your password regularly on sites you do not trust. Again with the caveat that you should use a password manager to avoid password reuse and, if possible, 2-factor authentication or multi-factor authentication.






                      share|improve this answer


























                      • Expiration dates for poorly secured credentials only make sense for the purposes of protecting your other accounts against credential stuffing. And if you use unique and complex passwords in combination with a password vault, credential stuffing is much less likely to affect you.

                        – Nzall
                        Jan 22 at 13:45








                      • 1





                        Credential stuffing is not the risk here. It is a) the leakage of data from an affected account and b) the possibility for an attacker to pivot from one account to another through social engineering.

                        – Tom K.
                        Jan 22 at 14:34
























                      edited Jan 21 at 16:18

























                      answered Jan 21 at 15:33









Tom K.

                      6,55932451
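Added example (not code from Tom K.'s answer, from NIST or from haveibeenpwned): the salted key-derivation storage the quoted guideline requires, next to the unsalted fast hash the answer warns about, plus a small check that applies the "force a change only on evidence of compromise" rule to one account. The service names, dates and PBKDF2 work factor are constructed for the demonstration.

```python
"""Salted KDF storage vs. unsalted fast hashing, and the NIST
"no arbitrary expiry, force a change on evidence of compromise" rule.
Added example; not code from the answer, NIST or haveibeenpwned."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Constructed work factor; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class StoredSecret:
    """What a verifier keeps per user when it follows the NIST storage rule."""
    salt: bytes
    digest: bytes
    iterations: int
    set_on: date  # day the user last set this password


def store_password(password: str, set_on: str,
                   iterations: int = PBKDF2_ITERATIONS) -> StoredSecret:
    """Salt + one-way KDF (PBKDF2-HMAC-SHA256): the form that stays
    resistant to offline attack no matter how old a leaked dump is."""
    salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return StoredSecret(salt, digest, iterations, date.fromisoformat(set_on))


def verify_password(candidate: str, record: StoredSecret) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record.salt, record.iterations)
    return hmac.compare_digest(digest, record.digest)


def unsalted_fast_hash(password: str) -> str:
    """The weak storage the answer warns about: one fast, unsalted hash.
    Every user with the same password gets the same stored value, so a
    leaked table can be attacked offline at full speed and one recovered
    value applies to every user (and every site) that stored it this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class BreachEvidence:
    """One disclosed breach, as a breach-notification service would report it."""
    service: str
    data_taken_on: date  # when the data was taken, per the disclosure


def evidence(service: str, taken_on: str) -> BreachEvidence:
    return BreachEvidence(service, date.fromisoformat(taken_on))


def must_force_change(record: StoredSecret, service: str,
                      evidence_list: Iterable[BreachEvidence]) -> bool:
    """NIST's rule applied to one account: no calendar expiry; force a
    change only when a breach of *this* service could hold the current
    secret, i.e. the data was taken on or after the password was set.
    A dump years older than the password (Collection #1 style) is not
    evidence against that password."""
    return any(e.service == service and e.data_taken_on >= record.set_on
               for e in evidence_list)


def demo() -> dict:
    """Constructed scenario: two users, one service, three disclosures."""
    alice = store_password("correct horse battery", "2019-01-10")
    bob = store_password("correct horse battery", "2019-01-10")
    old_dump = evidence("example-forum", "2016-06-01")      # years old
    fresh_breach = evidence("example-forum", "2019-01-15")  # after reset
    other_site = evidence("other-shop", "2019-01-15")       # not this service
    return {
        "verify_ok": verify_password("correct horse battery", alice),
        "verify_wrong": verify_password("correct horse batteries", alice),
        # salted KDF: same password, yet the stored records differ
        "salted_records_differ": alice.digest != bob.digest,
        # unsalted fast hash: same password, identical stored value
        "unsalted_records_match": (unsalted_fast_hash("correct horse battery")
                                   == unsalted_fast_hash("correct horse battery")),
        "change_for_old_dump": must_force_change(alice, "example-forum", [old_dump]),
        "change_for_fresh_breach": must_force_change(alice, "example-forum", [fresh_breach]),
        "change_for_other_site": must_force_change(alice, "example-forum", [other_site]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```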





















