
Why Is My Password Manager Telling Me I Have a Password at Risk?

Because security.

It's an important security feature, but it can also flag some false positives.
Passwords at risk in LastPass. (Screenshot: askleo.com)
Question: My password vault recently started telling me that I have 600(!) passwords “at risk”. What does that mean? Do I have to change 600 passwords?

It’s a security feature introduced in many password managers, including the one I use, LastPass.

“At risk” can mean any of several different things. What you do next? Well, it depends.


TL;DR:

Password At Risk

Password vaults report a password as at risk if it’s been discovered in a breach, if you’re using the same password for more than one service, or if you have duplicate entries for the same service. It’s important not to use passwords that have shown up in a breach, and to use a unique password everywhere. If you need to, begin a project to change and strengthen your passwords.

Let’s look at the three most common reasons your password vault assesses a password as at risk: breaches, repeated passwords, and duplicate entries.

Your password’s in a breach

Regardless of how good your password might be, if it was discovered in a breach, you should stop using it.

I mean that literally. Even if your password was 40 random characters — say 97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2 — but was exposed in a breach, you should stop using it.

Once it’s in a breach, hackers add that password to their list of “passwords we know are being used somewhere, so we’ll try them everywhere.” (The automated version of this is called credential stuffing.) When “everywhere” gets around to the service you used it at, your account could be compromised.

Change that password.
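How does a vault know a password has been seen in a breach without sending your password anywhere? The common approach is a k-anonymity range lookup, the scheme used by the Pwned Passwords API: the client hashes the password, sends only the first five hex characters of the SHA-1, gets back every known hash suffix with that prefix, and matches locally. The following is an added example, not code from the article or from LastPass; the breach corpus, its counts, and the offline “range responses” are constructed in memory so the script runs without network access, and the online fetcher is included for reference but never called here.

```python
"""Added example: check a password against a breach corpus with a k-anonymity
range lookup. Only the 5-char SHA-1 prefix would leave the client; the match is
made locally. Range responses here are constructed so this runs offline."""
import hashlib
from typing import Callable

# The article's example of a strong-looking password that must still be
# abandoned once it has appeared in a breach.
ARTICLE_SAMPLE = "97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2"

# Constructed breach corpus: password -> times seen. Counts are made up.
CONSTRUCTED_BREACHED = {"password": 3_500_000, "hunter2": 17_000, ARTICLE_SAMPLE: 1}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_lookup(password: str) -> tuple[str, str]:
    """5-char prefix (sent to the server) and 35-char suffix (kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def build_range_responses(breached: dict[str, int]) -> dict[str, str]:
    """Fake server side: prefix -> newline-separated "SUFFIX:COUNT" lines."""
    ranges: dict[str, list[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = split_for_lookup(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in ranges.items()}


RANGE_RESPONSES = build_range_responses(CONSTRUCTED_BREACHED)


def fetch_range_offline(prefix: str) -> str:
    # A real server returns hundreds of lines per prefix; here a prefix shared
    # by none of the sample hashes simply yields an empty response.
    return RANGE_RESPONSES.get(prefix, "")


def fetch_range_online(prefix: str) -> str:
    """Real lookup against https://api.pwnedpasswords.com/range/<prefix>.
    Not called in this example. Add-Padding asks the server to pad the response
    with count-0 entries so its size does not reveal which prefix was queried."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "vault-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(text: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines; padding entries (count 0) are dropped."""
    seen: dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """How many times the password was seen in the corpus (0 = not found)."""
    prefix, suffix = split_for_lookup(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", ARTICLE_SAMPLE, "correct horse battery staple"]:
        n = breach_count(pw)
        print(f"{pw!r}: {'CHANGE IT, seen %d times' % n if n else 'not in corpus'}")
```

Note what the lookup does and does not protect: the server learns a five-character prefix shared by many thousands of passwords, never the password or its full hash, which is why a vault can run this check on every entry without handing your secrets to a third party. The article’s 40-character random password comes back with a count of 1, and that single sighting is enough reason to retire it.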

You’re re-using passwords

If the same password shows up in multiple entries in your password vault, then you’re reusing that password on different services. Stop that.

Once again, it doesn’t matter how good a password is. If you’re using 97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2 on more than one service, change it in enough places that you’re using it in only one.

The #1 way accounts are getting compromised of late is password reuse. Hackers discover a password and include it in their list of “passwords we know are being used somewhere, so we’ll try them everywhere.” For you, “everywhere” means every one of the services where you happened to use it. Any or all of those accounts could be compromised.

Stop re-using passwords.

There are duplicate entries in your password manager

OK, I lied above. It’s not completely true that “If the same password shows up in multiple entries in your password vault, then you’re reusing that password on different services.”

Sometimes duplicate entries get created for the same site. It shouldn’t happen often, but there are a variety of reasons it can.

When that’s the cause, the password isn’t “at risk” at all.

All you can really do is look at the duplicate entries and see if you need all of them. Delete some or just ignore the warning for that specific site.1

How quickly do you need to act?

Six hundred “at risk” passwords is a lot. Aside from the duplicate-entries issue, in theory, yes, you should change them all, or at least resolve whatever issue was flagged.

In practice… no way.

Just… no. Not all of them, and not right away.

I have many reported in mine as well. What I do varies based on the importance of the account and my own convenience.

For me, that generally means:

  • Change anything you consider important as quickly as you can. Banks, critical email accounts, perhaps social media accounts, and the like.
  • As you use them, change any that have re-used passwords as time permits.
  • As you use them, change any reported in breaches as time permits.
  • Change anything else that needs changing or cleaning up as time permits.

And yes, “as time permits” could take months or longer for 600 passwords. Just prioritize what’s important.
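The distinction drawn above between genuine reuse (one password on several services) and duplicate entries (one service stored twice, such as a website and its mobile app), plus the priority order just described, can be turned into a small audit of a vault export. The following is an added example, not code from the article or from any password manager: the CSV export, the list of “important” domains, and the set of already-breached passwords are all constructed sample data, and the column layout is generic rather than any specific manager’s export format.

```python
"""Added example: audit a vault export for the article's three conditions,
separating real reuse from duplicate entries for one service, then order the
findings by the article's priorities. All data below is constructed."""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed export. Generic columns, not any particular manager's format.
SAMPLE_EXPORT = """\
name,url,username,password
Example Bank,https://www.examplebank.com/login,alice,Tr0ub4dor&3
Example Bank (mobile app),https://m.examplebank.com/,alice,Tr0ub4dor&3
Forum,https://forum.example.org/,alice,Tr0ub4dor&3
Webmail,https://mail.example.net/,alice@example.net,97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2
Shopping,https://shop.example.com/,alice,correcthorsebatterystaple
Shopping (checkout),https://shop.example.com/checkout,alice,correcthorsebatterystaple
Old Blog,https://blog.example.com/,alice,hunter2
Newsletter,https://news.example.com/,alice,uQ2v!9xLrT4mBz8s
"""

# Constructed: services the owner considers critical (the article's banks and
# email), and passwords a separate breach-corpus check has already reported.
HIGH_PRIORITY_DOMAINS = {"examplebank.com", "example.net"}
KNOWN_BREACHED = {"hunter2", "97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2"}


def registrable_domain(url: str) -> str:
    """Last two host labels, so www.examplebank.com and m.examplebank.com both
    become examplebank.com. Real code should use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def service_key(row: dict) -> tuple[str, str]:
    """What counts as 'the same service': same site and same account."""
    return registrable_domain(row["url"]), row["username"].lower()


def parse_export(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def rank(finding: dict):
    """The article's order: important accounts first, then reused passwords,
    then breached ones, then cleanup. None means nothing needs doing."""
    if finding["important"] and (finding["kind"] == "reused" or finding["breached"]):
        return 0
    if finding["kind"] == "reused":
        return 1
    if finding["breached"]:
        return 2
    if finding["kind"] == "duplicate":
        return 3
    return None


def audit(rows: list[dict], high_priority_domains: set, known_breached: set) -> dict:
    """Group entries by password and classify each password."""
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row)
    findings = {}
    for pw, entries in by_password.items():
        services = {service_key(e) for e in entries}
        if len(services) > 1:
            kind = "reused"      # same password on different services: change it
        elif len(entries) > 1:
            kind = "duplicate"   # same service stored twice: not actually at risk
        else:
            kind = "single"
        finding = {
            "kind": kind,
            "breached": pw in known_breached,
            "important": any(d in high_priority_domains for d, _ in services),
            "entries": [e["name"] for e in entries],
        }
        finding["rank"] = rank(finding)
        findings[pw] = finding
    return findings


def triage_order(findings: dict) -> list[str]:
    """Passwords needing attention, soonest first; more entries break ties."""
    todo = [(f["rank"], -len(f["entries"]), pw)
            for pw, f in findings.items() if f["rank"] is not None]
    return [pw for _, _, pw in sorted(todo)]


if __name__ == "__main__":
    found = audit(parse_export(SAMPLE_EXPORT), HIGH_PRIORITY_DOMAINS, KNOWN_BREACHED)
    for pw in triage_order(found):   # report entry names, never the passwords
        f = found[pw]
        print(f"rank {f['rank']}  {f['kind']:9} breached={f['breached']!s:5} "
              f"{', '.join(f['entries'])}")
```

On the sample data the bank password comes first (reused on a forum, and the bank is marked important), the webmail password second (unique, but already breached on a critical account), the old blog’s breached password third, and the shopping site’s two entries last, flagged only as duplicates to tidy up or ignore. The newsletter password is unique and unbreached and gets no finding at all. Treating “same site, same username” as one service is the judgement call that stops the web-plus-app case from being reported as reuse.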

Do this

The most important takeaways from this are:

  • If a password has shown up in a breach, stop using it, no matter how strong it looks.
  • Use a different password for every service. If the same password appears in entries for different sites, change it until it’s used in only one place.
  • Duplicate entries for the same site aren’t a risk; clean them up or ignore the warning for that site.
  • Prioritize: important accounts first, the rest as time permits.

My guess is that with 600+ “at risk” passwords, you’ve been re-using ’em. That’s a habit to break.


Footnotes & References

1: That’s the situation I’m sometimes in when the vault entries for a website and its corresponding mobile app have separate entries. Oh well.

10 comments on “Why Is My Password Manager Telling Me I Have a Password at Risk?”

  1. I’m using Bitwarden and am the administrator for the family organization. I haven’t looked to see if Bitwarden does this, but I’ve gotten into the habit of going into the vaults and looking for things such as duplicate entries and weak passwords using the tools provided.
    One feature of Bitwarden is that I can add a URL to a pass card, as well as the main URL. If I’m using the Bitwarden app on my phone to log into a service, I can add the app URL to the entry in my vault, cutting down on the number of duplicates.
    Depending upon how someone is using a password manager, having 600 at-risk passwords isn’t implausible. If one is acting as the family IT expert, there can be as many as 5 people in the organization. There are 3 in mine, and just counting the shared entries, I’ve got 220. And that’s not counting the personal vaults.

    Reply
  2. (Reply button still not working, so I’m going to stick this at the end.) I just checked: I currently have 611 entries in my password manager.

    Also . . . based on the password list of someone I know, it is sadly plausible that a person could have an entire database of sucky passwords. :(

    Reply
  3. LastPass is going to lose a customer (paid) if they don’t correct the “password at risk” situation. There are many times that I might use a duplicate password that does not compromise security. Very annoying nag.

    Reply
