Hackers keep track of your passwords if they find ’em.
A reader recently commented:
You don’t need a password-strength tester.
You should, however, use a password-found tester. And while it’s not “some random website”, there is a website I suggest you use.
Don't reuse passwords
Hackers use passwords discovered in a breach against other accounts associated with your user ID or email. They also use collections of previously discovered passwords in brute-force attacks. Any password ever used by anyone, however strong, if discovered in a breach, is no longer a secure password. Use unique, long, strong passwords, ideally random, and enable two-factor authentication on all accounts that support it.
Strong passwords are easy. If you’re using a password vault, use its password generator to generate passwords of at least 12 (I use 20) random characters.
Something like rGyk2fhfQAtAzoejLZFF. Or gzmkuRUgyhqY. That style of password is quite secure — as secure as it gets, as a matter of fact. And I didn’t even bother to use special characters. No strength testing needed.
Use a password manager to save your passwords, and it doesn’t matter that you can’t possibly remember them.
Reused passwords #1
It turns out that using the same password at multiple different sites is probably the single most risky thing you can do,[1] no matter how secure the password itself might be.
Let’s say you use the same nicely secure password — rGyk2fhfQAtAzoejLZFF — at service A and also unrelated service B.
Service A gets hacked. Not your fault; nothing you could have done about it; but it happened. What’s worse, service A did an even worse job than we thought with security: they stored passwords in a way that the hacker was able to recover the actual passwords. The hacker now has rGyk2fhfQAtAzoejLZFF as the password for your account, along with your email address, which is commonly exposed in breaches like this.
The hacker starts trying your email address and password at all sorts of other common services in case you happen to have accounts there.
Eventually they reach service B, and when they try to sign in as you, it works, since you used the same password there as you did at service A. Security measures at service B never came into play because it was never hacked. The hacker simply signed in as you with your username and password: the password they had discovered somewhere else.
This happens all the time.
Reused passwords #2
This is a variation on the theme, but it’s a variation that’s not obvious. So far we’ve focussed on making sure two or more services don’t use the same password at the same time. It’s worse than that. Even if you use a password in one and only one location, even if you later change it, you should never use that original password ever again.
Let’s say you have a nicely secure password — 9Fotvb7fb2J4BbEAFKk4 — at service A and only service A.
Service A gets hacked. Once again, it’s not your fault. Once again, service A’s security was poor, and they stored passwords in a way that the hackers could get them. The hacker now has 9Fotvb7fb2J4BbEAFKk4 as the password for your account, along with your email address.
Service A has been hacked, but only service A. The hackers try your email address and password at other services, but it gets them nothing. You used it in only one place. Good on you.
Now never use that password again. Ever.
Something else happens when hackers discover account passwords: they save them. They build a list of all the passwords they’ve ever discovered anywhere.
And they use that list in the first volley of brute force attacks in the future.
We think of brute force attacks as trying all possible passwords, but a more effective hacking strategy is to try all previously discovered passwords first. Why? Because people insist on reusing passwords. If not right away, then eventually.
What this means is that once you’ve used a password, you should never, ever use it again, anywhere else, for all time.
One and done.
You can check
Dream up a password that doesn’t follow our rules above: something that would clearly be a poor password. I’ll choose pinkducky.
The image above shows the result of entering pinkducky at Pwned Passwords, a service of Have I Been Pwned. Pinkducky has been discovered 83 times across the breaches Have I Been Pwned is aware of. Maybe don’t use that as a password.
Yes, I entered the password on a “random” website. I just don’t consider it random; it has a great reputation and does all the tech right. Your actual password isn’t really uploaded, and anonymity is preserved (you can read more on the site about how this is accomplished if you’re so inclined).
Here’s the thing: any password you’ve ever used could be on the list, particularly if you’ve not been using a technique like the “12 random characters” approach I used above. Even if you have been using long/strong passwords, if that password was ever discovered by hackers, it could be on their list to start trying.
So even if you think you’re properly obfuscating (0bF45c4T1ng) your passwords, you might want to check them with Pwned Passwords.[2] If anyone anywhere just happened to use the same password, and that password was breached, you could be setting yourself up for a problem eventually.
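The check described in this section, and the reason the site never sees the password itself, as an added example that is not the article's or Have I Been Pwned's own code: the password is hashed locally with SHA-1, only the first five hex characters of the hash are sent to the real `range` endpoint, and the returned list of suffixes is matched on your machine. The sample response below is constructed so the example runs offline (only the count of 83 for pinkducky comes from the article); the registration-time policy function and its 12-character minimum are this example's assumptions.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; replies with "SUFFIX:COUNT" lines

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent and the 35-char suffix that is not."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally for our suffix; return its breach count, or 0 if it is absent."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix.upper():
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup (needs network): only the 5-character prefix ever leaves this machine."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch=fetch_range) -> int:
    """Times the password appears in the corpus; 'fetch' is swappable so the check can run offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))

def password_acceptable(password: str, fetch=fetch_range, min_len: int = 12) -> bool:
    """Assumed registration-time policy: long enough AND never seen in a breach."""
    return len(password) >= min_len and pwned_count(password, fetch) == 0

def constructed_range_body(password: str, count: int) -> str:
    """CONSTRUCTED stand-in for a range response; a real one lists every known suffix sharing the prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",  # made-up neighbour
        f"{suffix}:{count}",
        "00D4F6E8FA162D5FB9E9A4E7F3C4F4C9D2B:1",  # made-up neighbour
    ])

if __name__ == "__main__":
    offline = lambda prefix: constructed_range_body("pinkducky", 83)  # 83 is the count the article reports
    print("pinkducky seen", pwned_count("pinkducky", offline), "times")  # prints 83
    print("rGyk2fhfQAtAzoejLZFF acceptable:", password_acceptable("rGyk2fhfQAtAzoejLZFF", offline))  # True
```

Swap `offline` for the default `fetch_range` to query the live service; the prefix is all that appears in the request.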
Two factor helps a lot
Passwords are kind of a mess. I definitely prefer the 20-random-character method for new passwords, but changing old passwords, compromised or not, is a big job. My last password vault backup had over 1,000 entries.[3]
The good news is that an account protected with two-factor authentication is still reasonably secure, even if the password is weak or even known. As I’ve said elsewhere, even if they know your password, with two-factor authentication enabled they still can’t get into your account.
Enable two-factor authentication on all accounts that support it. While you’re there doing that, change any weak or reused passwords.
Stop reusing passwords, including passwords you used once but aren’t using currently. Always start with brand-new passwords. (Ideally, use the random-character method, but I know not everyone will. Just make sure your password is long and strong.)
Consider using Pwned Passwords as an extra layer of detection of whether or not your password is already known in the wild. If it is, stop using it. Period.
Footnotes & References
1: Well, aside from posting your password publicly, or giving it to someone you shouldn’t, I suppose.
2: To be clear, Pwned Passwords is not a canonical list. Hackers may have longer, more extensive lists that haven’t been discovered yet. But it’s what we have available to us.
3: I’m probably exceptional in this regard, but I’d expect most people to have over 100 accounts.