Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

I’m Told to Change My Password. Why?

Is your password loose “in the wild”?

Password Entry
(Image: canva.com)
If you've been told to change your password, do so, but do so in the right way. I'll explain what that means and why it's important.
Question: Should I be worried if I’m told I should change my password by a device or service? They said my password is compromised and was in a data leak.

Change your password right now. If the notice came via email, don’t click any links therein.

Then come back here to understand why.

There are two different scenarios that could be at play here: one very serious, and one not as serious but still important. And of course there are scams, which are also important to sidestep.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

I'm told to change my password

If you’re told to change your password by your device or by a service you use, it’s important that you do so. The password may be “in the wild” and available for hackers to try against your specific account or in attempts to hack into other accounts you and/or others may have. How it was exposed may not even be related to you, but it’s important to act on the notification anyway.

Direct compromise

The most serious scenario is that the service telling you to change your password has been compromised. Normally they force a password reset, but some simply advise you to do so as soon as you can.

It’s critical that you do so.

There are two likely scenarios:

  1. The service was breached and actual passwords were part of the breach. This means that the password you used is now “in the wild” and could be used by hackers to hijack your account.
  2. The service was breached, and while no passwords were exposed, the service is recommending password changes out of caution.

In either case, change your password.

Do this by going to the service online yourself — either typing in the URL or using your own bookmark — signing in, and following their password-change procedure. Do not click on a link in an email to get there.

Indirect compromise

Many security products, and even devices and operating systems, keep track of the passwords you enter and check them1 against databases of passwords that have been previously exposed.

Let’s say you use the password “FunTimes1945” on some service somewhere. You may be told that this password has been exposed in a data breach and you should change it.

Here’s the thing: It might not be your account or your usage of the password that was exposed. Someone else may have used the exact same password on some service somewhere else that was breached.

Regardless, that password is now “in the wild”, and hackers will try it with other usernames, possibly including yours, at services all over the internet, possibly including services you use.

You should change that password wherever you use it.

Once again, do this by going to the service online yourself — either typing in the URL or using your own bookmark — signing in, and following their password-change procedure.

Fake compromise

Hackers know that many people live in fear of their accounts being hacked. They prey on this fear by sending fake compromise notifications to get you to click on their links to fake sites so they can capture your sign-in information.

  • You get an email informing you that your password on service X has been compromised, and you should change it.
  • The email includes a link to service X to change your password.
  • You click that link and go to service X’s sign-in page.
  • You sign in with your existing password, expecting to then change that password.
  • You’ve just handed your sign-in credentials to a hacker.

The issue is that the link provided is not to the service at all, but to a fake sign-in page that looks like the service.

This is why I’ve repeated above the importance of not clicking the link provided in email notifications, but going to the service yourself by typing in the URL or using your own bookmark. That way, you know you’re signing in to the service you think you are.

No compromise?

What if it was a fake? What if you followed my instructions above, went to the service yourself, successfully avoiding the phishing attempt, and changed your password when you didn’t really need to?

So what?

There’s no harm in changing your password when you don’t really need to. The reverse is not true: there is definitely potential harm if you need to change your password and don’t.

Do this

When in doubt, change your password.

While you’re at it, make it long, strong, unique, and used for one and only one service.

After doing so, subscribe to Confident Computing, my weekly newsletter helping you reduce frustration and gain confidence by providing solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Footnotes & References

1: In a secure manner using only hashes.

8 comments on “I’m Told to Change My Password. Why?”

  1. Thank-you Leo A. Notenboom, for your informative articles and insights regarding today’s technology and tomorrow’s wisdom and discernment.

    Reply
  2. Hi, Leo.
    Good on ya for trying to enlighten people about this “must change password” scam.

    The pic at the top of the article is good. Maybe in the one at the bottom (the one with your smiling face), you might wanna change the graphic to show an XXXX password that is, instead XXXXXXXXXXXX……suggesting that BETTER passwords are TWELVE characters in length, not FOUR.
    I know, you DID say “long, strong” and all that, you know what they say about pictures being worth 1000 words. :-)

    Reply
  3. To secure all my passwords I use LastPass AND the Microsoft Authenticator (2FA). I NEVER click ANY link in ANY email or Internet website unless I check the URL it will take me to. It is easy to check the URL, just hover your mouse-pointer over the link and the URL should be displayed either in a pop-up dialog or on the status bar at the bottom of the window. When I check a URL, I check that the first part from “https://” to the first slash (/) character is consistent with what I see in the link’s label, that there is no “redirect” command in the body of the URL (after the first part mentioned above), and that the URL is comprehensible (does not look like some kind of mysterious code). If I have ANY doubt about the link, or the URL is NOT displayed, I DO NOT CLICK THE LINK! Instead (assuming I still want to go to the website), I enter the site’s URL into my browser’s address bar, click a bookmark in my browse to the site, or use my web browser’s search engine to search for the website and click the URL provided in the search results (If I can trust my web browser, I can trust it’s search results). With practice, my procedure takes only a few moments and defeats (for the most part) any social engineering attempts.

    We all receive emails that come from known sources (newsletters, friends/associates, businesses, etc.). I check any URL in those emails too because you can never know if the message is a fake, especially if the email appears to come from a large business you have interacted with (e.g.: Amazon, etc.), a popular site/service many use regularly (Twitter, Facebook, etc.), or if a friend’s email/computer has been hacked (or more commonly, the friend’s email address has been spoofed). If an email message comes from an unknow source, I delete it. If it was not a fake and the sender needs to contact me, they can send me a hardcopy message via USPS.

    I have my email addresses registered with the ‘Have I been Pwned?’ (https://haveibeenpwned.com/) website so I get notifications when/if any of them appears in a data breach. Wen/If I receive such a notification, I change my password for that email account IMMEDIATELY.

    I have developed these measures over my years of using the Internet (since about my Windows 95 days) and they have kept me safe. I have had to change my gmail password twice since I’ve had it, but I’d much prefer to change my password than to risk having some cracker (black-hat hacker) steal my account.

    These are the measures I use to remain safe on the Internet and when using email. I hope this helps someone,

    Ernie

    Reply
  4. Hi Leo,
    I appreciate your information. But this one indirectly backfired on me. I read that you use LastPass & knew it must be the best. So I called & signed up for the premier edition. I am a computer illiterate & knew I couldn’t do this on my own. So I called, signed up & got a helpful tech who got me started, but before she could get me on, my AT&T phone went out & the instillation was not completed.
    This caused a big problem: noting worked, none of my Firefox password would work & I am losing a lot of important information; for 4days I have tried to contact Lastpass by phone & email continuously to get started again with absolutely no results.
    Do you know a way to contact them, or could you use your influence to get them to just call me. I am 96years old & president of two non-profits (one an international) & Lay-leader for the Methodist Church. Anything you could suggest or help me to get on with our business will be great.y appreciated.
    LastPass may be a good company, but to last they have got to treat there customers right…that’s where the money comes from.
    Thank you for all the good work you do,
    {personal information removed — do not post personal information publicly}

    Reply
    • I didn’t think they HAD anyone you COULD call. Are you absolutely certain it was LastPass you called?
      Unfortunately I have little to no influence here, I’m afraid.

      Reply
  5. I have a supplier’s website which “for security” insisted that I change my password every six weeks. On average, we place an order every two months, so every time I visited the site I had to go through the rigmarole of changing password. Why? Anything we order goes to our registered address; money is not paid online but invoiced and paid later by direct debit. I can’t see any way that we, or they, could be cheated if the password was misused. I suspect an overzealous IT department applying the same rules indiscriminately to staff and customers.

    It doesn’t really matter now, as I can’t log in. Six months ago something glitched and it refused to accept either my old or my new passwords. So I have to order by telephone, and waste a couple of minutes listening to a recorded message saying how easy it is to order online. I can’t get hold of anyone who can sort it out, so I’m probably going to have to find another supplier.

    Reply
    • I never understood why these industrial suppliers require a password just to order some material. Our non-profit orders some light construction materials and an oddball tool or two through a small supplier once every couple of months and they force us to make a new password every time I need to order something. Like you, our online orders don’t involve any sort of online financial transaction. They ship us the order and then send an invoice through the mail. Our Treasurer then cuts a check and mails it back to them (we’re really old school!) They are a good supplier and sell material I can’t find elsewhere so we continue to use them. The password thing isn’t real serious, but it’s a minor pain in the neck. I complained to the sales rep once and she apologized profusely, but their company outsources their IT so they are stuck with the process.

      Reply
  6. When resetting my password with my Gmail using recovery method but why is my reset link delayed a few hours and also why it kept saying that they are unable to recover my account and not get the reset link? Why is link reset delay and why the denial of Google letting me reset my password after requesting the reset link after a few hours?

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.