It’s a security feature introduced in many password managers, including the one I use, LastPass.
“At risk” can mean any of several different things. What you do next? Well, it depends.
Password At Risk
Password vaults report a password at risk if it’s been discovered in a breach, if you’re using a password for more than one service, or if you have duplicate entries for the same service. It’s important to not use discovered passwords and to use unique passwords everywhere. If you need to, begin a project to change and strengthen your passwords.
Let’s look at the three most common reasons your password vault assesses a password as at risk: breaches, repeated passwords, and duplicate entries.
Your password’s in a breach
Regardless of how good your password might be, if it was discovered in a breach, you should stop using it.
I mean that literally. Even if your password was 40 random characters — say 97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2 — but was exposed in a breach, you should stop using it.
Once in a breach, hackers will now include that password in their list of “passwords we know are being used somewhere, so we’ll try them everywhere.” When “everywhere” gets around to the service you used it at, your account could be compromised.
Change that password.
You’re re-using passwords
If the same password shows up in multiple entries in your password vault, then you’re reusing that password on different services. Stop that.
Once again, it doesn’t matter how good a password is. If you’re using 97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2 on more than one service, change it in enough places that you’re using it in only one.
The #1 way that accounts appear to be compromised of late is due to password reuse. Hackers discover a password and include it in their list of “passwords we know are being used somewhere, so we’ll try them everywhere.” For you, “everywhere” means any of the several different services where you happened to use it. Any or all of those accounts could be compromised.
Stop re-using passwords.
There are duplicate entries in your password manager
OK, I lied above. It’s not completely true that “If the same password shows up in multiple entries in your password vault, then you’re reusing that password on different services.”
Sometimes duplicate entries get created for the same site. Though it shouldn’t be frequent, there are a variety of reasons this can happen.
When it does, it’s not “at risk” at all.
All you can really do is look at the duplicate entries and see if you need all of them. Delete some or just ignore the warning for that specific site.1
How quickly do you need to act?
Six hundred “at risk” passwords is a lot. Aside from the duplicate-entries issue, in theory, yes, you should change them all, or at least resolve whatever issue was indicated.
In practice… no way.
Just… no. Not all of them, and not right away.
I have many reported in mine as well. What I do varies based on the importance of the account and my own convenience.
For me, that generally means:
- Change anything you consider important as quickly as you can. Banks, critical email accounts, perhaps social media accounts, and the like.
- As you use them, change any that have re-used passwords as time permits.
- As you use them, change any reported in breaches as time permits.
- Change anything else that needs changing or cleaning up as time permits.
And yes, “as time permits” could take months or longer for 600 passwords. Just prioritize what’s important.
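To make the three “at risk” reasons above and the prioritization list concrete, here is an added example (not LastPass code or anything from this article) that runs the same checks over a small constructed vault: it separates real reuse across different sites from duplicate entries for the same site, and then orders the findings the way the list above suggests. The breach corpus, the sample entries, and the set of “important” sites are all assumptions made up for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (not real credentials): (site, username, password)
VAULT = [
    ("bank.example", "leo", "97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2"),
    ("shop.example", "leo", "97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2"),  # same password, second service: reuse
    ("mail.example", "leo", "correct horse battery staple"),
    ("mail.example", "leo", "correct horse battery staple"),  # same site twice: duplicate entry, not reuse
    ("forum.example", "leo", "hunter2"),
]

# Constructed stand-in for a breach dataset: SHA-1 digests of passwords known to be exposed.
# A real vault consults a large breach corpus; here only "hunter2" is marked as breached.
BREACHED_SHA1 = {hashlib.sha1(b"hunter2").hexdigest().upper()}

# Assumption: the accounts the user considers critical (banks, primary email, ...)
IMPORTANT_SITES = {"bank.example", "mail.example"}


def assess_vault(vault, breached=BREACHED_SHA1):
    """Return {site: set(reasons)}, reasons being 'breached', 'reused' or 'duplicate'."""
    by_password = defaultdict(list)          # password -> list of sites using it
    for site, _user, password in vault:
        by_password[password].append(site)

    findings = defaultdict(set)
    for password, sites in by_password.items():
        distinct_sites = set(sites)
        digest = hashlib.sha1(password.encode()).hexdigest().upper()
        for site in distinct_sites:
            if digest in breached:
                findings[site].add("breached")       # exposed somewhere: change it regardless of strength
            if len(distinct_sites) > 1:
                findings[site].add("reused")         # one password on several services
            if sites.count(site) > 1:
                findings[site].add("duplicate")      # same site listed twice: cleanup, not a real risk
    return dict(findings)


def action_plan(findings, important=IMPORTANT_SITES):
    """Order sites as the article suggests: important accounts first, then reused, then breached, then cleanup."""
    def rank(item):
        site, reasons = item
        urgent = "breached" in reasons or "reused" in reasons
        if site in important and urgent:
            return (0, site)
        if "reused" in reasons:
            return (1, site)
        if "breached" in reasons:
            return (2, site)
        return (3, site)                             # duplicates only: tidy up as time permits
    return [site for site, _ in sorted(findings.items(), key=rank)]
```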
The most important takeaways from this are:
My guess is that with 600+ “at risk” passwords, you’ve been re-using ’em. That’s a habit to break.
Footnotes & References
1: That’s the situation I’m sometimes in when the vault entries for a website and its corresponding mobile app have separate entries. Oh well.