It’s a security feature introduced in many password managers, including the one I use, LastPass.
“At risk” can mean any of several different things. What you do next? Well, it depends.
Become a Patron of Ask Leo! and go ad-free!
Password At Risk
Password vaults report a password at risk if it’s been discovered in a breach, if you’re using a password for more than one service, or if you have duplicate entries for the same service. It’s important to not use discovered passwords and to use unique passwords everywhere. If you need to, begin a project to change and strengthen your passwords.
Let’s look at the three most common reasons your password vault assesses a password as at risk: breaches, repeated passwords, and duplicate entries.
Your password’s in a breach
Regardless of how good your password might be, if it was discovered in a breach, you should stop using it.
I mean that literally. Even if your password was 40 random characters — say 97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2 — but was exposed in a breach, you should stop using it.
Once in a breach, hackers will now include that password in their list of “passwords we know are being used somewhere, so we’ll try them everywhere.” When “everywhere” gets around to the service you used it at, your account could be compromised.
Change that password.
You’re re-using passwords
If the same password shows up in multiple entries in your password vault, then you’re reusing that password on different services. Stop that.
Once again, it doesn’t matter how good a password is. If you’re using 97Kkhfu3q62Am3KMZ47nmAuNbGH7j5UsGNuKFjn2 on more than one service, change it in enough places that you’re using it in only one.
The #1 way that accounts appear to be compromised of late is due to password reuse. Hackers discover a password, include it in their list of “password we know are being used somewhere, so we’ll try them everywhere.” For you, “everywhere” means any of the several different services where you happened to use it. Any or all of those accounts could be compromised.
Stop re-using passwords.
There are duplicate entries in your password manager
OK, I lied above. It’s not completely true that “If the same password shows up in multiple entries in your password vault, then you’re reusing that password on different services.”
Sometimes duplicate entries create get created for the same site. Though it shouldn’t be frequent, there are a variety of reasons this can happen.
When it does, it’s not “at risk” at all.
All you can really do is look at the duplicate entries and see if you need all of them. Delete some or just ignore the warning for that specific site.1
How quickly do you need to act?
Six hundred “at risk” passwords is a lot. Aside from the duplicate entries issue, in theory, yes, you should change them all, or at least resolve whatever issue indicated.
In practice… no way.
Just… no. Not all of them, and not right away.
I have many reported in mine as well. What I do varies based on the importance of the account and my own convenience.
For me, that generally means:
- Change anything you consider important as quickly as you can. Banks, critical email accounts, perhaps social media accounts, and the like.
- As you use them, change any that have re-used passwords as time permits.
- As you use them, change any reported in breaches as time permits.
- Change anything else that needs changing or cleaning up as time permits.
And yes, “as time permits” could take months or longer for 600 passwords. Just prioritize what’s important.
The most important takeaways from this are:
- Keep using strong passwords.
- Keep using unique passwords to every site.
My guess is that with 600+ “at risk” passwords, you’ve been re-using ’em. That’s a habit to break.
Here’s a habit to make instead: Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Download (right-click, Save-As) (Duration: 5:09 — 7.2MB)
Footnotes & References
1: That’s the situation I’m sometimes in when the vault entries for a website and its corresponding mobile app have separate entries. Oh well.
10 comments on “Why Is My Password Manager Telling Me I Have a Password at Risk?”
OH COME ON! 600 passwords?
Makes sense to me. I have hundreds myself. You don’t know how he uses the internet or what his needs might entail.
After reading this article, I checked LastPass and found I have about 250 passwords. I was able to delete 50 I don’t use anymore. Password managers keep passwords forever until you delete them, so it’s not inconceivable to have hundreds.
I’m using Bitwarden and am the administrator for the family organization. I haven’t looked to see if Bitwarden does this, but I’ve gotten into the habit of going into the vaults and looking for things such as duplicate entries and weak passwords using the tools provided.
One feature of Bitwarden is that I can add a URL to a pass card, as well as the main URL. If I’m using the Bitwarden app on my phone to log into a service, I can add the app URL to the entry in my vault, cutting down on the number of duplicates.
Depending upon how someone is using a password manager, having 600 at-risk passwords isn’t implausible. If one is acting as the family IT expert, there can be as many as 5 people in the organization. There 3 in mine and just counting the shared entries, I’ve got 220. And that’s not counting the personal vaults.
But if a password is protected by a 2FA, a breach shouldn’t be a problem
Am I wrong?
In theory you are not wrong. I would change the password anyway.
(Reply button still not working, so I’m going to stick this at the end.) I just checked: I have currently have 611 entries in my password manager.
Also . . . based on the password list of someone I know, it is sadly plausible that a person could have an entire database of sucky passwords. :(
Did you try to convince them of the danger. Show them this article:
How Do I Choose a Good Password?
Lastpass is going to lose a customer (paid) if they don’t correct the “password at risk” situation ..There are many times that I might use a duplicate password that does not compromise security.. Very annoying nag .
Seems like an easy thing to ignore. I know I do.