Your password was breached. Now what?

Data breaches, and in particular those including personal passwords for websites or apps, are evergreen news stories that repeat themselves like an Advent calendar for cybersecurity failures. Although these breaches are a regular phenomena, they are trailed by a long, drawn-out window of time where other attackers use breached data to log in to affected accounts.

To minimize risk in that window of time, you should change your password with the breached service as soon as you reasonably can. While you’re at it, it may be good to check for other breaches that affect your accounts. Using security researcher Troy Hunt's haveibeenpwned.com, you can enter the email addresses you’ve used to register online accounts, and see other sites and services where you should consider changing your password.

Many websites and apps need to be able to know what your password is in order to verify that you’re the one logging in and not someone pretending to be you. As a result, they have to store your username and password. Typically, your password will live in a database containing the passwords of every user for that service. This makes it a valuable target for an attacker and, because of that, industry standards and guidelines aim to make it difficult for an attacker to see every password without hacking into additional systems.

When you’re notified of a password breach, you may read something about “hashing” and “salting.” Sadly, this has nothing to do with cooking potatoes. Hashing means that data, in this case your password, was scrambled into a long, fixed-length chunk of encoded text using a mathematical hashing algorithm. The result — hashes, look like this:

This adds some protection to the list, since every hashed password in a breached database would need to be decoded before finding out what the actual password is. Hashing, however, is easily reversible if an adversary already knows what password the hash was based on. If the hash for “password1234” is already known (it is) from a previous breach where you or someone else used the same password, then there’s no need for a computer to “crack” the password — it can just look it up from the list of known passwords from that breach, instantly.

This is one of many reasons why using the same password for multiple accounts is a dangerous habit. It only takes one breach (there’s been more than one) for a password to be known to potential attackers, even when they’re hashed. In some cases, such as the 2011 Sony breach, there wasn’t even a need for attackers to decode hashes because the passwords were stored in “plain text,” meaning anyone with a copy of the breached password database could see each password text directly.

Despite the ubiquitous neglect of modern data security practices, every now and then an online service will take some additional steps to make it more difficult for potential attackers to decode their users’ passwords. One way they do this is by “salting” the password, so that there’s a chunk of text attached to the password before the combined text of the salt and password is hashed, making it more difficult to decode since the hash of the password alone won’t be useful as a means of looking up its value. Unfortunately, companies are rarely transparent about the security practices they use to protect passwords in their servers, giving users no means of assessing risk if a breach were to happen.

Additionally, different types of adversaries may have different capabilities, and every journalist's scope of risk is unique to their work and their situation. Fortunately, it’s easy to make passwords that are exponentially more difficult to crack, regardless of your adversary’s computational capacity.

Uniqueness of your password is key, and one way to create a relatively unique password is to make it as random as possible. Of the millions of people who use “qwerty” as their password, hundreds may believe this was their original, random idea, but it only took “qwerty” being decoded from its hash once to make it vulnerable for everyone using that password. Similarly, even if, say, fewer than a hundred people may be using a clever lyric line or TV show quote, it still only needs to be decoded from its hash (or just viewed in plain text if they were a Sony PlayStation Network user in 2011).

In addition to uniqueness and randomness, the longer a unique password is, the stronger it is. Cracking a short password can be done easily by modern computers by automatically trying all possible combinations of letters, numbers, and special characters of that length. As the password gets longer, the number of possible combinations grows exponentially. This is why a short — even unique-looking, seven-character password like "3%4,up9" can be cracked by an average computer in minutes while a longer, unique 14-character password like "8fe;wuf487$sb0" would take centuries for the sa3%4,up9me computer to crack, and at least beyond the lifetime of anyone using the fastest computers in existence to crack it, due to math.

Coming up with 14-plus character-length, unique, randomly generated passwords for every single website and app we use, however, is an unrealistic expectation for any human's memory. Luckily though, computers are here to automate these kinds of tasks for us.

Modern computers and smartphones have built-in ways of generating randomness, or “entropy” to use for choosing each character of a password. These entropy algorithms are more reliable than the squishy neural network computers we have between our ears, which are biased by a lifetime of memories and which unconsciously personalize what we think is random. Coming up with a long random line of numbers, letters, and whatever each online service requires is easy for a computer to do. Password managers are apps which can run on your computer, tablet, or smartphone to handle this for you. A good password manager will make creating secure passwords quick and easy, since most password managers can both generate a new password and automatically remember it so you don’t have to.

This is the best way to change the password on whatever online service got breached, but while you’re at it, you can start changing all your passwords to stronger ones using a password manager. Next time this happens you’ll at least have bought some time before having to change your password in the next breach. If you’re wondering which password manager to use, check out our guide on how to choose one.