David Huerta

Senior Digital Security Trainer

[Image: A cheugy word frequency artwork popular in the late 2000s, featuring "password," "12345678" and "qwerty" prominently.]

Data breaches, and in particular those including personal passwords for websites or apps, are evergreen news stories that repeat themselves like an Advent calendar for cybersecurity failures. Although these breaches are a regular phenomenon, each one is trailed by a long, drawn-out window of time in which other attackers use the breached data to log in to affected accounts.

To minimize risk in that window of time, you should change your password with the breached service as soon as you reasonably can. While you’re at it, it may be good to check for other breaches that affect your accounts. Using security researcher Troy Hunt's haveibeenpwned.com, you can enter the email addresses you’ve used to register online accounts, and see other sites and services where you should consider changing your password.

[Image: Screenshot of haveibeenpwned.com with zuck@fb.com in the search field.]

Many websites and apps need to be able to check your password in order to verify that you’re the one logging in and not someone pretending to be you. As a result, they have to store your username along with a record of your password. Typically, that record will live in a database containing the passwords of every user of that service. This makes the database a valuable target for an attacker and, because of that, industry standards and guidelines aim to make it difficult for an attacker to read every password without also breaking into additional systems.

When you’re notified of a password breach, you may read something about “hashing” and “salting.” Sadly, this has nothing to do with cooking potatoes. Hashing means that data, in this case your password, was scrambled into a fixed-length chunk of encoded text using a mathematical hashing algorithm. The resulting hashes look like this:

Password text   Password hash (SHA-1 algorithm)
qwerty          B1B3773A05C0ED0176787A4F1574FF0075F7521E
12345           8CB2237D0679CA88DB6464EAC60DA96345513964
1234567         20EABE5D64B0E216796E834F52D61FD0B70332FC
111111          3D4F2BF07DC1BE38B20CD6E46949A1071F9D0E3D
123456789       F7C3BC1D808E04732ADF679965CCC34CA7AE3441
12345678        7C222FB2927D828AF22F592134E8932480637C0D
password1       E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D
password        5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
123456          7C4A8D09CA3762AF61E59520943DC26494F8941B
abc123          6367C48DD193D56EA7B0BAAD25B19455E529F5EE

This adds some protection to the list, since every hashed password in a breached database would need to be matched back to its original text before anyone knows what the actual password is. Hashing, however, is easily undone if an adversary already knows what password the hash was based on, because the same password always produces the same hash. If the hash for “password1234” is already known (it is) from a previous breach where you or someone else used the same password, then there’s no need for a computer to “crack” the password; it can just look it up in the list of known passwords from that breach, instantly.
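The lookup described above, as an added example that is not part of the original article: the ten passwords from the table are hashed once with unsalted SHA-1, and a constructed sample of breached rows (hypothetical usernames, not real data) is then checked against that list with a plain dictionary lookup. This is also how a defender auditing a copy of their own service's dump would find which accounts used a well-known password and need a forced reset.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# The ten passwords from the table above (all drawn from real breach statistics).
COMMON_PASSWORDS = ["qwerty", "12345", "1234567", "111111", "123456789",
                    "12345678", "password1", "password", "123456", "abc123"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password as upper-case hex, the format used in the table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_lookup_table(passwords: List[str]) -> Dict[str, str]:
    """Hash every known password once; afterwards each breached hash is a dict lookup."""
    return {sha1_hex(p): p for p in passwords}


def lookup(hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Return the password behind an unsalted hash if it is on the list, else None.
    No cracking happens here: the work was done when the table was built."""
    return table.get(hash_hex.strip().upper())


# Constructed sample of a breached user table (hypothetical users; not real data).
BREACHED_ROWS: List[Tuple[str, str]] = [
    ("alice", "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"),   # hash of "password"
    ("bob",   "7C4A8D09CA3762AF61E59520943DC26494F8941B"),   # hash of "123456"
    ("carol", sha1_hex("R7!vq2#Lp9zXw0Ka")),                  # a random one, on no list
]


def audit_breach(rows: List[Tuple[str, str]], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each username to its password when the hash is on the known list, else None."""
    return {user: lookup(h, table) for user, h in rows}


if __name__ == "__main__":
    known = build_lookup_table(COMMON_PASSWORDS)
    for user, found in audit_breach(BREACHED_ROWS, known).items():
        print(f"{user:6} -> {found if found else '(not in list)'}")
```

Only carol's account survives the lookup, and only because her password is not on the list; the hashing itself did nothing for alice or bob.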

[Image: A screenshot of hashcat running in a Gnome terminal, showing that it took 0 seconds to crack a hashed password.]

Using standard password cracking software, it took 0 seconds to correctly guess the password “letitia” from its hash.

This is one of many reasons why using the same password for multiple accounts is a dangerous habit. It only takes one breach (there has been more than one) for a password to become known to potential attackers, even when it’s hashed. In some cases, such as the 2011 Sony breach, there wasn’t even a need for attackers to decode hashes, because the passwords were stored in “plain text,” meaning anyone with a copy of the breached password database could read each password directly.

Despite the widespread neglect of modern data security practices, every now and then an online service will take additional steps to make it more difficult for potential attackers to decode their users’ passwords. One way they do this is by “salting” the password: a chunk of text is attached to the password before the combined text of the salt and password is hashed. This makes the hash harder to decode, since the hash of the password alone is no longer useful for looking up its value. Unfortunately, companies are rarely transparent about the security practices they use to protect passwords on their servers, giving users no means of assessing risk if a breach were to happen.
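Salting as it is usually implemented on the server side, shown as an added example rather than code from the article or from any particular service. It assumes what is standard practice: a fresh random salt per user from the operating system's entropy source, and a deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count is an assumed value) so that each guess costs real time. The last function shows why the lookup from the previous section stops working: a table keyed on the bare hash of "password" matches none of the stored records.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it until one hash costs
# roughly 100 ms on the machine that will verify logins.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt and stretch a password. Returns a self-describing record
    'pbkdf2_sha256$iterations$salt_hex$key_hex' so parameters can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per user, from the OS entropy source
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def unsalted_sha256(password: str) -> str:
    """What a precomputed lookup table is keyed on: the bare hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lookup_table_hits(records: List[str], known_passwords: List[str]) -> int:
    """Count stored records that a precomputed, unsalted table would match.
    With a per-user salt the answer is zero, even when the password is 'password'."""
    table = {unsalted_sha256(p) for p in known_passwords}
    return sum(1 for r in records if r.split("$")[-1] in table)


if __name__ == "__main__":
    first = hash_password("password")
    second = hash_password("password")
    print("same password, different records:", first != second)
    print("correct login accepted:", verify_password("password", first))
    print("wrong login rejected:", not verify_password("Password", first))
    print("lookup-table hits:", lookup_table_hits([first, second], ["password", "123456"]))
```

Two users who both chose "password" end up with different records, so an attacker holding the database has to run the slow hash separately for every user and every guess instead of looking each hash up once.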

Additionally, different types of adversaries may have different capabilities, and every journalist's scope of risk is unique to their work and their situation. Fortunately, it’s easy to make passwords that are exponentially more difficult to crack, regardless of your adversary’s computational capacity.

Uniqueness of your password is key, and one way to create a relatively unique password is to make it as random as possible. Of the millions of people who use “qwerty” as their password, hundreds may believe this was their original, random idea, but it only took “qwerty” being decoded from its hash once to make it vulnerable for everyone using that password. Similarly, even if, say, fewer than a hundred people may be using a clever lyric line or TV show quote, it still only needs to be decoded from its hash (or just viewed in plain text if they were a Sony PlayStation Network user in 2011).

In addition to uniqueness and randomness, the longer a unique password is, the stronger it is. A short password can be cracked easily by modern computers, which automatically try every possible combination of letters, numbers, and special characters of that length. As the password gets longer, the number of possible combinations grows exponentially. This is why a short, even unique-looking, seven-character password like "3%4,up9" can be cracked by an average computer in minutes, while a longer, unique 14-character password like "8fe;wuf487$sb0" would take centuries for the same computer to crack, and well beyond the lifetime of anyone using the fastest computers in existence to crack it, due to math.
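The math behind that claim, worked as an added example (not the article's own calculation, and not the model Bitwarden uses for its screenshots, so the figures differ from those shown). It assumes a brute-force attacker who tries every string over the smallest standard character set covering the password, at an assumed rate of ten billion guesses per second; both the rate and the character-class sizes are assumptions stated in the code.

```python
import math
import string

# Assumed attacker speed: 1e10 guesses per second, a hypothetical figure for an
# offline cracking rig against a fast unsalted hash. Adjust for your threat model.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Standard character classes and their sizes (26, 26, 10, 32).
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers the password.
    A brute-force attacker has to cover at least this set for every position."""
    if not password:
        raise ValueError("empty password")
    unknown = {c for c in password if not any(c in cls for cls in CHARACTER_CLASSES.values())}
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {sorted(unknown)}")
    return sum(len(cls) for cls in CHARACTER_CLASSES.values()
               if any(c in cls for c in password))


def search_space(password: str) -> int:
    """Number of candidate strings of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space; each extra character adds log2(alphabet) bits."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space, i.e. the attacker's worst case."""
    return search_space(password) / rate


def describe(password: str) -> str:
    secs = seconds_to_exhaust(password)
    if secs < 3600:
        when = f"{secs / 60:.1f} minutes"
    elif secs < SECONDS_PER_YEAR:
        when = f"{secs / 86400:.1f} days"
    else:
        when = f"{secs / SECONDS_PER_YEAR:,.0f} years"
    return (f"{password!r}: {len(password)} chars over {alphabet_size(password)} symbols, "
            f"{entropy_bits(password):.1f} bits, full search in {when}")


if __name__ == "__main__":
    for pw in ("3%4,up9", "8fe;wuf487$sb0"):
        print(describe(pw))
```

Both example passwords draw from the same 68-symbol alphabet (lowercase, digits, punctuation), so doubling the length from 7 to 14 multiplies the search space by 68 to the seventh power, which is what turns minutes into a span far longer than centuries.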

[Image: Screenshot of Bitwarden showing the password "3%4,up9" and indicating it would be cracked in 17 minutes.]
[Image: Screenshot of Bitwarden showing the password "8fe;wuf487$sb0" and indicating it would be cracked in centuries.]

Coming up with unique, randomly generated passwords of 14 or more characters for every single website and app we use, however, is an unrealistic expectation for any human's memory. Luckily, computers are here to automate these kinds of tasks for us.

Modern computers and smartphones have built-in ways of generating randomness, or “entropy,” to use for choosing each character of a password. These entropy sources are more reliable than the squishy neural networks we have between our ears, which are biased by a lifetime of memories and which unconsciously personalize what we think is random. Coming up with a long random line of numbers, letters, and whatever else each online service requires is easy for a computer to do. Password managers are apps that run on your computer, tablet, or smartphone to handle this for you. A good password manager will make creating secure passwords quick and easy, since most password managers can both generate a new password and automatically remember it so you don’t have to.
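What a password manager's generator does internally, as an added example that is not the article's code nor any particular manager's: each character is drawn from the operating system's entropy source through Python's `secrets` module (never the `random` module, which is seeded predictably), and candidates are redrawn until every character class the chosen alphabet offers is present, since many sites insist on that. The minimum length and the default alphabet are assumptions chosen to match the article's 14-character recommendation.

```python
import math
import secrets
import string

# Assumed default alphabet: 94 printable ASCII symbols, excluding space.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def generate_password(length: int = 14, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG (secrets.choice).
    Rejection-samples until every class present in the alphabet appears at least
    once, so the result passes typical 'must contain a digit/symbol' rules."""
    alphabet = "".join(sorted(set(alphabet)))  # no duplicate symbols biasing the draw
    if len(alphabet) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    required = [cls for cls in CHARACTER_CLASSES if any(c in alphabet for c in cls)]
    if length < max(12, len(required)):
        raise ValueError("too short; the article recommends 14 characters or more")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of randomness in a uniformly drawn password of this length."""
    return length * math.log2(alphabet_size)


def missing_classes(password: str, alphabet: str = DEFAULT_ALPHABET) -> list:
    """Which classes offered by the alphabet the password lacks (empty when valid)."""
    return [cls for cls in CHARACTER_CLASSES
            if any(c in alphabet for c in cls) and not any(c in cls for c in password)]


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw), len(DEFAULT_ALPHABET)):.1f} bits)")
    # A site that forbids symbols: shrink the alphabet and compensate with length.
    print(generate_password(20, string.ascii_letters + string.digits))
```

A 14-character draw from 94 symbols carries about 92 bits of entropy; the rejection step discards only a tiny fraction of candidates, so that figure is effectively unchanged. When a site bans symbols, the fix is a longer password from the smaller alphabet, not a shorter one.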

This is the best way to change the password on whatever online service got breached, but while you’re at it, you can start changing all your passwords to stronger ones using a password manager. Next time this happens you’ll at least have bought some time before having to change your password in the next breach. If you’re wondering which password manager to use, check out our guide on how to choose one.
