Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?

Your question contains several false assumption:

  • If you're a security conscious user, you'd change your passwords regularly on any website that matters

According to my password manager I have more than hundreds of accounts and most of them would do harm to me if compromised. Changing all of them regularly (like every 90 days) is a huge amount of work. So I use strong passwords generated by the password manager instead. But some services still save passwords in clear text.

  • and thus leaks would not affect you in the first place.

Let's say I would change every password every 90 days. There is still the possibility that there are 89 days where my account is compromised and the attacker has time to do anything including changing my password. When you know your account is in the list, you can act instantly.

See previous point.

  • So why are people so interested in using haveibeenpwned?

To know which accounts are affected and to figure out which service got hacked/where the accounts came from.

With this knowledge:

  • I can change the password instantly.
  • I know which service is less trustworthy for sensitive data, money, ... and I might close my activity at this service.
  • If this service has a messaging system I know to be more alert of messages from "friends" because the account might be stolen.
  • I know which of my data might be compromised (data at the hacked service).

Changing passwords often is not considered a best practice anymore.

People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.


Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.

The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.

HIBP gives that notification of compromise.

Tags:

Passwords

Password Policy

Have I Been Pwned

Related

Should ports be visible to nmap? Why is breach-detection site "Have I Been Pwned" considered safe? Proprietary RF Protocol Security Is the data between a keyboard and a web browser secure from local computer applications? As an end user, what risk is there in browsing a public website that uses TLSv1? How to connect a Raspberry Pi IDS to the home router to detect intrusions network wide? Is it worth storing email addresses as hashes? Let's Encrypt is based in the US and subject to US laws How does full disk encryption cater for overprovisoned disk space in flash devices and can this result in data leakage? Does the destruction of sensitive information limit the choice of hard drives to non-flash based devices? Why is Gbt3fC79ZmMEFUFJ a weak password? How do I monitor what a penetration tester is doing?

Recent Posts