ELI5: Why is it necessary to change email passwords if that email was breached from a completely different website?

I never understood this. If my email (gmail as an example) got leaked among other thousands or millions of emails from a data breach from a website that I’ve signed up in, why then would I need to go to Google website and change my password if I would be using different passwords for these separate websites?

Or perhaps I answered my own question? Is it on the off chance that I or someone else *would* be using the same password across multiple websites? Should any actions then be brushed off if I *do* use different passwords?

4 Answers

Anonymous 0 Comments

You are exactly right. Many people use the same, or similar, passwords across every account. So you are told to change them all, as well as having unique passwords for each account.

Anonymous 0 Comments

If you do use different passwords, as in completely different passwords, you’re pretty safe on other websites. Or at least, as safe as before the leak. A lot of people don’t though. They either re-use passwords, or have a certain “style” or variation of the same password that they use, which makes it very easy (in the former case) and potentially not very challenging (in the latter case) to break into other accounts if you know this person’s actual password.

Here’s the thing, depending on what tools the person has to crack passwords, you can generate *millions* of variants per second/minute/whatever, and if they have a way to test if they’re correct, that’s a huge problem. For short passwords, this can mean they can generally find it quickly knowing nothing about said password. A smarter approach, however, is to have structured guesses for these millions-at-a-time. Words and word variants, common things people do, and so on. Somewhere out there are lists of actual passwords people used from past breaches, and from that you get structured guessing that is *very good* at picking up even longer passwords, or passwords people think are cleverly hard. Turns out common word modifications, symbols, character replacements, text-number-patterns, and so on are pretty identifiable when you get enough data of what people do.

The easiest route is always to just test the common ones, though, or ones linked to that account found leaked on another site. Maybe with variants, but, yeah.

A bigger concern, though, might be if an email account is breached, since that is sometimes the fallback for other websites. So accounts using that email for reset could just be breached without knowing the password, via a password reset through that same email, etc.
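An added example (not from this thread) of the defensive counterpart to the "style variation" point above: a service-side check that rejects a new password when it is the same as, or a trivial variant of, a password already exposed for that account. The breached list and the substitution table are constructed assumptions.

```python
import re

# Constructed sample: passwords seen in past breaches for one account
# (hypothetical data, not from any real breach).
BREACHED_FOR_ACCOUNT = ["Summer2019!", "hunter2", "password"]

# Common single-character substitutions people use to disguise a reused
# password (assumed table, not exhaustive).
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Trailing digits/symbols such as "2023!" that people bolt onto a root word.
TRAILING_JUNK = re.compile(r"[^a-z]+$")


def normalize(password: str) -> str:
    """Reduce a password to its root so trivial variants collide.

    "Summer2019!" -> "summer", "P@ssw0rd!" -> "password". Order matters:
    strip the trailing junk first, then undo substitutions, so a trailing
    "1" is not turned into an "i" and kept.
    """
    p = password.lower()
    p = TRAILING_JUNK.sub("", p)
    return p.translate(SUBSTITUTIONS)


def is_near_reuse(new_password: str, breached_passwords) -> bool:
    """True if new_password equals, or is a trivial variant of, any password
    previously exposed for this account."""
    root = normalize(new_password)
    for old in breached_passwords:
        if new_password == old:
            return True
        # Pure-digit passwords normalize to "", so only compare non-empty roots.
        if root and root == normalize(old):
            return True
    return False


def evaluate_password_change(new_password: str,
                             breached_passwords=BREACHED_FOR_ACCOUNT) -> str:
    """Decision a password-change endpoint could return for this account."""
    if is_near_reuse(new_password, breached_passwords):
        return "reject: same as or trivial variant of a breached password"
    return "accept"
```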

Anonymous 0 Comments

Email is a serious password to have stolen. Criminals could use your email to reset your passwords at other sites using poor “forgot my password” tools.

It’s true that you don’t have to change passwords if you use unique passwords on every other site, but you should check every one to make sure they haven’t changed any and locked you out of any of your other accounts. Run through everything to make sure your passwords still work and they haven’t done anything nefarious elsewhere.

Anonymous 0 Comments

Judging from experience, I’d say 99.9% or more reuse passwords in some form, and actually... I think that number might be a conservative guess.