Eli5 Why is it necessary to change email passwords if that email was breached from a completely different website?

I never understood this. If my email (gmail as an example) got leaked among other thousands or millions of emails from a data breach of a website that I’ve signed up on, why then would I need to go to the Google website and change my password if I were using different passwords for these separate websites?

Or perhaps I answered my own question? Is it on the off chance that I or someone else *would* be using the same password across multiple websites? Should any actions then be brushed off if I *do* use different passwords?

4 Answers

Anonymous

If you do use different passwords, as in completely different passwords, you’re pretty safe on other websites. Or at least, as safe as before the leak. A lot of people don’t though. They either re-use passwords, or have a certain “style” or variation of the same password that they use, which makes it very easy (in the former case) and potentially not very challenging (in the latter case) to break into other accounts if you know this person’s actual password.

Here’s the thing: depending on what tools the person has to crack passwords, you can generate *millions* of variants per second/minute/whatever, and if they have a way to test whether they’re correct, that’s a huge problem. For short passwords, this can mean they can generally find it quickly knowing nothing about said password. A smarter approach, however, is to have structured guesses for these millions-at-a-time: words and word variants, common things people do, and so on. Somewhere out there are lists of actual passwords people used from past breaches, and from that you get structured guessing that is *very good* at picking up even longer passwords, or passwords people think are cleverly hard. Turns out common word modifications, symbols, character replacements, text-number patterns, and so on are pretty identifiable when you get enough data on what people do.

The easiest route is always to just test the common ones, though, or ones linked to that account that were found leaked on another site. Maybe with variants, but, yeah.

A bigger concern, though, might be that if an email account is breached, sometimes that is the fallback for other websites. So accounts using that email for reset could just be breached without knowing the password, via a password reset through that same email, etc.
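The answer's point about password "styles" (same word with a different year, symbol, or leetspeak spelling) is exactly what a defender can check for at password-change time. The following is an added example, not code from the answer's author or from any real site: it normalizes a candidate password the way an attacker's mangling rules would undo it and compares it against passwords already seen in a breach. The leaked list and the set of substitutions are constructed stand-ins.

```python
import re

# Constructed sample: passwords tied to this user that turned up in an earlier
# breach of some other site (stand-in data, not a real dump).
LEAKED_PASSWORDS = {"sunshine1", "P@ssw0rd", "Fluffy2019!", "letmein"}

# A small, assumed subset of the "character replacements" the answer mentions.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to its word 'core' by undoing the usual mangling:
    case changes, appended/prepended digit-and-symbol runs, and leetspeak."""
    core = password.lower()
    # Drop leading/trailing years, counters and punctuation ("2019!", "#1").
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    core = core.translate(LEET_MAP)
    # An all-digit/all-symbol password has no word core; keep it as-is.
    return core or password.lower()


def build_index(leaked):
    """Map each normalized core to the leaked passwords that share it."""
    index = {}
    for pw in leaked:
        index.setdefault(normalize(pw), set()).add(pw)
    return index


def check_new_password(candidate, index):
    """Return ('reused', pw) if the candidate is itself a leaked password,
    ('variant', pw) if it differs only by mangling, else ('ok', None)."""
    matches = index.get(normalize(candidate), set())
    if candidate in matches:
        return "reused", candidate
    if matches:
        return "variant", sorted(matches)[0]
    return "ok", None


if __name__ == "__main__":
    idx = build_index(LEAKED_PASSWORDS)
    for pw in ["sunshine1", "Sunshine2024!", "Passw0rd#", "correct horse battery"]:
        print(pw, "->", check_new_password(pw, idx))
```

A real deployment would compare against a full breach corpus (ideally via hashed lookups) and a much larger rule set; the point here is that "Sunshine2024!" offers no protection once "sunshine1" has leaked.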