If a company or website gets hacked, why does it matter how strong my password is? Isn’t it more important that I don’t re-use a password?

If a site gets hacked, am I at any sort of advantage by having a complicated password, or does it not really matter at that point?


If the website gets hacked and they can get the unencrypted passwords, it’s not really relevant how strong the password is. Strong passwords keep people out using the “manual” way of breaking into your account, aka guessing your password. This can either be a brute-force type attack or certain people who for whatever reason want to break into your account specifically.

The complicated password is so people don’t guess yours specifically.

If the site is hacked and password details leaked then your account is compromised regardless of how strong your password was.

You’re right about having different passwords.

So if you use a common password it’s easier for someone to hack your account; for instance, if your password is “password” instead of “/8)4&/‘hsujs23”, then it will be easier. They can use a rainbow table, which takes less computing power and time than a brute force attack. But you are mostly right about using different passwords. Having a password manager can be useful. But passwords are not a great source of protection for the attack you are describing.

Companies don’t store your password. They store a hash of it, which is a type of encryption (over-simplifying, I know). Hackers still don’t know your password, but they can guess passwords until they get the same hash to find it. If you use a really strong password they will probably never figure it out, so you will be OK. But if it’s a weak password they will figure it out pretty fast. If you never reuse passwords, though, it won’t affect you very much.

Any company worth its salt will store your password in a form called a hash. This is your password scrambled up and reduced in size with math, so it’s near impossible to get your original password back. The standard practice for hackers once they get the hash is to do the same math on all sorts of different passwords to see if your hash comes out. This is the reason you have complicated passwords. More possible different passwords make this so much more difficult.

So once they plug the hole in their security, the hackers won’t be able to just log in using your password. They wouldn’t have figured it out.

It’s very rare for hackers to directly get your password. Any decent website doesn’t actually store your password; they store a “hashed” version of it. This is why when you hit “forgot my password”, the website has you reset your password instead of just sending you your password: the website doesn’t actually know your password.

So, if a site gets hacked, and the hackers get the hashed version of your password, they can’t actually use it to log in. However, they can try to guess your password, and they’ll know they guessed correctly if their guess has the same hash as the hashed version they got from hacking. This lets them try millions of guesses per second, so they’ll start by guessing millions of simple passwords. But if your password is complicated, they probably will never guess correctly, because there are trillions of trillions of possible complex passwords.
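The two replies above describe the attacker’s situation in words: a leaked hash cannot be used to log in, but it can be tested against guesses at very high speed. The following is an added example, not code from this thread. It is entirely constructed: the “site” stores a plain SHA-256 of the password (no salt, no slow key-derivation), which is the simplified model the replies assume, and the leaked table and wordlist are tiny stand-ins for real ones. The strong password is the one the earlier reply used.

```python
# Added example (not from the thread): what a leaked password *hash* gives an
# attacker. Everything here is constructed: the "site" stores plain SHA-256 of
# the password (no salt, no slow KDF), which is what the replies above assume,
# and the leaked table and wordlist are tiny stand-ins for real ones.
import hashlib

def store_password(password: str) -> str:
    """What the site keeps instead of the password: a one-way hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_login(stored_hash: str, attempt: str) -> bool:
    """The site never 'decrypts'; it re-hashes the attempt and compares."""
    return store_password(attempt) == stored_hash

# Constructed leaked database: username -> stored hash.
LEAKED = {
    "alice": store_password("password"),
    "bob":   store_password("Summer2020"),
    "carol": store_password("/8)4&/'hsujs23"),   # the thread's example of a strong one
}

# Constructed attacker wordlist, standing in for the 'millions of simple
# passwords' real cracking tools start with.
COMMON = ["123456", "password", "qwerty", "summer2020", "letmein"]

def mutations(word: str):
    """Cheap variants cracking rules try: capitalised, common suffixes."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix

def crack(leaked: dict, wordlist: list) -> dict:
    """Offline guessing: hash each candidate and look it up among the leaked
    hashes. Because the hashes are unsalted, one guess is checked against
    every user at once. Returns user -> recovered password."""
    by_hash = {h: user for user, h in leaked.items()}
    found = {}
    for word in wordlist:
        for guess in mutations(word):
            user = by_hash.get(store_password(guess))
            if user is not None:
                found[user] = guess
    return found

def worst_case_years(length: int, alphabet_size: int = 95,
                     guesses_per_second: float = 1e9) -> float:
    """Years to try every password of this length from a printable-ASCII
    alphabet at the given guess rate (the 'trillions of trillions' point)."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print(crack(LEAKED, COMMON))        # alice and bob fall, carol does not
    print(f"13 chars: {worst_case_years(13):.2e} years")
    print(f" 6 chars: {worst_case_years(6):.2e} years")
```

Running it recovers alice’s and bob’s passwords from a five-word list (bob’s only because the capitalised variant is tried), while carol’s never matches; exhausting every 13-character printable password at a billion guesses per second takes on the order of a billion years, whereas six characters take seconds. One caveat that goes beyond the thread: a real site should not store a bare SHA-256. A per-user salt stops one guess being checked against every account at once (and defeats precomputed rainbow tables), and a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2 cuts the attacker’s guess rate by orders of magnitude.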

Considering all of this, how come I have had a nonsense password hacked before? Luck?

Some shitty websites will store your password in plain text, but any good/legit website won’t. So if you use the same password on all websites, then yes, it doesn’t matter how good your password is if the plain-text website gets hacked. Good/legit websites store the password’s hash, which is your password after running it through a bunch of math (i.e. encryption). Since most websites use common encryption methods, the hackers can reverse engineer what your password is by guessing the encryption method and seeing if they can match the hash. The more common a password is, the more likely they are able to match the hash.

So yes, it’s best to use a combination of a strong password and also not reusing your passwords.

TIL that hash is much more than a delicious breakfast food. Thanks for the great responses everyone!

All answers about hash are great, BUT you still should use different passwords and not re-use them.

Some companies handle their security poorly and don’t hash the passwords properly (for example, if a company sends your previous password by email when you ask for a forgotten password, that’s a HUGE red flag). There are also other ways to obtain your password (e.g. phishing, finding it from the hash by chance)…

TL;DR : it’s still better practice to not re-use passwords.

Just for info: if one’s PC was hacked then honestly there’s no point in how strong your password is; hackers can retrieve it. Keyboard logger, etc., many possibilities.

I know this is asking about if a website got hacked; just FYI 🙂

20yr Sysadmin & IT Lead here.

You say “hacked” but it’d be a lot more common to say “guessed the password”. More often than not, the media portrays a “hack” as some edge-lord 19yo in a dark room wearing a trenchcoat, staring at a screen covered in green text as they tap furiously on the keyboard at 3am. What they don’t show is the reality, which is either as below, or that someone has a really, really stupid password that can be guessed from their public Facebook profile (name of their first child, their own name, maiden name, name of the road they live on, etc) often with just a capital at the start and the ‘o’ replaced with zero.

What often actually happens is that some “real hacker” somehow pulls the database of usernames, emails and passwords from a website. This usually happens because the site’s admins (possibly because they don’t care, possibly because they’re inept, probably because they’re underfunded) are using an outdated piece of software with a known vulnerability. The real hacker connects to that site, executes some known hole, and walks away with a database of users’ details which they can sell to someone else. This is a simplified version of things like the “big LinkedIn” breach from a few years back, so we’ll use that as our example.

The problem is that users often use the same password for everything, their corporate account, their eBay, their PayPal, their LinkedIn, the crappy hobby-forum they go on to discuss “flower pressing” or something. Dave who runs the flower press website (who “isn’t an IT guy” by his own admission) likely only just managed to get it online 7 years ago and hasn’t touched it since as he’s scared of breaking it, so it’s very out of date.

Someone now buys that database, in our example the LinkedIn one. In it is a big list of 117 million email addresses and passwords (including police, politicians, etc.). They then create a small bit of software and point it at eBay, for instance. The software tries each line in turn and uses the email and password it already knows from the database, seeing if it works there. It marks each one that works so a human can come back later and buy things that are charged to the account user.

This also happens with work. Someone recognises the 1,000 politicians in the data leak, goes to their company websites and tries their logins. Surprisingly, a large number work. The attacker logs on via your VPN or to your OneDrive and pulls off all the files they can to go through later. Some may not be interesting but some may be Intellectual Property such as information about the new COVID vaccines (I’m looking at you, Russia), legal info or commercially sensitive information that can let you make a killing on the stock market.

FWIW, you can see what accounts your email addresses have been a part of by going to the perfectly safe (feel free to corroborate this elsewhere) website [Have I Been Pwned](https://haveibeenpwned.com/). To help, I’ve had my address for 24 years now and am present in 11 breaches.

The point here is that it’s important not to use the same password everywhere and not make it basic or dumb.

Usually, a website will use a “hash” to store your password.

A “hash” is a math problem, that is easy to do, always yields the same result for the same input, and is basically impossible to undo.

The site checks your password by taking the “hash” of it and comparing it to the “hash” it stored.
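The sysadmin’s post above describes credential stuffing in prose (take a plaintext dump from one breached site, replay every email/password pair against another site, keep whatever logs in), and the last post describes how a properly built site verifies a login by re-hashing. The following added example, which is not code from this thread, puts both together. Everything in it is constructed: the dump from “site A”, the users of “site B”, their passwords, and site B itself, which is simulated in-process with salted SHA-256 hashes so that nothing touches the network.

```python
# Added example (not from the thread): the credential-stuffing loop the
# sysadmin's post describes, run against a constructed second site that does
# what the last post says a site should do: store a hash and verify by
# re-hashing. No network access; "site B" is simulated in-process and the
# "site A" dump, users and passwords are all made up.
import hashlib
import hmac
import os

class SiteB:
    """An unrelated website that stores only salted hashes of passwords."""

    def __init__(self):
        self._users = {}   # email -> (salt, hash)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        # Easy to compute, same output for the same input, not reversible.
        # The per-user salt makes two users with the same password hash
        # differently, so cracking one hash does not unlock the other.
        return hashlib.sha256(salt + password.encode()).digest()

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, self._hash(salt, password))

    def login(self, email: str, password: str) -> bool:
        """Verify by re-hashing the attempt and comparing to the stored hash."""
        rec = self._users.get(email)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(salt, password))

# Constructed dump from breached "site A", which stored passwords in plain text.
SITE_A_DUMP = [
    ("dave@example.com",  "Daisy2013!"),
    ("erin@example.com",  "correct horse battery staple"),
    ("frank@example.com", "hunter2"),
    ("grace@example.com", "no-account-on-site-b"),
]

def build_site_b() -> SiteB:
    b = SiteB()
    b.register("dave@example.com",  "Daisy2013!")        # reused from site A
    b.register("erin@example.com",  "q7R!xM2#vLp9wT4z")  # unique, from a password manager
    b.register("frank@example.com", "hunter2")           # reused from site A
    return b

def credential_stuff(site: SiteB, dump) -> list:
    """Try each leaked (email, password) pair on the other site and return the
    accounts it opened: exactly the users who reused their site-A password."""
    return [email for email, pw in dump if site.login(email, pw)]

if __name__ == "__main__":
    print(credential_stuff(build_site_b(), SITE_A_DUMP))
```

Site B did everything right (hashed, salted, constant-time comparison) and still loses dave’s and frank’s accounts, because the attacker never needed to crack anything: the plaintext came from site A and the passwords were reused. Erin, whose site-B password is unique, is untouched even though her site-A password is in the dump. Beyond what the thread says, this is also why defenders watch for a burst of failed logins spread across many distinct accounts from one source, and why a second factor blunts the attack even when the password is known.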