Password compromise: why it happens and how to make sure it doesn’t


Each year, NordVPN publishes a list of the 200 most used passwords based on a massive 3TB dataset from thirty countries. In 2022, “password” came out on top, painting a sobering picture of the state of password hygiene across the globe, especially given that 169 of the 200 contenders are estimated to take 1 second or less to figure out.

So what does “compromised password” mean, and how do passwords get compromised? How can you check whether a password has been compromised, and what immediate steps should you take if it has, to minimize the damage? We’re here to give you the answers, plus examples of hard-to-crack passwords as well as best practices for creating, storing, and sharing secure passwords.

What is a compromised password – and how common is it?

We consider a password compromised if it has appeared in a documented data breach and, as a result, has been published online or sold on the dark web. This is much more common than you might think.

According to research by password manager platform developer Dashlane, nearly 20% of passwords are hacked. The average password health score globally falls within the “needs improvement” range, which means that passwords might be weak, compromised, or reused.

What’s even more worrying is that globally more than half of passwords (51%) are reused, as shown by the same study. An average person in the US has 70-80 online accounts, so one compromised password could open the door for hackers to dozens of their accounts.

How do passwords get compromised? The top 5 methods explained

1. Credential stuffing

During a credential stuffing attack, the hacker crams stolen account credentials into the login pages of different websites and apps until an account unlocks. The reason why this so often works is, you guessed it, the frequency of recycled passwords. In fact, according to Verizon’s Data Breach Investigations Report, 61% of breaches involved credential data in 2021, with 95% of organizations that suffered credential stuffing attacks facing anywhere between 637 and 3.3 billion malicious login attempts.

2. Password spraying

Password spraying refers to a type of brute force attack where malicious actors test a single common password against several accounts on the same application, then move on to the next one. This tactic is another hacker-favorite because it eliminates the problem of account lockouts that regular brute-force attacks often run into as they try different passwords on a single account. Of course, the more predictable passwords users choose, the more vulnerable they become to password spraying campaigns.
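Both credential stuffing and password spraying leave the same footprint on the receiving end: one source touching many accounts with few tries each, staying under the lockout threshold. The following is an added detection example, not code from the original article; the log format, the 10-minute window, the five-account threshold and the lockout value of three are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, username, result):
# 203.0.113.5 sprays one guess across seven accounts; 198.51.100.9 hammers one.
SAMPLE_LOG = """\
2023-03-01T10:00:01 203.0.113.5 alice FAIL
2023-03-01T10:00:02 203.0.113.5 bob FAIL
2023-03-01T10:00:03 203.0.113.5 carol FAIL
2023-03-01T10:00:04 203.0.113.5 dave FAIL
2023-03-01T10:00:05 203.0.113.5 erin FAIL
2023-03-01T10:00:06 203.0.113.5 frank FAIL
2023-03-01T10:00:07 203.0.113.5 grace SUCCESS
2023-03-01T10:05:00 198.51.100.9 alice FAIL
2023-03-01T10:05:30 198.51.100.9 alice FAIL
2023-03-01T10:06:00 198.51.100.9 alice SUCCESS
2023-03-01T10:07:00 192.0.2.77 bob SUCCESS
"""

def parse_log(text):
    """Parse the four-field lines above into (datetime, src, user, result)."""
    return [(datetime.fromisoformat(ts), src, user, result)
            for ts, src, user, result in (l.split() for l in text.splitlines())]

def find_sprayers(events, window=timedelta(minutes=10), min_accounts=5, lockout=3):
    """Flag sources whose attempts within `window` of their first event touch at
    least `min_accounts` distinct users while staying at or under `lockout`
    tries per user: many accounts, few tries each, is the spraying signature.
    Returns {src: {"accounts": n, "max_per_account": m, "hits": [users]}}."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = attempts[0][0]
        per_user = defaultdict(int)
        hits = []  # accounts the source got into: reset these first
        for ts, user, result in attempts:
            if ts - start > window:
                break
            per_user[user] += 1
            if result == "SUCCESS":
                hits.append(user)
        peak = max(per_user.values())
        if len(per_user) >= min_accounts and peak <= lockout:
            findings[src] = {"accounts": len(per_user),
                             "max_per_account": peak, "hits": hits}
    return findings
```

The single-account brute force from 198.51.100.9 is deliberately not flagged here; a per-account lockout already covers that case, which is exactly why sprayers spread their guesses out.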

3. Phishing

As we explained in a previous deep dive on phishing scams, phishing attacks typically start with an email that appears to be a run-of-the-mill blast from a legitimate business asking you to update or verify your personal information in a reply or on their website. At first glance, FBI experts explain, the web address might look familiar and the message genuine enough to convince you to oblige. But once you’ve clicked the link, you’ll land on a spoofed website whose sole purpose is to steal sensitive information – passwords included.

4. Keylogging

A keylogger, also called a keystroke logger or keyboard capture, is a type of surveillance technology for monitoring and recording each keystroke on a computer or smartphone. In essence, TechTarget points out, it’s the computing equivalent of a wiretap, which records keyboard activity instead of conversations. Once installed through malware, as they often are, software keyloggers will send the recorded keystrokes back to hackers, who can then use them to figure out which keystrokes spell out your passwords.

5. Shoulder surfing

The lowest-tech of all password hacking methods, shoulder surfing refers to someone physically viewing your device screen or keypad with the intent of obtaining personal information, such as a PIN code, credit card number or login credentials. This can be done in quite the literal sense, that is, peeking over the target’s shoulders, or using hardware like binoculars or a miniature video camera. In an NYU study, 73% of mobile users surveyed said they had observed someone else’s PIN, even though not necessarily with malicious intent.

Is my password compromised? How to find leaked passwords

That’s a reasonable question, considering that in 2021 alone more than 2 billion data records with usernames and passwords were compromised, according to a report by identity management solutions developer ForgeRock. Here’s a list of tools to check if yours has ended up in a data dump following a security breach.

1. Have I Been Pwned

Created by Australian security expert Troy Hunt in 2013, Have I Been Pwned (HIBP for short) is internet users’ go-to source to find out if their personal information has been leaked. Enter your email address or phone number to see if it’s been impacted by any known security incidents and to what extent, or you can sign up to be notified via email if your personal information appears in future dumps.
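Besides the website, HIBP exposes its Pwned Passwords data through a k-anonymity API: only the first five hex characters of the password’s SHA-1 hash are sent, and the match is made locally against the suffixes that come back. The code below is an added example, not HIBP’s own code; the `User-Agent` string is an assumption, and `SAMPLE_RANGE` is a constructed stand-in for the API response so the check runs offline.

```python
import hashlib
from urllib.request import Request, urlopen

def sha1_prefix_suffix(password):
    """Uppercase SHA-1 hex of the password, split into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def match_range(suffix, range_body):
    """range_body is the /range/{prefix} response: one 'SUFFIX:COUNT' per line.
    Returns how many times the password was seen in breaches, or 0."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix):
    """Live lookup against api.pwnedpasswords.com (no API key needed)."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "password-hygiene-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, range_fetcher=fetch_range):
    """Full k-anonymity check; pass a fake fetcher to test offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return match_range(suffix, range_fetcher(prefix))

# Constructed stand-in for the API response to prefix 5BAA6 (the SHA-1 of
# "password" starts 5BAA61E4...). The second suffix is the real one for
# "password"; the first suffix and both counts are made up for the test.
SAMPLE_RANGE = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
"""
```

Call `breach_count("your password")` to query the live API; the server never learns more than the five-character prefix, which is shared by hundreds of other hashes.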

2. Google’s Password Checkup tool

Chrome users can quickly find out if the passwords saved in their Google Account have been exposed, are weak, or are used for multiple accounts by carrying out a password checkup. Also built into phones that run Android 9 or higher, Google’s password health checker compares stored credentials against an online database of known data breaches and also tests new entries for matches.

3. Apple’s Security Recommendations

This iOS feature will alert you if any of your passwords are compromised, need strengthening or have been involved in a data leak. To enable the Security Recommendations, open Settings on your iPhone or iPad, tap Passwords, unlock, then tap Security Recommendations, and turn on Detect Compromised Passwords.

Once you’re done, you’ll see a list of high-priority and other recommendations. The former includes passwords that have appeared in a data leak and allows you to change them on the service’s website or delete them from your device. The latter lists passwords that should be changed because they’re reused or easy to guess.

What is a secure password? Definition, plus how to secure passwords

According to Cybernews’ definition, a secure or strong password is one that’s hard to both guess and crack using a brute force attack. Hackers test different combinations of letters, numbers, and symbols in search of the right password. Short and simple ones with nothing but letters and numbers in them will only hold the fort for seconds.

How to make a secure password? 5 key characteristics

To generate a secure password, make sure that:

  • it’s at least 12 characters long – the longer the better, really;
  • it has lowercase and uppercase letters, numbers and special characters;
  • it doesn’t contain any personal information, such as your name;
  • it isn’t used to log in to any of your other accounts; and
  • it doesn’t include memorable keyboard paths, such as “qwerty.”
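An added example, not from the original article, that turns the five characteristics above into a checker. Personal information and the passwords already in use are supplied by the caller, since only the user knows them; the US keyboard rows and the four-key minimum run for a “keyboard path” are assumptions of this example.

```python
import string

# US-layout keyboard rows used to spot walks such as "qwerty" or "asdf"
# (forwards or backwards); a run of 4 keys is the assumed threshold.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def has_keyboard_path(password, run=4):
    """True if any `run` adjacent keys on one row appear in the password."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in lowered or chunk[::-1] in lowered:
                return True
    return False

def policy_failures(password, personal_info=(), existing_passwords=()):
    """Return the characteristics the password fails; an empty list means it
    satisfies all five. personal_info holds strings like the user's name;
    existing_passwords holds passwords already used on other accounts."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    if not all(classes):
        failures.append("missing a character class (lower/upper/digit/symbol)")
    lowered = password.lower()
    # Ignore very short fragments so "a" or "li" do not trigger false matches.
    if any(info.lower() in lowered for info in personal_info if len(info) >= 3):
        failures.append("contains personal information")
    if password in existing_passwords:
        failures.append("reused on another account")
    if has_keyboard_path(password):
        failures.append("contains a keyboard path")
    return failures
```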

Secure password examples: password ideas and strong password examples

1. T3jMX-VLNho^!=cS

Why does it work? It contains more than 12 characters, including lowercase and uppercase letters, numbers and special characters, without any logical or recognisable pattern.

2. c|o|\|+5pen|>+oOmUcH

Why does it work? It’s a passphrase (“don’t spend too much”) tailored to the site it’s used for (e.g. eBay or Amazon) using mixed capitalization, special characters and numbers.

3. IHAv3@FeElinGvveR3n()T!nKAn$A5AnYm()re

Why does it work? It blends an easy-to-recall movie quote (“I have a feeling we're not in Kansas anymore.”) with random numbers, symbols, capitalization, and punctuation.

Secure password management: how to safely share and store a password

Sharing passwords might sound like a recipe for a cybersecurity disaster, but it doesn’t have to be. It’s also very common; members of a company’s social media team, for example, often take turns logging in to and posting on various corporate accounts.

How to share passwords securely? Use a secure password manager or a cloud service that provides end-to-end encryption.

Password managers are software applications that you can install on your devices and as a browser extension to securely store and manage all your online credentials in one place. They also come with a strong password generator and allow users to share username and password combinations with colleagues or entire teams. On top of that, they give admins insight into who accessed which passwords in the secure password vault and how strong the stored passwords are.

Often touted as the gold standard for securing communication, end-to-end encryption provides the highest level of data protection because it ensures that information gets encrypted before it leaves the sender’s device and remains encrypted until it reaches the intended recipient, leaving no room for unauthorized access. Cloud solutions that offer zero-knowledge encryption make it impossible even for the service provider to know anything about your encryption key or the data you’re sharing.

3 steps to take after your password has been compromised

It’s crucial that you immediately take action to secure your compromised passwords. Here are three things you should do if your password is found in a data breach.

1. Change the compromised password ASAP

Make sure that the new password is both strong and unique to the account you’re creating it for. If you’re using any variation of the stolen password on other sites, it’s a good idea to replace those as well.

2. Watch out for all suspicious activity

Keep an eye on the account that suffered the breach – but don’t stop there. Periodically check your debit and credit card statements for things like unfamiliar charges and get in touch with your bank if you see anything suspicious.

3. Enable multifactor authentication (MFA)

MFA-enabled online services ask for a combination of two or more authenticators for identity verification, significantly reducing the risk of compromised passwords, identity theft, and account takeovers.