A password field of asterisks beside an open padlock.

No, deleting the account won't fix it

What a compromised password really means, and the hour it takes to sort.

Google flagged several of my passwords last week as compromised. I do security for a living. So let's get the awkward bit out of the way: yes, it can happen to anyone, and yes, it happened to me. Human mistakes are the easy ones to make.

The instinct is to delete the breached account and move on. That doesn't work, and understanding why is the whole point.

The account was never really the problem

The problem was never really the account that got breached. The problem is that I'd used that same password somewhere else. Once it's out, it's out: sitting on a list, being tried against every other service you own. Delete the one account and the password is still doing the rounds everywhere else you used it.

So the fix is boring: change that password everywhere you used it. Took me the best part of an hour. And here's the sting: the ones that bite you are the accounts you'd forgotten about. Some service you signed up to once, years ago, that seemed harmless. It gets breached, and suddenly everywhere you reused that password feels the contagion.

An hour well spent. But I'd rather not spend it again, and here's how you avoid it.

Use a password manager

The one built into your browser is fine: Chrome, Safari, Firefox, whichever you already use. Nothing is perfect, but it beats the alternative, which is trying to remember a few thousand passwords and inevitably taking shortcuts. That's not a character flaw. It's just how people work.

Let the manager generate the passwords: long strings of nonsense, a different one for every site. You never type them, so they can be as ugly as you like. You only need to remember one: the master password for the manager itself.

For that one, go long

The old advice about one number, one capital, one symbol is dated. Length wins now. A whole phrase beats a short clever word with basic misspellings ("5" for "s" or "0" for "o"):

Gimme-a-DELICIOUS-boa-constrictor-PLEASE!!!

(Don't use that one: it's in a blog post now, so it's already worthless. Which rather makes the point about anything public.)

Turn on two-factor everywhere it's offered

It's the belt to the password's braces: even if a password does leak, that second step usually stops anyone getting in.

That's it. One good phrase you remember, a manager doing the rest, two-factor where you can. Boring, and worth it.

If you'd like us to look over how your accounts and your site are set up, tell us about your site and we'll come back within a couple of working days.


Back to all posts