author photo
By Chahak Mittal
Wed | Dec 6, 2023 | 11:38 AM PST

Passwords are like the keys to our online lives, guarding our personal information, financial accounts, and the very fabric of our digital identities. However, as data breaches become more common, leaked passwords have emerged as a major cybersecurity threat.

Imagine if the keys to your home were stolen and distributed among criminals. This is essentially what happens when passwords are leaked in data breaches. These leaked passwords become valuable assets for hackers, who can exploit them to gain unauthorized access to email accounts, online banking platforms, and other sensitive services.

The widespread use of weak or reused passwords further exacerbates the problem. According to a report by the U.S. National Institute of Standards and Technology (NIST), 61% of web users reuse passwords across multiple accounts. This practice makes it incredibly easy for hackers to compromise multiple accounts once they've obtained a single password.

Recognizing the severity of the issue, some websites have taken a proactive stance by implementing measures to prevent the use of known leaked passwords. These platforms acknowledge that user security extends beyond the strength of a chosen password and that protecting against leaked credentials is equally crucial.

Techniques used by websites include:

1. Password hashing and salting

Websites that prioritize security often employ advanced password hashing and salting techniques. Passwords are hashed, meaning they are converted into a unique string of characters that cannot be reversed to reveal the original password. Salting involves adding a random value to each user's password before hashing, adding an extra layer of protection.

2. Monitoring Dark Web databases

Some websites actively monitor Dark Web databases where leaked passwords are often traded or sold. By regularly checking these sources, platforms can identify compromised credentials and proactively prevent users from using them.

3. Real-time password checks

Progressive websites utilize real-time password checking tools that cross-reference entered passwords against databases of known compromised credentials. If a match is found, the user is prompted to choose a different, secure password. One common approach is to utilize Have I Been Pwned (HIBP), a free online service that maintains a database of known breached passwords. By comparing user passwords against the HIBP database, websites can identify and block any compromised credentials.

4. Two-factor authentication

Implementing two-factor authentication (2FA) adds an extra layer of security by requiring users to provide a second form of verification, such as a temporary code sent to their mobile device. Even if a password is compromised, 2FA acts as a robust defense mechanism.

Periodic password changes can have little or no positive impact on your organization's cybersecurity. This is because most password-based attacks have more to do with bad passwords, shared passwords, or technology-based compromises like phishing attacks or malware, and very little to do with password age. That's why it makes more sense for websites and organizations to strongly prevent the use of the leaked and vulnerable passwords.