Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?
There's a lot of news right now about haveibeenpwned, but I don't understand why people need a service like that in the first place. If you're a security-conscious user, you'd change your passwords regularly on any website that matters (banking, email, paid services), and thus leaks would not affect you in the first place.
So why are people so interested in using haveibeenpwned? Why not follow the right security practices regardless of any leaks?
have-i-been-pwned
edited 57 mins ago by Glorfindel
asked 4 hours ago by JonathanReez
I think what you're asking has to do with using, for example, a new randomly generated password on your own volition, NOT the outdated IT policy forcing users to set a new password regularly. These are very different practices. The former is still very much advised. You may want to call this out specifically.
– Matthew FitzGerald-Chamberlain
7 mins ago
3 Answers
Changing passwords often is not considered a best practice anymore.
People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security-conscious user, but the information is valuable to all users because, regardless of your password-age practice, the password should be changed immediately upon knowledge of a breach.
answered 3 hours ago by they
Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.
– JonathanReez
2 hours ago
This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."
– they
2 hours ago
Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.
The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.
HIBP gives that notification of compromise.
answered 1 hour ago by Rory Alsop♦
There's an option to monitor entire domains. This is very useful, as not everyone in the company is equally aware or cares as much. With such a notification, as an administrator, you can e.g. force additional password changes for users with newly leaked passwords.
Also, increasing awareness is important in itself.
answered 3 hours ago by Esa Jokinen
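The administrator workflow this answer describes, as an added Python example that is not part of the original answer or of HIBP's own tooling: given a domain-wide notification and the directory's record of when each user last set a password, it decides who must be forced to change, who only needs to be told, and which addresses need a manual look. The notice and directory layouts, the sample addresses and the dates are all constructed for this example; a real HIBP domain notification is not assumed to have this shape.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BreachNotice:
    """One entry of a domain-wide breach notification (constructed layout)."""
    email: str
    breach: str
    breach_date: date       # date the breached site's data was taken
    passwords_leaked: bool  # whether the leaked data included passwords


@dataclass(frozen=True)
class UserRecord:
    """What the company directory knows about an account (constructed layout)."""
    email: str
    password_set_on: date   # date of the user's most recent password change


def normalize(addr: str) -> str:
    """Canonical form for matching: breach data varies in case and whitespace."""
    return addr.strip().lower()


def triage(notices, directory):
    """Sort notices into the actions an administrator would take.

    Returns three dicts mapping address -> list of breach names:
      force_reset: passwords were leaked and the user's current password was
                   set on or before the breach date, so it may be the leaked one
      awareness:   the address appeared, but either no passwords leaked or the
                   user already changed theirs after the breach; inform them
      unknown:     address not in the directory (alias, ex-employee); needs a
                   manual look rather than an automatic action
    """
    by_email = {normalize(u.email): u for u in directory}
    force_reset, awareness, unknown = {}, {}, {}
    for n in notices:
        addr = normalize(n.email)
        user = by_email.get(addr)
        if user is None:
            unknown.setdefault(addr, []).append(n.breach)
            continue
        # "<=" on purpose: a password set on the breach day may be in the dump.
        exposed = n.passwords_leaked and user.password_set_on <= n.breach_date
        bucket = force_reset if exposed else awareness
        bucket.setdefault(addr, []).append(n.breach)
    return force_reset, awareness, unknown


# Constructed sample input: a notification with four addresses from example.com.
NOTICES = [
    BreachNotice("Alice.Smith@Example.com ", "ExampleForum", date(2018, 6, 1), True),
    BreachNotice("bob@example.com", "ExampleForum", date(2018, 6, 1), True),
    BreachNotice("bob@example.com", "OldShop", date(2015, 2, 10), True),
    BreachNotice("carol@example.com", "Newsletter", date(2018, 9, 15), False),
    BreachNotice("dave@example.com", "ExampleForum", date(2018, 6, 1), True),
]

# Constructed directory: dave has left the company and has no record.
DIRECTORY = [
    UserRecord("alice.smith@example.com", date(2018, 1, 5)),  # set before the breach
    UserRecord("bob@example.com", date(2018, 7, 20)),         # changed after both breaches
    UserRecord("carol@example.com", date(2017, 3, 3)),        # old, but no passwords leaked
]


if __name__ == "__main__":
    reset, inform, review = triage(NOTICES, DIRECTORY)
    for addr, breaches in reset.items():
        print(f"FORCE RESET  {addr}: {', '.join(breaches)}")
    for addr, breaches in inform.items():
        print(f"INFORM ONLY  {addr}: {', '.join(breaches)}")
    for addr, breaches in review.items():
        print(f"REVIEW       {addr}: {', '.join(breaches)}")
```

Run it directly to print the three buckets. The date comparison is the point: a password set after the breach date cannot be the one in the dump, so forcing it to change again adds nothing and only trains users into the predictable patterns the other answers warn about, while an address with no password leaked still warrants a heads-up about phishing.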