Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?












2















There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in first place. If you're a security conscious user, you'd change your passwords regularly on any website that matters (banking, email, paid services) and thus leaks would not affect you in the first place.



So why are people so interested in using haveibeenpwned? Why not follow the right security practices regardless of any leaks?










share|improve this question

























  • I think what you're asking has to do with using, for example, a new randomly generated password on your own volition, NOT the outdated IT policy forcing users to set a new password regularly. These are very different practices. The former is still very much advised. You may want to call this out specifically.

    – Matthew FitzGerald-Chamberlain
    7 mins ago
















2















There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in first place. If you're a security conscious user, you'd change your passwords regularly on any website that matters (banking, email, paid services) and thus leaks would not affect you in the first place.



So why are people so interested in using haveibeenpwned? Why not follow the right security practices regardless of any leaks?










share|improve this question

























  • I think what you're asking has to do with using, for example, a new randomly generated password on your own volition, NOT the outdated IT policy forcing users to set a new password regularly. These are very different practices. The former is still very much advised. You may want to call this out specifically.

    – Matthew FitzGerald-Chamberlain
    7 mins ago














2












2








2


1






There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in first place. If you're a security conscious user, you'd change your passwords regularly on any website that matters (banking, email, paid services) and thus leaks would not affect you in the first place.



So why are people so interested in using haveibeenpwned? Why not follow the right security practices regardless of any leaks?










share|improve this question
















There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in first place. If you're a security conscious user, you'd change your passwords regularly on any website that matters (banking, email, paid services) and thus leaks would not affect you in the first place.



So why are people so interested in using haveibeenpwned? Why not follow the right security practices regardless of any leaks?







have-i-been-pwned






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 57 mins ago









Glorfindel

1,0411721




1,0411721










asked 4 hours ago









JonathanReezJonathanReez

1644




1644













  • I think what you're asking has to do with using, for example, a new randomly generated password on your own volition, NOT the outdated IT policy forcing users to set a new password regularly. These are very different practices. The former is still very much advised. You may want to call this out specifically.

    – Matthew FitzGerald-Chamberlain
    7 mins ago



















  • I think what you're asking has to do with using, for example, a new randomly generated password on your own volition, NOT the outdated IT policy forcing users to set a new password regularly. These are very different practices. The former is still very much advised. You may want to call this out specifically.

    – Matthew FitzGerald-Chamberlain
    7 mins ago

















I think what you're asking has to do with using, for example, a new randomly generated password on your own volition, NOT the outdated IT policy forcing users to set a new password regularly. These are very different practices. The former is still very much advised. You may want to call this out specifically.

– Matthew FitzGerald-Chamberlain
7 mins ago





I think what you're asking has to do with using, for example, a new randomly generated password on your own volition, NOT the outdated IT policy forcing users to set a new password regularly. These are very different practices. The former is still very much advised. You may want to call this out specifically.

– Matthew FitzGerald-Chamberlain
7 mins ago










3 Answers
3






active

oldest

votes


















2














Changing passwords often is not considered a best practice anymore.



People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.






share|improve this answer



















  • 1





    Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

    – JonathanReez
    2 hours ago






  • 1





    This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

    – they
    2 hours ago





















1














Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.



The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.



HIBP gives that notification of compromise.






share|improve this answer































    0














    There's an option to monitor entire domains. This is very useful as not everyone in the company are equally aware nor cares as much. With such notification, as an administrator, you can e.g. force additional password changes for users with new leaked passwords.



    Also, increasing awareness is important in itself.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201788%2fwhy-check-your-email-in-haveibeenpwned-rather-than-regularly-changing-your-passw%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      2














      Changing passwords often is not considered a best practice anymore.



      People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.






      share|improve this answer



















      • 1





        Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

        – JonathanReez
        2 hours ago






      • 1





        This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

        – they
        2 hours ago


















      2














      Changing passwords often is not considered a best practice anymore.



      People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.






      share|improve this answer



















      • 1





        Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

        – JonathanReez
        2 hours ago






      • 1





        This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

        – they
        2 hours ago
















      2












      2








      2







      Changing passwords often is not considered a best practice anymore.



      People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.






      share|improve this answer













      Changing passwords often is not considered a best practice anymore.



      People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is a security conscious user, but the information is valuable to all users because regardless of your password age practice the password should be changed immediately upon knowledge of a breach.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered 3 hours ago









      theythey

      1023




      1023








      • 1





        Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

        – JonathanReez
        2 hours ago






      • 1





        This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

        – they
        2 hours ago
















      • 1





        Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

        – JonathanReez
        2 hours ago






      • 1





        This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

        – they
        2 hours ago










      1




      1





      Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

      – JonathanReez
      2 hours ago





      Forcing people to change their passwords is not best practice anymore. Doing it by yourself is always good practice.

      – JonathanReez
      2 hours ago




      1




      1





      This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

      – they
      2 hours ago







      This has been discussed before: security.stackexchange.com/questions/186780/… Since it is stated well "The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords: 8.2.4 Change user passwords/passphrases at least once every 90 days. This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security."

      – they
      2 hours ago















      1














      Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.



      The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.



      HIBP gives that notification of compromise.






      share|improve this answer




























        1














        Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.



        The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.



        HIBP gives that notification of compromise.






        share|improve this answer


























          1












          1








          1







          Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.



          The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.



          HIBP gives that notification of compromise.






          share|improve this answer













          Changing passwords regularly actually tends to reduce security, as people end up using repeated patterns.



          The recommendations are to use strong passwords, unique to each service, and only change when a compromise is suspected.



          HIBP gives that notification of compromise.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 1 hour ago









          Rory AlsopRory Alsop

          56.8k11103296




          56.8k11103296























              0














              There's an option to monitor entire domains. This is very useful as not everyone in the company are equally aware nor cares as much. With such notification, as an administrator, you can e.g. force additional password changes for users with new leaked passwords.



              Also, increasing awareness is important in itself.






              share|improve this answer




























                0














                There's an option to monitor entire domains. This is very useful as not everyone in the company are equally aware nor cares as much. With such notification, as an administrator, you can e.g. force additional password changes for users with new leaked passwords.



                Also, increasing awareness is important in itself.






                share|improve this answer


























                  0












                  0








                  0







                  There's an option to monitor entire domains. This is very useful as not everyone in the company are equally aware nor cares as much. With such notification, as an administrator, you can e.g. force additional password changes for users with new leaked passwords.



                  Also, increasing awareness is important in itself.






                  share|improve this answer













                  There's an option to monitor entire domains. This is very useful as not everyone in the company are equally aware nor cares as much. With such notification, as an administrator, you can e.g. force additional password changes for users with new leaked passwords.



                  Also, increasing awareness is important in itself.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 3 hours ago









                  Esa JokinenEsa Jokinen

                  84138




                  84138






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201788%2fwhy-check-your-email-in-haveibeenpwned-rather-than-regularly-changing-your-passw%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Ponta tanko

                      Tantalo (mitologio)

                      Erzsébet Schaár