Should You Be Concerned When a Company Asks You to Reset Your Password?
We try our best to keep Lifehacker readers informed about recent data breaches and security vulnerabilities that could have compromised their data, and any good website or service should tell you what’s going on too. Sometimes, though, you get an unexpected email saying your account credentials have been compromised, even when the company that sent it has not itself been breached.
What gives?
As internet security reporter Brian Krebs notes in a recent blog post, a company asking you to change your password does not necessarily mean that your account was specifically targeted, or that your data was taken from that company because of poor security on its part. It may simply be a proactive step the company is taking to help you keep your account secure.
Large companies routinely check passwords exposed in other sites’ breaches against their own user database. Properly stored passwords are not kept in plaintext but as salted hashes, so the comparison works the other way around: the company takes a plaintext password from a breach dump, runs it through the same hashing scheme (including the salt) it uses for the matching account, and checks whether the result equals the hash it has on file. If it does, that user has reused the leaked password, and they are asked to change it.
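The cross-check described above, as an added illustration that is not from the original article or from any particular company’s code. It assumes a hypothetical user table that stores per-user salts and PBKDF2-HMAC-SHA256 hashes, and a constructed breach dump from an unrelated site listing email/plaintext pairs; real schemes (bcrypt, scrypt, Argon2) differ in detail but the logic is the same:

```python
import hashlib
import hmac
import secrets

# Hypothetical storage scheme for the example: PBKDF2-HMAC-SHA256 with a
# random 16-byte salt per user. Iteration count kept low so the demo runs fast.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a plaintext password under a specific user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(email: str, password: str) -> dict:
    """Create a user record the way a registration flow would (salt + hash only)."""
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user table for the company running the check.
USER_DB = [
    make_user("alice@example.com", "correct horse battery staple"),
    make_user("bob@example.com", "hunter2"),
    make_user("carol@example.com", "Tr0ub4dor&3"),
]

# Constructed breach dump from some unrelated site: (email, leaked plaintext).
THIRD_PARTY_DUMP = [
    ("alice@example.com", "sunshine1"),   # alice used a different password here
    ("bob@example.com", "hunter2"),       # bob reused his password: should be flagged
    ("dave@example.com", "hunter2"),      # not one of our users: ignored
    ("carol@example.com", "tr0ub4dor&3"), # differs in case only: not a match
]


def users_to_notify(user_db: list, dump: list) -> list:
    """Return the emails of users whose stored hash matches a leaked plaintext.

    Because every user has their own salt, the leaked plaintext must be
    re-hashed under each candidate user's salt; stored hashes cannot simply be
    compared with hashes from the dump.
    """
    by_email = {u["email"].lower(): u for u in user_db}
    hits = set()
    for email, leaked_plaintext in dump:
        user = by_email.get(email.lower())
        if user is None:
            continue  # the leaked account is not ours
        candidate = hash_password(leaked_plaintext, user["salt"])
        # Constant-time comparison, as for any password verification.
        if hmac.compare_digest(candidate, user["hash"]):
            hits.add(user["email"])
    return sorted(hits)


if __name__ == "__main__":
    for email in users_to_notify(USER_DB, THIRD_PARTY_DUMP):
        print(f"notify {email}: password reused in a third-party breach")
```

Only bob is flagged: alice used a different password on the breached site, dave is not a customer, and carol’s leaked password differs from her stored one by case, so the check correctly does nothing for her. In practice the notification email should never include the leaked password itself, and a company that could do this comparison hash-to-hash would be storing passwords unsalted, which is a far bigger problem than the reuse it is looking for.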
It is also important to note that these notifications are not the same as alerts about unrecognized login attempts or password reset requests you did not make, which indicate that someone is actively trying to get into your account. The latter requires a more urgent response, but both should be taken seriously: change your password and review your security settings when asked, and do so as soon as possible.
However, passwords by themselves are poor security measures. When you receive a notification from a company that your password has been compromised as a result of an unrelated data breach, consider this a great opportunity to brush up on the security of your password, as well as all the other security methods that can protect you:
- Use this guide for tips on creating strong passwords and make sure you use a completely unique password for each of your accounts. Generating all these different passwords takes extra work, of course, but it pays off. And if you’re worried about how to remember them all …
- … use an encrypted password manager or store them physically in a secure location.
- Even the most unique password can be stolen or leaked by accident. Luckily, you can check to see if your passwords have been stolen.
- Use 2FA / multifactor authentication whenever the option is available (here is a list of services that provide 2FA, as per Krebs’ blog post). This can stop someone from accessing your accounts or devices even if they have your password. Just make sure it is a real second factor, such as an authenticator app or a hardware security key, rather than a two-step verification scheme that only sends a code by SMS or email, which is much less secure.
- Keep in mind that many hacks start with physical access to a device or to login information. Use guest modes when letting others borrow your devices, if available, and beware of stalkerware and other types of spyware.
- Finally, sometimes these emails are themselves fake, with phishing links. Don’t click on suspicious links; if you want to change your password, go to the site directly by typing its address rather than following the link in the email. For more help, check out our guide to modern phishing attacks.