Summary
If you receive a notice from your device or password software indicating that your password has been found on the dark web, it may not mean that one of your own accounts specifically was hacked, but instead that generally speaking, you are using a password that is not sufficiently unique. It has been used by others, so it might be easily guessed. Read this document to learn more.
Data Breach Notifications
Password management software can alert you if websites you use are known to have had data breaches possibly impacting your login credentials.
If a data breach has occurred since you last changed your password for a specific website, you might get notified. This is a helpful feature that can make your accounts more secure.
Compromised Password Notifications
If you use an iPhone or iPad, you have an option to be notified if a specific password you use has been found in the dark web as part of a data leak. The dark web mostly consists of secure online clearing houses and markets for illegal services and products like drugs, stolen credit cards, or account logins. These lists of compromised passwords may also be provided to security services by the companies that have identified a leak.
You can find the login password alerts under Settings > Passwords> Security Recommendations. If the Detect Compromised Passwords feature is turned on, you’ll get realtime alerts on this page in settings for compromised passwords.
To get items removed from the list, use the built-in Safari browser on your iPhone or iPad to visit the site, login, change your password, logout, and then login again with the new password. At that point you’ll be given an opportunity to save your new password in Safari. Then the report in your phone will be updated and that entry will be removed from the report. If your Safari passwords are synced through the Apple iCloud service then you could change the password using Safari on your synched Apple computer.
How Does Password Reporting Work?
These Apple iOS devices have the ability to anonymously compare your passwords to those in these public databases. When a password you use shows up in the public directory, you are notified. When you first see these notifications on your iPhone about your passwords being part of data leaks, you may be alarmed and wonder how your passwords were made public.
This doesn’t necessarily mean that one of your own accounts was hacked, or that someone directly obtained your password through nefarious activities. It’s more likely that a common password, even a complex one, has been used by one or more other people in the world, and has been used in one or more of the billions of compromised accounts.
How Concerned Should You Be?
Someone trying to hack one of your accounts, not knowing which of the billions of (now public) passwords you might have personally used, would need to try every password, resulting in billions of failed login attempts. Yet, most accounts are locked down after even just a few failed login attempts.
Furthermore, even if someone has your personal list of logins, most accounts use dual authentication. So, without your smartphone to receive the random code sent by text message, they could not login even with the correct password.
Even for accounts that do not expressly have dual authentication setup, most account logins are smart enough to recognized your common devices used for logging in. You’ve probably seen a message when accessing some of your accounts that states, “This is the first time you’ve logged in from this browser. Please check your email for a message that will allow you to approve the login from this browser.” This is sort of a temporary dual authentication triggered by an unknown device or login location.
When you login to an account, the IP address (a unique number for your modem or access location) is logged. So, future logins from that IP address are considered less of a concern. An IP address may change, but not very often. So, it’s one good measure of user verification. Also, the browser you are using (Chrome, Firefox, Edge, Safari, etc.) is logged. If the IP address, browser, and other characteristics are constant, future logins are permitted. A login from a different IP address, and different browser, may not go through without the email authorization confirmation.
At Risk Assets
An example of an at-risk asset would be the following… Let’s say you have configured password security for a Microsoft Word document, and that document has been obtained by a hacker. The Microsoft Word software may not prohibit the number of login attempts. So, a hacker could try many passwords and probably at some point access your locked document. For a cost of about $700, the latest Apple Mac Mini computer with an M1 Chip has a computational power of 110 trillion operations in 10 seconds. With that kind of computational power, it would not take long to crack the access password for a file. For this reason, online accounts can be more secure if authentication is limited by login attempts and checked against various factors.
What Next
If you find that your passwords are sufficiently common that they are shared by other people in the world and showing up as compromised and publicly available on the dark web, you should probably change them. You’ll need to start using longer more creative and complex passwords.
If your passwords are too complex and hard to remember, that can make life difficult for you. There are many tricks and methods people use to create complex passwords that are easy to remember, such as using a familiar sentence and taking the first letter from each word. Try combining familiar numbers. Use special characters in a way that’s easy to remember.
Using password management software can help you create more complicated passwords and know that they will be saved in a secure way but easy to lookup when you need them.
