69

I recently received an email from a well-known company stating that the password I use is weak and can be easily guessed.

The email seems legit, with no attempt to steal information; they only say "log into your account and go to account->account details to change your password", with no link that they could fake or anything.

  • How do they know that my password is weak?
  • Aren't they supposed to not know my password, because it is encoded when they save it?
  • Should I be concerned about the way they handle my information?

The company the email is from is a pretty major and well-known company. I have not used their service or logged in for a few months.

schroeder
darnok
  • 51
    Github^H^H^H^H^H^H A well known company is known to use the PwnedPasswords API from HaveIBeenPwned, and has been sending out legitimate emails over the past several weeks. They check your password when you log in, do not store it in plaintext, and flag your account until you change your password. Use a password manager and select a random, unique password for each site that you're able to. – Ghedipunk Oct 23 '19 at 19:07
  • 1
    Reason for concern? Only if it is from your own account. – Peter - Reinstate Monica Oct 24 '19 at 13:54
  • 15
    What does "Github^H^H^H^H^H^H" mean? – Nathan Hinchey Oct 24 '19 at 16:58
  • 37
    @NathanHinchey ^H stands for the backspace character, so the comment is supposed to look as if Ghedipunk first wrote "Github", then decided to delete the name and write "a well known company" instead, as in "I don't want to tell you who did it, but .... ah, who cares, I'll tell you anyway" – Hagen von Eitzen Oct 24 '19 at 18:06

3 Answers

147

They do not need to be able to read your password to test it against known weak and guessable passwords. All they need to do is to try all the guessable passwords against your password. It can be properly hashed and salted, as they are supposed to do.

They can do this quickly because they have legitimate access to the password hashes and can simply have tests running in the background. There are even services out there for companies to use that hold leaked passwords from other known leaked password databases.

Of course, once they test it, then they might know what your password is (depending on how they tested it), but then, so can attackers using the same method.

So, there is no indication of improper password handling. No reason for concern. But, if their automated testing found it, then your password is probably very guessable and should be changed as soon as possible.

schroeder
  • 2
    Shroeder nailed it with this answer. You may also want to take a look at the full headers of the email that you received to see if any SPF or DKIM checks passed. If the headers show that these checks passed, then it's unlikely that the email was spoofed. – mti2935 Oct 23 '19 at 13:58
  • 1
    Even if the email was spoofed, rotating your password periodically and making sure it is something strong is just a good idea anyway. Just make sure you do so using the company's actual website and not through any link included in the email. – Seth R Oct 23 '19 at 19:01
  • 3
    just to make clear that they do not even need to attempt to login with these weak passwords on your account: they can simply generate the hashes of all "weak" passwords and send an email to anyone that has a matching hash in the db. – Frank Hopkins Oct 23 '19 at 22:19
  • 110
    "Your password is easy to crack" "How do you know?" "Well, we cracked it." – corsiKa Oct 24 '19 at 01:02
  • 5
    @FrankHopkins That only works for unsalted hashes, which would still be concerning since it means that they don't follow basic security standards. – Morfildur Oct 24 '19 at 05:17
  • @Morfildur true in the sense that they cannot use the same hash for every account, but the main point I wanted to make was that they do not need to attempt a login nor be sure they found your password (hash collision still possible even though potentially unlikely dep. on hashing method) – Frank Hopkins Oct 24 '19 at 09:28
  • 5
    @SethR Rotating your password periodically is bad advice. It does not strengthen security, and may weaken it. Making sure your password is strong is of course, excellent advice. – Martin Bonner supports Monica Oct 24 '19 at 10:26
  • 1
    @martinbonner I think you got things confused. Forcing password changes on a tight schedule leads to insecure password choices. Changing your passwords to strong passwords periodically is good advice. – schroeder Oct 24 '19 at 10:45
  • 1
    @schroeder Changing passwords once to strong passwords is good advice. There is minimal benefit to changing them again (unless there is reason to think they have been compromised, of course). It is the "periodically" I am objecting to. – Martin Bonner supports Monica Oct 24 '19 at 12:28
  • 3
    @MartinBonner unless you are unaware that it has been compromised. There is a reason why products like CyberArk change passwords once used. In my environment, if passwords *never* expired, I could have people with very sensitive access to data with passwords that exist for 15 years. The threats against those accounts are inherently stealthy and quiet and have a desire to maintain access for as long as possible. I have to insist on periodic changes to mitigate that threat that will never expose themselves. – schroeder Oct 24 '19 at 12:51
  • @MartinBonner Depends on the risk potential... More sensitive environment -> more risk potential. More risk potential -> more brute-force attacks suffered -> more attacks suffered -> the hashes' life cycle needs to be shorter. – bradbury9 Oct 24 '19 at 14:33
  • Wouldn't it be simpler for them to just check the complexity of your password (or see if it's in pwned passwords) when you log in? No need to waste computing energy on cracking millions of passwords. Of course, this would not catch dead accounts, though. – Anders Oct 24 '19 at 15:02
  • 1
    @Anders "I have not used their service or logged in for a few months" -- and I'm not sure what I think about server-side inspection of plaintext passwords for purposes other than authentication. – schroeder Oct 24 '19 at 15:08
  • 1
    I would also warn the person from clicking on any links contained in the email. Go to the website manually and reset your password. – Reimus Klinsman Oct 25 '19 at 17:39
  • @KeiNagase OP said there was no link – schroeder Oct 25 '19 at 18:32
  • 1
    @schroeder I think it might be good to include that just for future readers who have a similar problem to the OP. Their email may have a link and could be a phishing attack. – Reimus Klinsman Oct 25 '19 at 19:01
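The two mechanisms discussed in this answer and its comments, as an added example that is not part of the question or any answer: a login-time check against a breach corpus using only a SHA-1 prefix (the k-anonymity range lookup Ghedipunk and Anders refer to), and the background audit of a stored, salted hash that schroeder describes, which is the only option when the cleartext is not in hand. The breach corpus, the counts, the PBKDF2 work factor and the account records are all constructed for this example; `range_endpoint` stands in for the real Pwned Passwords API so the code runs offline.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the Pwned Passwords corpus: password -> times seen in breaches.
# The passwords are real common choices; the counts are made up for this example.
BREACH_CORPUS = {"password": 3861493, "123456": 23547453, "letmein": 236391, "qwerty": 3912816}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_endpoint(prefix: str) -> str:
    """Simulates GET https://api.pwnedpasswords.com/range/<prefix>: for a 5-hex-char SHA-1
    prefix it returns every matching '<35-char suffix>:<count>' line. The service only ever
    sees the prefix, so a login-time check reveals nothing about the actual password."""
    lines = []
    for pw, count in BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str) -> int:
    """Login-time check: send only the first 5 hex chars, match the suffix locally.
    Returns how often the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_endpoint(prefix).splitlines():
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


ITERATIONS = 100_000  # PBKDF2 work factor, constructed for the example


def make_record(password: str) -> dict:
    """What the site stores: a random per-user salt plus PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def lookup_unsalted(stored_sha1: str) -> bool:
    """Why an unsalted store is the worrying case: the stored hash can be matched against a
    breach corpus directly, with no guessing at all."""
    return any(sha1_hex(pw) == stored_sha1 for pw in BREACH_CORPUS)


def audit_record(record: dict, guesses) -> Optional[str]:
    """Background audit of a salted record: the only way to test it is to re-derive each
    guess with this user's own salt. Returns the matching guess, or None if nothing matched."""
    for guess in guesses:
        cand = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), record["salt"], ITERATIONS)
        if hmac.compare_digest(cand, record["hash"]):
            return guess  # this account would get the "your password is weak" email
    return None


if __name__ == "__main__":
    print(pwned_count("letmein"))                          # 236391
    weak = make_record("letmein")
    strong = make_record("v7%Qe2!kLp0#zR9w")               # constructed strong password
    print(audit_record(weak, BREACH_CORPUS))               # letmein
    print(audit_record(strong, BREACH_CORPUS))             # None
    # Two records for the same password differ, so a salted hash cannot be looked up in
    # any leaked-hash list; the cleartext (at login) or a guess run is required.
    print(make_record("letmein")["hash"] != weak["hash"])  # True
```

The audit path is what makes the "we cracked it" reading of the email accurate: a positive result means the site's guess list reached the password, so an attacker with the same hashes and the same list would too. The login-time path is cheaper and leaks nothing to the lookup service, but, as noted above, it cannot reach accounts that have not logged in for months.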
14

The email may be totally legit. You don't actually need to know the password in plaintext to know that it has been part of a data breach, just that the hash of your password is in a data breach; that's how the API of haveibeenpwned works, for example.

Furthermore if your password is weak you should probably change it :)

kudrom
  • 2
    This is a summary of the previous answer – tungsten Oct 23 '19 at 10:49
  • 14
    I know mate, I must have published it at the same minute :) – kudrom Oct 23 '19 at 16:48
  • 10
    As worded, this is actually not the same as the other answer. It implies that it is the hash of the password which is checked against leaked hashes (which does not make the password weak per se, just weak because the hash was leaked), which would imply that either both the leak and the present system do not salt hashes, or that the leak comes from the present system! If you have a salted hash, you cannot check it against other hashes of the same password (salted or otherwise). You cannot use the haveibeenpwned API with a properly salted hash, you need to know the cleartext. – jcaron Oct 24 '19 at 07:01
  • 5
    @jcaron which would make this answer wrong, assuming best practices. – schroeder Oct 24 '19 at 15:11
  • @schroeder which makes your comment "wrong", assuming pedantry. ie This answer usefully addresses a possible aspect of the issue so, while not as correct as some, is useful enough to leave alone. | The same may be said about my comment :-). – Russell McMahon Oct 26 '19 at 00:45
0

The other answers are fine, but there's an at least theoretical second possibility which you touched on in your question and which bears discussing. (This is totally obvious to the security paranoids out there, but maybe not everyone else.)

If the "you have a weak password" message did not come from the site it claims to, and if the sender of that message -- who is actually an outside attacker -- has a way to eavesdrop on, and is lurking there waiting for you to, log in and reset your password as requested, then boom, he's got his hands on your new, "more secure" password (even though he may not have had any idea what your old password was, or how weak or strong it was).

How could an attacker eavesdrop on your password reset session?

  • compromised the part of the site that accepts password change requests
  • sniffing your Internet connection somehow
  • gave you a helpful link in the email which points at a different site that mimics the real site

@darnok mentioned being careful about exactly the right two things:

  • verified that "the email seems legit"
  • noted that the email did not have a convenient link, that the suggested action was to "log into your account and go to account->account details to change your password"

But, these days, if you get such an email, I'd say you're right to be concerned. If you were the victim of a well-resourced attempt to steal your password, this is exactly what it might look like.

Steve Summit
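The header check mti2935 suggests in the comments on the accepted answer, as an added example that is not part of any answer here: read the `Authentication-Results` header your own mail server added and require SPF, DKIM and DMARC to have passed for the domain the mail claims to come from. Both messages are constructed samples, `mx.example.net` is an assumed name for the recipient's own mail server, and `example.com` is the assumed domain of the company.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample: the receiving server (authserv-id "mx.example.net") recorded passing checks.
LEGIT_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Example Security <security@example.com>
Subject: Your password is weak

Log into your account and change your password.
"""

# Constructed sample: a spoof. Our server recorded failures, and the sender smuggled in its
# own Authentication-Results header (different authserv-id) claiming everything passed.
SPOOFED_RAW = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=evil.example.org; dkim=none; dmarc=fail header.from=example.com
Authentication-Results: attacker.example.org; spf=pass; dkim=pass header.d=example.com
From: Example Security <security@example.com>
Subject: Your password is weak

Click here to change your password.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)")


def parse_mail(raw: str) -> Message:
    return message_from_string(raw)


def auth_results(msg: Message, authserv_id: str) -> dict:
    """Collect spf/dkim/dmarc verdicts, but only from Authentication-Results headers whose
    authserv-id is our own mail server. Any other such header may have been written by the
    sender, which is why the spoofed sample's forged 'pass' lines are ignored."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        head, _, rest = hdr.partition(";")
        if head.strip().lower() != authserv_id.lower():
            continue
        for method, result in RESULT_RE.findall(rest):
            verdicts.setdefault(method, result.lower())
        m = DKIM_DOMAIN_RE.search(rest)
        if m:
            verdicts.setdefault("dkim_domain", m.group(1).lower())
    return verdicts


def looks_authentic(msg: Message, authserv_id: str, expected_domain: str) -> bool:
    """True only if From is at the expected domain, DKIM passed for that same domain,
    and SPF and DMARC passed as recorded by our own server."""
    v = auth_results(msg, authserv_id)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    return (
        from_domain == expected_domain
        and v.get("dkim") == "pass"
        and v.get("dkim_domain") == expected_domain
        and v.get("spf") == "pass"
        and v.get("dmarc") == "pass"
    )


if __name__ == "__main__":
    print(looks_authentic(parse_mail(LEGIT_RAW), "mx.example.net", "example.com"))    # True
    print(looks_authentic(parse_mail(SPOOFED_RAW), "mx.example.net", "example.com"))  # False
```

A passing result says the message really left the company's mail infrastructure, which rules out the spoofed-email scenario in this answer; it says nothing about whether the link inside is safe, so the advice to navigate to the site by hand still stands.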