Why you should always change your logins after a data breach


Between the first and second quarters of 2023, the number of data breaches worldwide almost tripled, according to research from VPN provider SurfShark.

Agneska Sablovskaja, Lead Researcher at SurfShark, has even said that this rapid increase in data breaches “highlights that the current data protection measures are not sufficient, and sensitive information remains at risk as cybercriminals continue to access it in ever higher numbers”.

But what actually is a data breach, and why do breaches put your accounts and devices at risk? A data breach occurs when unauthorized individuals or entities gain access to confidential, sensitive, or protected information. This information may include personal data, financial records, login credentials, or other types of sensitive information. This data exposure is costly; it’s estimated that data breaches cost, on average, $9,440,000 per year, in the U.S. alone. Unfortunately, the impacts do not stop there. In a report by IBM, researchers explain that the use of ransomware (malicious software that encrypts data behind a paywall) in connection with a data breach has increased by 41%, and, when researched in 2022, it took approximately nine months to even identify and contain a breach.

When data is exposed in a data breach, hackers can use it to further their own criminal activities. Credential stuffing is one of the latest methods being used by cybercriminals to compromise your data. These criminals attempt to gain access to your vital accounts by exploiting the sad truth that lists of usernames and passwords are routinely stolen from companies and leaked both publicly on the internet and semi-privately on the dark web. These extensive lists are key to hackers gaining access: they use this information together with bots and other automation techniques to try the leaked username and password combinations across multiple websites, services and social media networks.

If you either never change your passwords or reuse your passwords across multiple services, this is incredibly useful for hackers. If you reuse passwords across multiple accounts, for cybercriminals this is akin to striking gold, as a single username and password combination will work and give them access to an array of different websites. This can result in the victim simultaneously losing access to their email accounts, social media pages, bank details and more.

As part of a large-scale investigation, New York Attorney General Letitia James reported that “credential stuffing” was used to compromise 1.1 million online accounts in cyberattacks at 17 well-known companies. The attacks involved repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services. The Office of the Attorney General (OAG) alerted the relevant companies so that passwords could be reset and consumers could be notified quickly. They also released a comprehensive “Business Guide for Credential Stuffing Attacks” detailing the attacks and how businesses can protect themselves in future.

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said Attorney General James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”

Why is exposed login info a cybersecurity risk?

Despite almost 90% of us understanding that there is significant risk when reusing the same login credentials, 62% of consumers are still frequently repeating passwords, according to new research from LastPass. The survey, which explored the password security behaviors of 3,750 professionals across seven countries, analyzed respondents' answers about their mindsets and behaviors surrounding online security. Shockingly, they found that only 12% of respondents use different passwords for different online accounts. Although respondents in the ‘Gen Z’ demographic (born between 1997 and 2012) answered most confidently about their password management systems and initially create stronger passwords for social media and entertainment accounts, they were found to have the worst overall password hygiene out of those surveyed. Gen Z respondents recognized the risk of reuse, yet used a variation of a single password 69% of the time, closely followed by the ‘millennial’ demographic (born between 1981 and 1996), who were found using a variation of a single password 66% of the time.

This isn’t just an issue for personal accounts either. A report from Bitwarden surveying 800 IT decision-makers from the UK and the US discovered that 90% of users reused passwords in the workplace. This survey also uncovered that of those surveyed, 54% managed passwords with documents on their computer whilst 45% just tried to memorize login credentials. When looking into workplace password sharing, security measures weren’t any better, with 38% of respondents using shared online documents, while 41% simply shared the passwords via email. Many opted for simple, easy to remember, and therefore easy to guess, passwords such as “password” or “12345678”.

Others used the same passwords across multiple services, shared them with their friends and family, or wrote them down somewhere physically, such as on a Post-it note on a desk that can unintentionally end up in the back of photographs or be seen through windows. As a response to this, Bitwarden’s report claims roughly half of respondents deploy or have plans to deploy passwordless technology. This includes biometric authentication such as fingerprint scanners and facial recognition software, as well as passkeys.
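The reuse, single-password variations and easy-to-guess choices found in these surveys can be checked for in your own password list. The following is an added example, not code from the article or from any password manager; the function names, the character-swap table, the 12-character threshold and the sample vault are all assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Easy-to-guess passwords; the first two are the examples the article quotes.
COMMON = {"password", "12345678", "qwerty", "letmein"}
# Undo common character swaps so "P@ssw0rd" and "password" compare equal.
SWAPS = str.maketrans("@4301!$5", "aaeoiiss")
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article


def stem(password):
    """Reduce a password to the base word that its variations share."""
    core = re.sub(r"[^A-Za-z]+$", "", password)  # drop trailing digits/symbols
    # All-digit passwords have no letters left, so compare them unchanged.
    return core.lower().translate(SWAPS) if core else password


def audit(entries):
    """entries: iterable of (site, password). The report holds site names only."""
    by_exact, by_stem = defaultdict(list), defaultdict(list)
    weak = []
    for site, password in entries:
        # Hash is used only as an in-memory grouping key, never stored.
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_exact[digest].append(site)
        by_stem[stem(password)].append((site, digest))
        if stem(password) in COMMON or len(password) < MIN_LENGTH:
            weak.append(site)
    reused = [sorted(sites) for sites in by_exact.values() if len(sites) > 1]
    # Same stem but different exact passwords: variations of one password.
    variants = [
        sorted(site for site, _ in group)
        for group in by_stem.values()
        if len({digest for _, digest in group}) > 1
    ]
    return {"reused": reused, "variants": variants, "weak": sorted(weak)}


# Constructed sample vault; none of these are real credentials.
SAMPLE = [
    ("mail.example", "Summer2023!"),
    ("bank.example", "Summer2023!"),
    ("shop.example", "summer#1"),
    ("forum.example", "P@ssw0rd1"),
    ("wiki.example", "12345678"),
    ("cloud.example", "vD9#kq!Tz2mW&x7LbR"),
]

if __name__ == "__main__":
    for finding, sites in audit(SAMPLE).items():
        print(finding, sites)
```

Every site listed under `reused` or `variants` falls to the same leaked password or a close guess at it, so those are the logins to change first after a breach.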

Bitwarden CEO Michael Crandell commented on the fact that the survey displayed a desire from businesses for technologies that “reflect passwordless workflows”, saying that this “shouldn’t come as a surprise”. 

“While strong and unique passwords are highly effective at safeguarding data, weak or re-used passwords that are not managed by an end-to-end encrypted password manager present serious vulnerabilities,” he added.

The consequences of hackers gaining access to your login information, and therefore your accounts, are very real and can be very scary. In a particularly disturbing case, which illustrates the real, tangible dangers of insecure passwords, a hacker was able to virtually break into a couple's ‘smart home’ in Milwaukee, Wisconsin. The owner, Samantha Westmoreland, found her Nest thermostat turned up to 90°. Assuming it was a glitch, she turned it down; however, it quickly shot up again. The worst of it followed when a voice began speaking from her Nest security camera in the kitchen and their speaker started playing music that the couple described as ‘vulgar’. The couple changed their passwords but problems persisted, leading them to contact their internet provider and change their network ID.

A survey carried out by researchers at LastPass found generally low levels of confidence when it came to cybersecurity: 70% of the respondents said they were neutral about their cybersecurity fluency, while only 24% were confident and 7% were “not confident”. Related to this, they found that 40% of respondents used multi-factor authentication (MFA), while only 23% used a password manager.

Christofer Hoff, Chief Secure Technology Officer for LastPass, commented that despite more people being online than ever, “there continues to be a disconnect for people when it comes to protecting their digital lives. The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons”. 

He added that “for both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure”.

The best password manager in 2024

Anyone can be a victim of cyber attacks, including hugely impactful data breaches. However, the good news is there are simple steps you can take to begin fortifying your own digital security.  

One easy way is by installing a password manager. This is software or a browser extension that will create, store and manage login information, usually in an encrypted database. Password managers can also help to maximize productivity, automatically suggesting and storing secure passwords that will not need to be manually typed when revisiting the website.

Many browsers now have automatically integrated password management systems, but using a third-party manager allows you to store, access, and autofill your passwords across all of your platforms and devices. 

 1. NordPass - best overall password manager.
This feature-packed password manager has just about everything you need for both personal and business use. The premium plan offers great value for money, allowing you to be logged in on six devices simultaneously, without compromising security. 

It will also detect weak or reused passwords as well as notify users of any data breaches that may affect their accounts. NordPass is supported on every platform you could need, including browser extensions for Chrome, Firefox, Edge, Opera, Brave, and Safari; desktop applications for Windows, Mac and Linux; and mobile apps for iOS and Android devices. If that’s not enough, your password vault can be accessed directly via the NordPass website too.

Updates are frequent, too, with new features being added regularly.

2. Dashlane - best password manager for security
Dashlane prioritizes its strong security credentials as a leading feature alongside its easy-to-use interface. It boasts the ability to store an unlimited number of passwords and protect them with multi-factor authentication. It also packs in additional handy features, like allowing users to store other information besides passwords, including delivery addresses and contact details, which can then be filled out in an instant.

Dashlane also offers a premium tier, which adds impressive additional functions including dark web monitoring, to keep users abreast of any known data breaches that may have affected their accounts. With premium there is also the option to store files securely within the manager, as well as an inbuilt VPN.

3. Bitwarden - best free password manager
Bitwarden’s free tier covers standard users' personal and business needs securely. Unless you’re a power user requiring advanced features, it is more than capable of storing all your passwords safely and effectively across all devices. Its standard free plan features multi-device synchronization, optional self-hosting and unlimited password storage. The program is ‘open source’, which means that others can contribute to the app's development and view the process. This is helpful for giving users peace of mind that the company will not be able to cover up any flaws. Two-factor authentication is also available with the free tier, either via email or an authenticator app.

If you want to upgrade, Bitwarden’s premium tier offers additional 2FA options, including physical security keys and integration with Duo Security, a specialist third party who can provide authentication via its mobile app, SMS message or phone call. It also includes features for weak password and unsecured website detection, as well as business-focused features such as password sharing, access control and user groups.

Picking the right password manager

When deciding on the best password manager, it’s important to consider your own user needs. A good place to start is with your budget: multiple free products offer a reasonable service, but if you want to benefit from more robust security, additional features or more sharing, you will have to opt for a paid service. Be sure to also consider if you will be switching across multiple devices, such as between a laptop and mobile phone, and check how many devices different plans allow. If there are multiple users in your household, consider password managers which allow for a family payment plan to cover all members and their multiple devices. Be sure to also confirm that any password manager will work across the range of devices that you use, including Windows, Apple and Android products.

However, these seemingly super powerful tools are not without vulnerabilities. A Google advisory published in 2023 highlighted a concerning flaw wherein several password managers could be deceived into auto-filling credentials on unauthorized sites. It’s important to remain vigilant, as online password managers pose risks of their own: although they do raise usual security standards, they cannot offer absolute invulnerability. Cybercriminals are able to trick major password managers by skilfully manipulating website components or crafting incredibly persuasive phishing sites. This, alongside users not closely checking the site's authenticity and instead relying on the auto-fill feature, can quickly lead to dangerous account breaches.

Best user practices for utilizing password managers include creating robust passwords. Ensure that you reduce your own vulnerabilities by following these steps:

1. Incorporate alphanumeric characters: Though adding upper and lowercase letters might not drastically enhance password strength, their inclusion can fortify defenses.

2. Lengthen: Extended character sequences can significantly challenge recovery attempts.

3. Integrate symbols: Including symbols has proven more effective than switching between upper and lowercase letters.

4. Prioritize unpredictability: Crafting unconventional passwords is key. Avoid the temptation of dictionary words or predictable sequences.

Understanding the potential hazards posed by auto-fill features is integral to comprehensive protection. Disable the automatic auto-fill function and opt for a manual trigger instead, reserving autofill for when you are certain of the website's authenticity.
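The authenticity check behind a manually triggered autofill comes down to comparing the page's origin with the one the login was saved for. The following is an added example, not code from the article, the Google advisory or any password manager; the function names, the HTTPS-only rule and the embedded-frame rule are assumptions, and every URL is constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) for a URL, or None if it is unusable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        # IDNA-encode so look-alike Unicode hosts become distinct "xn--" names.
        host = parts.hostname.encode("idna").decode("ascii").lower()
        port = parts.port or DEFAULT_PORTS[scheme]
    except (UnicodeError, ValueError):
        return None
    return scheme, host, port


def may_autofill(saved_url, page_url, top_level_url=None):
    """Offer a saved login only on the exact origin it was saved for."""
    saved, page = origin(saved_url), origin(page_url)
    if saved is None or saved != page:
        return False
    if saved[0] != "https":
        return False  # assumed policy: never fill over plaintext HTTP
    # Assumed policy: a form inside a frame needs a same-origin top-level page.
    return top_level_url is None or origin(top_level_url) == saved


SAVED = "https://accounts.example.com/login"  # constructed saved entry

# Constructed page URLs with the decision a strict check should reach.
CASES = [
    ("https://accounts.example.com/signin?next=/", None, True),
    ("https://accounts.example.com.evil.test/login", None, False),   # suffix trick
    ("https://accounts.example.com@evil.test/login", None, False),   # userinfo trick
    ("https://accounts.ex\u0430mple.com/login", None, False),        # Cyrillic "a"
    ("http://accounts.example.com/login", None, False),              # no TLS
    ("https://accounts.example.com/login", "https://evil.test/", False),  # framed
]


def run_cases():
    """Return the pages whose decision differs from the expected one."""
    return [page for page, top, want in CASES
            if may_autofill(SAVED, page, top) is not want]


if __name__ == "__main__":
    print("mismatches:", run_cases())
```

The rejected URLs all show the saved site's name somewhere in the address bar, which is why an exact origin comparison is more dependable than reading the address by eye.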

How we test password managers

At TechRadar, we’ve personally tested nearly 30 of the leading password managers, so that you can be sure we’ve found the best options across all budgets. In our comprehensive review process, we analyzed all essential aspects that market-leading password managers excel in. These included value for money, ease of use, security, compatibility, device limitations, and storage capacity. During our testing we ensured we tried each password manager out on every available platform and browser to make sure they offered a consistent experience. We also tried to use them in every kind of situation we could think of to reveal any potential shortcomings.

We dedicated a considerable amount of time to each password manager to ensure the experience remained consistent and no unexpected issues arose after the initial use. If you change your mind, most good password managers offer easy ways to export your vault from one manager to another, so don’t feel you’re stuck if you don’t personally like your first-choice password manager.

For a comprehensive look at how we test, check out our full testing methodology page.

Password managers FAQs

What is the difference between free and paid for password managers?

Both offer comparable levels of protection, but paid password managers usually allow you more features, including multi-device options or increased storage. Paid and premium plans may also offer dark web monitoring to alert you if and when your info has been exposed in a data breach, attached VPNs, direct customer support and the option to store things other than passwords, such as delivery addresses or documents.

How do password managers work?

A password manager stores, saves and encrypts your login credentials to sites and apps across your internet use. They will work across multiple devices, and they should feature a browser extension for use on desktop computers, as well as an app for smart devices such as your mobile phone. Your passwords will synchronize across all the devices you use the password manager with. They will also often generate secure, difficult-to-guess passwords when setting up new online accounts.

Do password managers work with apps?

Yes, all the best password managers have an associated app that will work on both Android and Apple iOS devices. Most smartphones combine password managers with two factor authentication utilizing measures like fingerprint biometrics, passcodes and face ID for an extra layer of security.

Are password managers safe?

Mostly yes, although it’s important to remember that they are not infallible. All good password managers will also allow for biometric login and feature multi-factor authentication. It’s a good idea to combine a password manager with other cybersecurity measures to create a robust security kit in the event of any issues as well as to conduct manual authenticity checks of any website requesting your information. 

Can password managers be hacked?

Yes, but any type of computer system can be hacked. Password managers use strong encryption software when storing passwords to make sure they are better protected against hacking. Our recommended password managers have a great safety record and utilize industry-standard encryption methods to protect your information.

Should you use your browser password manager?

While this is a convenient and free option, it does have some limitations. For example, Apple’s Keychain password manager cannot be synced with Chrome’s password manager. This can lead to things getting disorganized quickly, especially if you have to reset a password. Consider third-party options that allow you more comprehensive access.

Olivia Powell
Commissioning Editor for Tech Software

Olivia joined TechRadar in October 2023 as part of the core Future Tech Software team, and is the Commissioning Editor for Tech Software. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across sites including TechRadar Pro, TechRadar, Tom’s Guide, iMore, Windows Central, PC Gamer and Games Radar. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.