How do you know when it's time to change your password?

With the blogs in this series I want to reach not only my typical audience, security professionals, but especially less security-aware people, to help them improve their personal security. If you think the content is helpful for people you know, share it with them!

The risks of a hacked account

When an unauthorized person gets access to one of your accounts, we speak about hacking. Let's take your email account, one of your most important online accounts, as an example.

Once attackers have access to your email account they can send emails on your behalf and read everything in your mailbox. They could also change the password and lock you out of your own account. Even worse, they can issue password resets or account recovery for applications for which you registered with that email address and take over these accounts as well.

Indicators of hacked accounts

But how do you know if an account has been hacked? Well, there are a few different indicators.

  • When you receive an email that your account was accessed from a location you weren't at that particular moment.
  • A lot of applications also show you which devices are logged in. If you don't recognize one or more of the devices that are logged in, this is a sign that something is wrong.
  [Image: Overview of authenticated sessions and devices for Twitter]
  • When you get a confirmation message on your email account that your password was changed, but it wasn't you who changed it.
  • When someone tells you that they receive strange emails or text messages from your email account. Often these messages contain suspicious links.
  • When you no longer have access to your account with your current username and password. Note that some online systems temporarily lock you out of your account after a number of failed logins, so not being able to log in doesn't always mean that your account is hacked.

What to do?

When your account is hacked, it's important to change your password as soon as possible. And not only for the hacked account: for every other account where you use that same password, you have to change it to a unique one as well. When the attacker has already changed the password and you're locked out of your account, try to recover your account either directly via the website or by contacting the company.

If the particular website or app provides a way to log out logged-in devices - like we saw in the example that I gave about Twitter - log out all suspicious devices.

Later in this blog series I will tell you more about what a good password is about.

Other signals to change your password

There are many security incidents that, when they happen, require you to change your password. I'm going to highlight the ones that happen most frequently.

When a company suffers a data breach and your username and password get stolen, every account for which you use the same username and password combination is at risk.

But how can you learn that a data breach happened?

Hopefully a company informs you directly via email or on their website when this happens. This is a very recent data breach notice from Zendesk from October 2, 2019.

The problem in this case is that the data breach happened almost 3 years ago and that people's online accounts using that same password were at risk during this period. Relying on a password only is risky business. Later in this blog series I will tell you which additional account security measures you can configure.

In some cases it is even worse. The breached company might not inform you, or they only put a notice on their website and you haven't seen it. That's why it's recommended to use services like Have I Been Pwned.

[Image: Have I Been Pwned]

Have I Been Pwned is only one of the available data breach monitoring tools and services. Do read this blog, which describes several different tools in more detail.

Another reason to change your password is if you suspect that you fell for a phishing attack. Phishing is a technique criminals use to lure you into handing over your data, like your username and password, via links leading to fraudulent websites under their control.


Stay vigilant and when you recognize one of these signals, change your passwords immediately. That's it for today. Stay tuned for more tomorrow!

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life