
Hundreds of thousands still using breached usernames and passwords - GiulioS
https://secalerts.co/article/hundreds-of-thousands-still-using-breached-usernames-and-passwords/e1412d1b
======
bradknowles
So, the problem here is that many of these tools just look to see if you’re
using an address that is known to have been compromised on that site. But I
changed my password on that site, so I’m no longer vulnerable to that
compromise. But the tool just sees my address and doesn’t know of or
acknowledge the fact that I have already remediated that one.

As for using an insecure password, I fix those as I come across them, and
store the new fixed password in my secure password manager. But just because I
happen to have used a password in the past on a given site that is now known
to be weak, doesn’t mean that password on that site has actually been
compromised — the password is just weak and needs to be replaced.

These tools need to get better at detecting the real compromise and the
remediation thereof, and not just crying wolf over the fact that my e-mail
address on that site may have led attackers to a password that I once used
long ago, but which I haven’t used anywhere else.

