- What is a compromised password?
- How can I tell which of my passwords have been compromised?
- What should I do if I see a password that is compromised?
- Other Common Questions
What is a compromised password?
A compromised password is an individual password that has previously been seen in a documented data breach where hackers released the stolen data publicly or sold it on the Dark Web. To detect compromised passwords, RoboForm checks against a list maintained by Have I Been Pwned (HIBP), a service that collects passwords exposed in data breaches.
How can I tell which of my passwords have been compromised?
Logins with compromised passwords are marked with a red exclamation point icon in the RoboForm extension and in the Security Center.
What should I do if I see a password that is compromised?
If you see that one of your passwords is compromised, you should update it immediately.
To update a compromised password, follow these steps:
1) Click the house icon in the upper left of the RoboForm extension to go to the Start Page.
2) Select "Security Center" in the bottom left navigation tab, then go to the "Compromised" tab.
3) Hover your cursor over the Login in the Compromised tab on the Start Page and click the "Log In" (play button) button.
4) Once logged in, go to the site’s “Change Password” menu. Use the RoboForm Password Generator to create a complex password rated Strong. From there, RoboForm will save the updated password, remove the exclamation point indication, and update your Security Score accordingly.
For help using the RoboForm Password Generator, click here for our tutorial video and article.
Other Common Questions:
I can't or don't want to change a password marked as compromised. How can I remove the red exclamation point icon?
Excluding the compromised password from your Security Score will also remove the red exclamation point icon. To exclude a compromised password, follow these steps:
1) Click the house icon in the upper left of the RoboForm extension to go to the Start Page.
2) Select "Security Center" in the bottom left navigation tab, then go to the "Compromised" tab.
3) Hover your mouse over the login you wish to exclude the password for and click the 3 dots which will appear on the right.
NOTE: If you would like to select multiple Logins from the Compromised passwords list, hover your mouse over top of one of the items you wish to select and then check the box which will appear on its left.
Once this box is checked a menu will appear at the top of your Compromised passwords list with options to:
- Exclude from Security Score - Excludes all checked Logins from your Security Score.
- Batch Log In - Opens all checked Logins in new tabs and logs you in to each.
- Move - Allows you to change the folder all checked Logins are stored in.
- Clone - Allows you to duplicate all checked Logins.
- Delete - Allows you to delete all checked Logins.
- Select All - Allows you to select every Login in the Compromised passwords list.
4) Select "Exclude from Security Score" from the menu. RoboForm will no longer display the red exclamation point for this Login or include it in your Security Score.
NOTE: If you wish to re-include this Login, you can do so by going to the "Excluded" tab and then clicking the "Include in Security Score" (shield icon) button.
How do I stop the red exclamation point icon from showing up for all Logins?
1) Click the house icon in the upper left of the RoboForm extension to go to the Start Page.
2) In the top right under your account email, click the "Settings" option.
3) Under the "Security" tab, toggle off the "Show compromised passwords indicator" option. Then, click the blue "Done" button in the upper right corner.
How does RoboForm know that a password is compromised?
RoboForm checks against the Pwned Passwords list maintained by HIBP. The list is composed of hundreds of millions of real-world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use, as they're at much greater risk of being used to take over other accounts.
How does RoboForm securely and anonymously scan my passwords without revealing them?
The passwords on the full HIBP list of compromised passwords are hashed with SHA-1. In addition, the RoboForm client does not transmit complete password hashes when checking against the list. As discussed in more detail here, we use a technique called k-anonymity in order to verify without revealing the individual password.
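The prefix-only lookup described above, as an added Python sketch (not RoboForm's code): the client hashes the password with SHA-1, sends only a short prefix of the hash, and compares the returned suffixes locally. The 5-character prefix and the SUFFIX:COUNT line format follow HIBP's public Pwned Passwords range API; the service side is simulated with a constructed three-entry corpus so the example runs offline, and all function names are hypothetical.

```python
import hashlib

PREFIX_LEN = 5  # hex characters sent to the service (HIBP's range API uses 5)

# Constructed sample data standing in for the breach corpus: password -> times seen.
CONSTRUCTED_BREACH_COUNTS = {"password": 1000, "letmein": 250, "qwerty123": 40}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> str:
    """Simulated service: return 'SUFFIX:COUNT' for every hash sharing the prefix.

    The service sees only the prefix, which many different passwords share,
    so it cannot tell which one (if any) the client is checking.
    """
    lines = []
    for sample_password, count in CONSTRUCTED_BREACH_COUNTS.items():
        digest = sha1_hex(sample_password)
        if digest.startswith(prefix):
            lines.append(f"{digest[PREFIX_LEN:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client: send the hash prefix only, then match the suffix locally.

    Returns how many times the password was seen, or 0 if it is not listed.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-not-in-sample"):
        print(pw, "->", breach_count(pw))
```

Neither the password nor its full hash leaves the client; the final comparison happens on the returned suffix list.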
Can RoboForm tell me when or where an individual compromised password was hacked?
No. Our provider HIBP does not store any information about who the password belonged to, only that it has previously been exposed publicly and how many times it has been seen.