Posted 10 April 2024 - 12:39 AM
The safest sites are those that lock you out after a limited number of Password entry attempts, say 3, 5, or even 10.
As I'm getting older, 3 seems slightly too low, but others may disagree.
Posted 10 April 2024 - 09:58 AM
Okay, so the password that's been "seen" 97 times is an old one and only in current use on websites where I don't have any sensitive information. A password that I do use on sensitive sites has been "seen" 9 times. Is that good enough, or will bad actors eventually get around to trying out that password on their favorite websites?
Posted 10 April 2024 - 11:22 AM
I play the Lottery and am happy with odds of about 14,000,000/1.
I don't know what the odds are of a criminal deciding that you're the one. They're shorter than that, but still fairly long.
It's a gamble.
Personally, I reckon that entering your password into the 'haveIbeenpwned' website actually increases the odds of it being used.
Posted 10 April 2024 - 11:47 AM
If the odds were 1 chance in 100, then I'd be fine to leave things alone. Of course, I'm thinking about what a huge pain it would be to visit hundreds of websites for a password change. Then too, my newer passwords, which have not been pwned/seen/listed, are just slightly different versions of the ones that have been seen. The variations just have a number or special character added. So if the seen-97-times password is listed all over the place, I wonder what the odds would be of someone taking the time/effort to add a number or special character and then gaining access to the newer/unseen passwords.
Posted 10 April 2024 - 12:50 PM
Okay, so the password that's been "seen" 97 times is an old one and only in current use on websites where I don't have any sensitive information. A password that I do use on sensitive sites has been "seen" 9 times. Is that good enough, or will bad actors eventually get around to trying out that password on their favorite websites?
Please change the password. The thing isn't that it's been seen 9 times. If the hacker uses a password list that has it, it is over.
I play the Lottery and am happy with odds of about 14,000,000/1.
I don't know what the odds are of a criminal deciding that you're the one. They're shorter than that, but still fairly long.
It's a gamble.
Personally, I reckon that entering your password into the 'haveIbeenpwned' website actually increases the odds of it being used.
The thing here is that if the database gets leaked in a data breach, hackers can just try millions of password attempts per second (depending on the type of hashing used) per account, and it is all automated. So any that get cracked are the ones that can potentially be hacked down the line.
Also, HIBP uses k-anonymity to determine if your password is breached without sending the password over. Basically, it hashes the UTF-8 representation of your password using SHA-1. Then it sends 5 characters, downloads a list of the remaining hashes, and checks on the client whether the rest of the hash is on the list, along with its count. To prevent even the side-channel attack of the packet length returned by the server to the client (as the communication itself is encrypted with TLS), it pads the list with dummy hashes with 0 times seen, to ensure every 5-hex-character SHA1 response is the same size.
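The exchange just described, as an added example that is not code from HIBP or from anyone in this thread: a stand-alone simulation in which the client hashes the password, sends only the 5-hex-character prefix, and a simulated server answers with the matching SUFFIX:COUNT lines padded with count-0 dummies to a constant length. The breach corpus, RANGE_SIZE and both functions are constructed here for the simulation; the live API only pads when the request carries the Add-Padding: true header.

```python
import hashlib
import secrets

# Constructed "breach corpus" for the simulation (password -> times seen); not HIBP data.
BREACH_COUNTS = {"password": 97, "letmein": 9}
RANGE_SIZE = 8  # constant number of lines in every padded range response (assumption)


def sha1_hex(password):
    """SHA-1 of the UTF-8 bytes of the password, uppercase hex, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(counts):
    """Simulated server-side index: 5-hex prefix -> {35-hex suffix: count}."""
    index = {}
    for pw, n in counts.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = n
    return index


def server_range(index, prefix, pad_to=RANGE_SIZE):
    """Server side: return 'SUFFIX:COUNT' lines for one prefix, padded with random
    count-0 dummies so the response length does not reveal how many real matches exist."""
    lines = [f"{s}:{n}" for s, n in index.get(prefix, {}).items()]
    while len(lines) < pad_to:
        lines.append(f"{secrets.token_hex(18)[:35].upper()}:0")
    return "\n".join(lines)


def pwned_count(password, fetch_range):
    """Client side: only the first 5 hex characters of the hash ever leave the client.
    The remaining 35 characters are compared locally; count-0 lines are padding and ignored."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix and int(count) > 0:
            return int(count)
    return 0


if __name__ == "__main__":
    index = build_index(BREACH_COUNTS)
    for pw in ("password", "letmein", "correct horse battery staple"):
        print(pw, "seen", pwned_count(pw, lambda p: server_range(index, p)), "times")
```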