[{"data":1,"prerenderedAt":691},["ShallowReactive",2],{"blog-protecting-identity-after-data-breach":3},{"id":4,"title":5,"alt":6,"author":7,"body":8,"category":669,"description":670,"extension":671,"faq":672,"image":679,"meta":680,"navigation":549,"path":681,"publishedAt":682,"seo":683,"stem":684,"tags":685,"__hash__":690},"blog\u002Fen\u002Fprotecting-identity-after-data-breach.md","Your Data Was Leaked: The 2026 Technical Guide to Stopping Breach Damage","data breach protection checklist with password strength meter and security shield","Alex Vibe, Senior Security Dev",{"type":9,"value":10,"toc":649},"minimark",[11,15,18,21,26,29,36,42,48,59,61,65,68,162,165,170,177,180,191,201,204,214,229,232,234,238,241,246,262,265,271,278,280,284,287,317,319,323,326,346,349,410,413,416,422,428,430,434,437,443,449,455,461,467,478,480,498,500,532,534,538,602,605,607,611,615,618,622,625,629,632,636,642,646],[12,13,14],"p",{},"A breach notification lands in your inbox. Your email, your hashed password — maybe your address — are now sitting in a database someone is selling on a forum for $20. You have a narrow window before automated bots start testing your credentials everywhere you've ever signed up.",[12,16,17],{},"Here's what actually matters in the next 48 hours.",[19,20],"hr",{},[22,23,25],"h2",{"id":24},"the-first-48-hours-triage-not-panic","The First 48 Hours: Triage, Not Panic",[12,27,28],{},"The instinct is to change every password immediately. That's partially right, but unfocused. Start with triage.",[12,30,31,35],{},[32,33,34],"strong",{},"Priority 1 — Identify the blast radius."," What did the breached service store? Email only is low risk. Email + password hash + address is high risk. Email + plaintext password is an emergency. Most breach notifications will tell you what was exposed — read them carefully.",[12,37,38,41],{},[32,39,40],{},"Priority 2 — Map your password reuse."," This is the real damage multiplier. 
A single compromised password becomes dozens of compromised accounts if you've reused it. Pull up your password manager and filter for accounts using that same credential. No password manager? That's a separate problem — fix it this week.",[12,43,44,47],{},[32,45,46],{},"Priority 3 — Check entropy, not just length."," \"My password is 12 characters\" means nothing without knowing the character set. A 12-character all-lowercase password has about 56 bits of entropy. A 12-character mixed-charset password has ~78 bits. The difference in crack time is orders of magnitude.",[12,49,50,51,58],{},"Use our ",[32,52,53],{},[54,55,57],"a",{"href":56},"\u002Fpassword-strength-checker","Password Strength Checker"," — runs 100% in your browser, zero data sent to any server — to audit every password you think might be weak. Paste it in, read the entropy score, read the crack time. Anything under 60 bits gets replaced today.",[19,60],{},[22,62,64],{"id":63},"why-leaked-passwords-crack-faster-than-you-think","Why Leaked Passwords Crack Faster Than You Think",[12,66,67],{},"When a service gets breached, they rarely store plaintext passwords (hopefully). They store hashes. 
But not all hashing algorithms are equal — and the algorithm the breached service used determines how fast attackers can reverse your password.",[69,70,71,90],"table",{},[72,73,74],"thead",{},[75,76,77,81,84,87],"tr",{},[78,79,80],"th",{},"Hash Algorithm",[78,82,83],{},"RTX 4090 Speed",[78,85,86],{},"Time to Crack 8-char (mixed)",[78,88,89],{},"Verdict",[91,92,93,108,120,134,148],"tbody",{},[75,94,95,99,102,105],{},[96,97,98],"td",{},"MD5",[96,100,101],{},"164 billion\u002Fsec",[96,103,104],{},"\u003C 1 second",[96,106,107],{},"Deprecated \u002F Dangerous",[75,109,110,113,116,118],{},[96,111,112],{},"SHA-1",[96,114,115],{},"61 billion\u002Fsec",[96,117,104],{},[96,119,107],{},[75,121,122,125,128,131],{},[96,123,124],{},"SHA-256",[96,126,127],{},"23 billion\u002Fsec",[96,129,130],{},"~2 seconds",[96,132,133],{},"Insecure for passwords",[75,135,136,139,142,145],{},[96,137,138],{},"bcrypt (cost 10)",[96,140,141],{},"184,000\u002Fsec",[96,143,144],{},"~6 years",[96,146,147],{},"Acceptable minimum",[75,149,150,153,156,159],{},[96,151,152],{},"Argon2id",[96,154,155],{},"15,000\u002Fsec",[96,157,158],{},"~75 years",[96,160,161],{},"Industry standard 2026",[12,163,164],{},"The math is brutal. If the breached service used MD5 (common in older systems), your hashed password is as good as plaintext the moment someone with a GPU cluster gets the dump.",[166,167,169],"h3",{"id":168},"why-salt-helps-but-doesnt-save-weak-passwords","Why Salt Helps — But Doesn't Save Weak Passwords",[12,171,172,173,176],{},"A well-implemented database adds a unique ",[32,174,175],{},"salt"," (random bytes) to each password before hashing. This defeats precomputed rainbow tables — attackers can't look up your hash in a pre-built dictionary. Each salted hash must be cracked individually.",[12,178,179],{},"The catch: salt only buys time. It doesn't change the underlying crack rate. 
MD5 with a salt still runs at 164 billion guesses\u002Fsec — the attacker just works through the dictionary one record at a time instead of batch-comparing. If your password has low entropy, salt is a speedbump, not a wall.",[12,181,182,185,186,190],{},[32,183,184],{},"bcrypt and Argon2id are KDFs (Key Derivation Functions)",", not simple hashes. The distinction matters. A KDF is designed to be computationally expensive — the ",[187,188,189],"code",{},"cost 10"," in bcrypt means each guess requires ~100ms of CPU time. That's intentional. Attackers can't parallelize their way past it the way they can with MD5 or SHA-256. This is why your cybersecurity audit checklist for any service storing passwords should ask: \"Does this use bcrypt, scrypt, or Argon2id?\" Anything else is a data privacy risk at scale.",[12,192,193,194,200],{},"Want to see exactly what your password looks like after SHA-256 or SHA-512 hashing? Our ",[32,195,196],{},[54,197,199],{"href":198},"\u002Fhash-generator","Hash Generator"," — Zero-Knowledge, runs entirely in your browser's volatile memory, no data transmitted — lets you hash any input locally and inspect the output format.",[12,202,203],{},"The entropy formula makes this concrete:",[205,206,211],"pre",{"className":207,"code":209,"language":210},[208],"language-text","H = L × log₂(R)\n","text",[187,212,209],{"__ignoreMap":213},"",[12,215,216,217,220,221,224,225,228],{},"Where ",[32,218,219],{},"H"," = entropy in bits, ",[32,222,223],{},"L"," = password length, ",[32,226,227],{},"R"," = charset size (pool of possible characters).",[12,230,231],{},"A password using only lowercase letters (R = 26) at length 10 gives H ≈ 47 bits. Against MD5 at 164 billion guesses\u002Fsec, that's cracked in under a minute. Expand to full ASCII printable (R = 95), same length: H ≈ 66 bits. Now you're looking at years — even against MD5. Length and charset diversity aren't aesthetic choices. 
They're your actual defense.",[19,233],{},[22,235,237],{"id":236},"what-attackers-do-with-your-data-credential-stuffing","What Attackers Do With Your Data (Credential Stuffing)",[12,239,240],{},"Breached credentials don't just get used on the site that was hacked. They get fed into credential stuffing pipelines — automated tools that test your email\u002Fpassword pair against hundreds of services simultaneously. Gmail, Netflix, banking apps, anything with a login.",[12,242,243],{},[32,244,245],{},"The payload of a typical credential stuffing attack:",[247,248,249,253,256,259],"ul",{},[250,251,252],"li",{},"50,000+ breach records loaded as input",[250,254,255],{},"Rotating residential proxy networks to avoid IP blocks",[250,257,258],{},"Rate-limited request patterns to evade detection",[250,260,261],{},"Automated success\u002Ffailure logging",[12,263,264],{},"It's not a person sitting at a keyboard. It's a script running overnight. If your Spotify password is the same as your Chase password, the attacker doesn't need to know that — the script figures it out.",[12,266,267,270],{},[32,268,269],{},"This is why password reuse is the actual threat model",", not the breach itself. A site leaking your email address is mildly annoying. A site leaking the password you use everywhere is catastrophic.",[12,272,273,274,277],{},"Dictionary attack protection matters here too. Credential stuffing pipelines don't just test exact leaked passwords — they run variations: common substitutions (a→@, e→3), appended numbers, capitalization patterns. A password like ",[187,275,276],{},"P@ssw0rd99"," appears unique but sits in every dictionary attack wordlist. Entropy-based scoring catches this; human intuition doesn't.",[19,279],{},[22,281,283],{"id":282},"auditing-your-exposed-passwords","Auditing Your Exposed Passwords",[12,285,286],{},"Before you start changing things, you need a clear picture of what's actually at risk. 
Here's the systematic approach:",[288,289,290,296,302,311],"ol",{},[250,291,292,295],{},[32,293,294],{},"Identify the breached service's hash type."," Check HaveIBeenPwned for breach details, or look for security reports from the company. Older platforms often used MD5 or SHA-1 — assume those are cracked.",[250,297,298,301],{},[32,299,300],{},"List every account sharing those credentials."," Password manager exports make this fast. No manager? Search your email for \"welcome\" and \"verify your account\" to reconstruct your account history.",[250,303,304,307,308,310],{},[32,305,306],{},"Check each password's strength independently."," Don't guess — measure. The ",[54,309,57],{"href":56}," gives you entropy bits and three crack-time estimates: online throttled (realistic for web apps), offline MD5 (worst case for bad hash storage), and offline bcrypt (what properly secured systems give you).",[250,312,313,316],{},[32,314,315],{},"Prioritize by account sensitivity."," Email accounts first — they're the master key to everything else via password reset flows. Then financial. Then anything with payment info stored.",[19,318],{},[22,320,322],{"id":321},"the-right-way-to-replace-compromised-passwords","The Right Way to Replace Compromised Passwords",[12,324,325],{},"Don't generate replacements by hand. Your brain is a terrible CSPRNG. Humans are catastrophically bad at producing random output — we have patterns we don't notice, biases toward certain characters, and a tendency to create \"random-looking\" sequences that are actually low-entropy.",[12,327,328,329,332,333,337,338,341,342,345],{},"Avoid any generator that uses ",[187,330,331],{},"Math.random()",". It's seeded from system time and is fundamentally predictable. 
Our ",[54,334,336],{"href":335},"\u002F","Password Generator"," uses the ",[32,339,340],{},"Web Crypto API"," (",[187,343,344],{},"crypto.getRandomValues()","), ensuring your entropy source is as secure as your operating system's kernel.",[12,347,348],{},"For replacements, use these minimums:",[69,350,351,364],{},[72,352,353],{},[75,354,355,358,361],{},[78,356,357],{},"Account Type",[78,359,360],{},"Minimum Length",[78,362,363],{},"Minimum Entropy",[91,365,366,377,388,399],{},[75,367,368,371,374],{},[96,369,370],{},"Email (master key)",[96,372,373],{},"20 chars, full charset",[96,375,376],{},"128 bits",[75,378,379,382,385],{},[96,380,381],{},"Financial \u002F banking",[96,383,384],{},"18 chars, full charset",[96,386,387],{},"110 bits",[75,389,390,393,396],{},[96,391,392],{},"Social \u002F work accounts",[96,394,395],{},"16 chars, mixed charset",[96,397,398],{},"80 bits",[75,400,401,404,407],{},[96,402,403],{},"Low-risk (newsletters, etc.)",[96,405,406],{},"14 chars, mixed charset",[96,408,409],{},"70 bits",[12,411,412],{},"If you use a password manager (you should), generate 20+ character random passwords for everything. You only need to remember one master password — make that one a passphrase with 5+ words from a proper wordlist, not a pet's name with a number appended.",[12,414,415],{},"For passphrases, the entropy formula shifts:",[205,417,420],{"className":418,"code":419,"language":210},[208],"H = W × log₂(7776) ≈ W × 12.9\n",[187,421,419],{"__ignoreMap":213},[12,423,216,424,427],{},[32,425,426],{},"W"," = word count, and 7,776 = words in the EFF large wordlist (used in proper diceware generation). Five words gives ~64.6 bits — decent. Six words gives ~77.5 bits — strong. Seven words gives ~90 bits — very strong and still memorable.",[19,429],{},[22,431,433],{"id":432},"beyond-passwords-closing-the-other-attack-vectors","Beyond Passwords: Closing the Other Attack Vectors",[12,435,436],{},"Changing passwords handles credential stuffing. 
It doesn't handle everything.",[12,438,439,442],{},[32,440,441],{},"Enable TOTP-based 2FA immediately."," SMS-based 2FA is better than nothing but is vulnerable to SIM-swap attacks — an attacker ports your number to a new SIM and intercepts your codes. TOTP apps (Authy, Google Authenticator, 1Password) generate time-based codes locally. They're phishing-resistant and don't require a network connection to work.",[12,444,445,448],{},[32,446,447],{},"Passkeys are the 2026 gold standard."," If a service supports Passkeys (FIDO2\u002FWebAuthn), enable them. Passkeys are phishing-resistant by architecture — they bind to the exact origin domain at registration time, so a fake login page can never intercept them. Unlike TOTP, there's no code to steal. Unlike SMS, there's no number to SIM-swap. The private key never leaves your device. For high-value accounts (email, banking, password manager), migrate to Passkeys the moment the service supports them.",[12,450,451,454],{},[32,452,453],{},"Freeze your credit."," If the breach included SSN, date of birth, or address data, freeze your credit at all three bureaus (Experian, Equifax, TransUnion) and ChexSystems. Free in the US since 2018. It prevents new credit lines from being opened in your name — the most common identity theft vector after financial credential theft.",[12,456,457,460],{},[32,458,459],{},"Set up breach monitoring."," HaveIBeenPwned allows email monitoring with notifications for new breach inclusion. This catches future exposures before attackers act on them.",[12,462,463,466],{},[32,464,465],{},"Rotate your email address strategy."," Consider email aliasing — services like SimpleLogin or Apple's Hide My Email generate per-site addresses. A breach at a low-security site exposes only that alias, not your primary email. 
The attacker's spam list grows; your actual inbox stays clean.",[12,468,469,472,473,477],{},[32,470,471],{},"Use random identifiers, not real names."," For accounts that don't legally require your real identity, stop using your name as a username. Generate a ",[54,474,476],{"href":475},"\u002Fuuid-generator","UUID v4"," — 122 bits of cryptographic randomness — as a profile identifier. Even if the service is breached, the exposed username is a meaningless string with zero linkage to your other accounts or real identity.",[19,479],{},[481,482,483,488],"blockquote",{},[12,484,485],{},[32,486,487],{},"Pro Tip for Devs",[12,489,490,491,494,495,497],{},"If you're a developer, run a quick audit: grep your codebase for hardcoded credentials, check that your ",[187,492,493],{},".env"," files aren't committed to version control, and verify your password storage uses bcrypt or Argon2id — not MD5, SHA-1, or unsalted SHA-256. A data breach in a service you built is a different kind of bad day. Environment variable values should be high-entropy random strings — treat your ",[187,496,493],{}," secrets like passwords, because they are.",[19,499],{},[481,501,502,507,510],{},[12,503,504],{},[32,505,506],{},"🛡️ Security Checkpoint — Complete This Step",[12,508,509],{},"Your breach window is open right now. 
Every hour of reused credentials is another hour of active exposure to credential stuffing pipelines.",[247,511,512,519,525],{},[250,513,514,515,518],{},"→ ",[54,516,517],{"href":56},"Audit your password strength"," — measure entropy and crack time before you decide what to replace",[250,520,514,521,524],{},[54,522,523],{"href":335},"Generate breach-resistant replacements"," — Web Crypto API, full charset, minimum 16 characters",[250,526,514,527,531],{},[54,528,530],{"href":529},"\u002Fblog\u002Fpassword-security-best-practices","Check your password security practices"," — full stack: 2FA, breach monitoring, email separation",[19,533],{},[22,535,537],{"id":536},"the-48-hour-checklist-printable","The 48-Hour Checklist (Printable)",[247,539,542,552,558,564,572,578,584,590,596],{"className":540},[541],"contains-task-list",[250,543,546,551],{"className":544},[545],"task-list-item",[547,548],"input",{"disabled":549,"type":550},true,"checkbox"," Identify what data type was exposed (email \u002F hash \u002F plaintext \u002F PII)",[250,553,555,557],{"className":554},[545],[547,556],{"disabled":549,"type":550}," Check breach details at HaveIBeenPwned",[250,559,561,563],{"className":560},[545],[547,562],{"disabled":549,"type":550}," Audit all accounts sharing the compromised password",[250,565,567,569,570],{"className":566},[545],[547,568],{"disabled":549,"type":550}," Check each password's entropy score at ",[54,571,56],{"href":56},[250,573,575,577],{"className":574},[545],[547,576],{"disabled":549,"type":550}," Replace any password under 60 bits of entropy",[250,579,581,583],{"className":580},[545],[547,582],{"disabled":549,"type":550}," Replace the breached service's password with a 20+ char random string",[250,585,587,589],{"className":586},[545],[547,588],{"disabled":549,"type":550}," Enable TOTP 2FA on email and financial accounts",[250,591,593,595],{"className":592},[545],[547,594],{"disabled":549,"type":550}," Freeze credit if PII was exposed",[250,597,599,601],{"className":598},[545],[547,600],{"disabled":549,"type":550}," Set up breach monitoring on primary email",[12,603,604],{},"One breach handled correctly protects you from the next five. The goal isn't to panic — it's to close the open blast radius methodically and make your accounts structurally harder to compromise the next time a database somewhere gets dumped.",[19,606],{},[22,608,610],{"id":609},"frequently-asked-questions","Frequently Asked Questions",[166,612,614],{"id":613},"what-should-i-do-immediately-after-a-data-breach","What should I do immediately after a data breach?",[12,616,617],{},"Change every password that shares credentials with the breached service — that's your first priority. Then enable 2FA on all accounts, starting with email. Use an entropy-based strength checker to audit your existing passwords; anything under 60 bits is a liability. Don't rely on gut feeling about which passwords are \"strong enough\" — measure them.",[166,619,621],{"id":620},"how-do-hackers-use-stolen-passwords-from-data-breaches","How do hackers use stolen passwords from data breaches?",[12,623,624],{},"The primary attack vector is credential stuffing: automated pipelines that test leaked username\u002Fpassword pairs across thousands of sites simultaneously. The tools are cheap, the lists are large, and the attacks run continuously. If you've reused a password across any two services, a single breach compromises both accounts — often within hours of the dump appearing online.",[166,626,628],{"id":627},"how-long-does-it-take-to-crack-a-leaked-password","How long does it take to crack a leaked password?",[12,630,631],{},"It depends entirely on how the breached service stored your password. If they used MD5 (common in older systems), an RTX 4090 GPU runs at 164 billion guesses per second — an 8-character mixed-charset password cracks in under 2 seconds. bcrypt at cost 10 drops that to 184,000 guesses\u002Fsec — the same password takes years. 
The hashing algorithm is half the equation; your password strength is the other half.",[166,633,635],{"id":634},"is-it-safe-to-type-my-real-password-into-a-strength-checker","Is it safe to type my real password into a strength checker?",[12,637,638,639,641],{},"Only if the checker is fully client-side. Our ",[54,640,57],{"href":56}," runs entirely in your browser tab — the input never leaves your device, is never transmitted, and is discarded when you close the tab. The entropy calculation is pure JavaScript running locally, with no network requests.",[166,643,645],{"id":644},"what-is-credential-stuffing-and-how-is-it-different-from-brute-force","What is credential stuffing and how is it different from brute force?",[12,647,648],{},"Brute force tries every possible combination against a single account. Credential stuffing takes known username\u002Fpassword pairs from a breach and tests them across many services. It's faster, harder to detect (valid credentials succeed on first try), and scales across thousands of targets simultaneously. The defense is unique passwords per service — credential stuffing is useless if you don't reuse credentials.",{"title":213,"searchDepth":650,"depth":650,"links":651},2,[652,653,657,658,659,660,661,662],{"id":24,"depth":650,"text":25},{"id":63,"depth":650,"text":64,"children":654},[655],{"id":168,"depth":656,"text":169},3,{"id":236,"depth":650,"text":237},{"id":282,"depth":650,"text":283},{"id":321,"depth":650,"text":322},{"id":432,"depth":650,"text":433},{"id":536,"depth":650,"text":537},{"id":609,"depth":650,"text":610,"children":663},[664,665,666,667,668],{"id":613,"depth":656,"text":614},{"id":620,"depth":656,"text":621},{"id":627,"depth":656,"text":628},{"id":634,"depth":656,"text":635},{"id":644,"depth":656,"text":645},"Security","Got a breach notification? 
Here's exactly what to do in the first 48 hours — audit exposed passwords, stop credential stuffing, and lock down your identity fast.","md",[673,675,677],{"question":614,"answer":674},"Change every password that shares credentials with the breached service. Enable 2FA on all accounts. Check your reused passwords using an entropy-based strength checker — anything under 60 bits needs replacing now.",{"question":621,"answer":676},"Through credential stuffing — automated bots test leaked username\u002Fpassword pairs across thousands of sites simultaneously. If you reuse passwords, a single breach compromises every account sharing those credentials.",{"question":628,"answer":678},"Depends on the hash. An MD5-hashed 8-character password cracks in seconds on an RTX 4090 at 164 billion guesses\u002Fsec. A bcrypt-hashed 16-character password takes centuries. The algorithm matters as much as your password strength.","\u002Fimages\u002Fblog\u002Fprotecting-identity-after-data-breach.webp",{},"\u002Fen\u002Fprotecting-identity-after-data-breach","2026-04-30",{"title":5,"description":670},"en\u002Fprotecting-identity-after-data-breach",[686,687,688,689],"data breach protection","identity theft","password security","credential stuffing","Ky0jXcwqpp5EGLd56uB0i0jnMP7J5DcYH9j0YLanRY0",1778313696170]