Does this mean I have been hacked?
No. We’re only suggesting that your password makes it easier for your account to be hacked, and we recommend that you change it to something more complex.
Protecting the data stored in the ADAM database is a top priority. The primary cause of data loss from any online system is users choosing weak or common passwords.
What is wrong with my password?
You may have seen password strength meters or indicators on other websites which provide some indication of how “good” a password is. It might even be that your password has received glowing recommendations from them; after all, it may have uppercase letters, symbols and numbers and is not a word that appears in a dictionary… the list goes on.
Analysis has shown that many of these strength meters are ineffective at their task while providing a false sense of security to both the site management and their users. In some instances, the resulting passwords are essentially weaker because the meters ask you to conform to a fairly predictable pattern.
ADAM has taken a different approach to checking password security, one that is recommended by the “National Institute of Standards and Technology” (NIST), a US governmental organisation. NIST recommends that passwords are instead checked against lists of known passwords obtained from websites that have suffered data breaches and had their data published online. To be clear, ADAM is not one of these websites!
This technique is favoured because when malicious actors try to hack a system, they are likely to do so with a list of commonly used passwords. The data from the breached sites are used to generate these lists and, as such, you should choose a password that is not on these lists!
It is a recognised fact that passwords are difficult to remember and as such people tend to use the same password for multiple sites on the internet. If a password that you use on other internet sites is reported as being part of a data breach, it is advisable to change the password on all your online accounts. Ideally, no site should have the same password as another.
How does ADAM know that my password is used by other people?
ADAM uses a third-party service called “Have I been pwned?” (pronounced “owned”, a commonly abused typo). Your password is checked against a database of 320 million known and leaked passwords to see if there are any matches. If there are matches, it means that your password may well be amongst the first that are tried when someone attempts to hack an account.
As such, it is highly recommended that you choose another password for this site and for any others that you may already use this password on.
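One way a site can run this kind of check, shown as an added example rather than ADAM's own code: it assumes the Pwned Passwords range lookup, in which only the first five characters of the password's SHA-1 hash are sent and the comparison happens locally. The sample corpus, its counts and the function names are constructed for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public Pwned Passwords range endpoint


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix):
    """Live lookup: only the 5-character hash prefix leaves this machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the breach list (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():  # each line is "HASH_SUFFIX:COUNT"
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample corpus (counts are made up) so the example runs offline.
SAMPLE_CORPUS = {"password1": 2400000, "Summer2017!": 5100,
                 "correct horse battery staple": 120}


def sample_fetch(prefix):
    """Stand-in for the service: answers a range query from SAMPLE_CORPUS."""
    assert len(prefix) == 5, "only a 5-character prefix may be sent"
    hits = ((sha1_hex(pw), n) for pw, n in SAMPLE_CORPUS.items())
    return "\r\n".join(f"{d[5:]}:{n}" for d, n in hits if d.startswith(prefix))


if __name__ == "__main__":
    for pw in ("Summer2017!", "correct horse battery staple",
               "tangerine ferry lamp quilt 41"):
        n = breach_count(pw, fetch=sample_fetch)
        verdict = f"seen {n} times, reject" if n else "not in sample corpus"
        print(f"{pw!r}: {verdict}")
```

“Summer2017!” would satisfy most strength meters, yet it is rejected here because it is on the list, which is the point made above about predictable patterns.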
What makes a good password?
While we can’t argue with the fact that introducing uncommon characters and symbols into your password makes it more challenging to guess, the best advice that we can offer is to make your password as long as you can.
There are numerous suggestions that a pass phrase is several orders of magnitude better than any 8-character password. A famous example is “correct horse battery staple” (don’t choose that one!). It’s easy to type and arguably is significantly more difficult to hack than your average “excellent” password on a strength meter, even though the strength meter might disagree entirely.