My password has appeared in a data breach, what does this mean?

To ensure the safety of all users of Tryst we have implemented a system check during account creation, login, or password reset that will ensure the password for your account doesn't appear in an existing data breach.

Why do we do this check?

One of the easiest ways for someone to try and take over your account, on any website, is to attempt to log in using email and password combinations found in leaks from other sites, like these ones from Kickstarter, MySpace, and Tumblr. Attackers collate these different breaches together to create large datasets with hundreds of millions of entries and then try to log in to other accounts using the information in them because they know people re-use passwords a lot.

What should I do now?

The number one thing you can do is to use a unique password on every site that you have a login for. Check out our password guide for tips on setting good passwords and using a password manager. If you have seen the warning message when you tried to login to Tryst or sign up for a new account, we recommend that you also change any other account that also uses that same password and replace it with a unique one.

How do we do this check?

The most important thing to know about how we perform this check is that your password never leaves Tryst.

To check if the password you are trying to use has been compromised or not we first hash it, which is a one-way process that turns your password into a long encrypted string of characters. We then compare only the first 5 characters of this hash against a database which gives us back a full list of hashes (several hundred plus!) and we check if your entire hash appears in that list. This way your password never leaves our system and the small amount of data we use to query the database is not able to be used to work out what your password was to begin with.