Changing your password
In LedgerBear, you change your password the same way you'd recover a forgotten one: through the password reset flow. There's no separate "change password while signed in" screen, and that's intentional.
How to change your password
- Sign out, or open the sign-in page in a new tab.
- Click Forgot your password?.
- Enter your email address and submit.
- Open the reset link we email you and choose a new password.
The step-by-step walkthrough lives in If you forget your password — it's the exact same flow whether you've genuinely forgotten the old password or just want a new one.
Why there's only one path
Routing every password change through email keeps things both simpler and safer:
- One well-understood flow rather than two that can drift out of sync.
- It re-verifies you via email every time. Receiving and using the reset link proves you control your inbox, the same factor LedgerBear relies on for multi-factor authentication at sign-in. Changing a password is a sensitive action, so confirming it through that second channel is worth the extra step. The flip side is that whoever controls your inbox can reset your LedgerBear password, so protect the email account itself at least as carefully as this one.
- It doesn't depend on remembering the old password, which is usually the whole reason you're changing it.
What happens to your other sessions
Resetting your password invalidates every session tied to your user, across every device and browser. If you were signed in on your phone when you reset from your desktop, the phone's session ends and you'll have to sign in again with the new password.
If someone had your old password, they're out now: any session they had is gone, and the old password no longer gets them back in.
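The following is an added example, not LedgerBear's code, modelling the flow described above: the user is re-verified through an emailed single-use reset token, and completing the reset bumps a per-user session generation so every session on every device stops validating. All class and function names are hypothetical, the "email" is a constructed in-memory outbox, and the 15-minute link lifetime is an assumed policy, not something the page states.

```python
# Added example, not LedgerBear's code: a minimal model of the reset flow this
# page describes. The user is re-verified through an emailed single-use token,
# and completing the reset invalidates every existing session. Hypothetical
# names throughout; the "email" is a constructed in-memory outbox.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60   # assumed policy: a reset link is good for 15 minutes
PBKDF2_ROUNDS = 100_000       # stand-in for a memory-hard hash such as Argon2id


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash; this string is what gets stored, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex = stored.split(":", 1)[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class User:
    email: str
    password_hash: str
    session_generation: int = 0   # bumped on every reset; sessions issued earlier die


class AuthService:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Tuple[str, int]] = {}        # session id -> (email, generation)
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (email, expiry)
        self.outbox: List[Tuple[str, str]] = []               # (email, token) "sent" by email

    def register(self, email: str, password: str) -> None:
        self.users[email] = User(email, hash_password(password))

    def login(self, email: str, password: str) -> Optional[str]:
        user = self.users.get(email)
        if user is None or not verify_password(password, user.password_hash):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = (email, user.session_generation)
        return session_id

    def session_is_valid(self, session_id: str) -> bool:
        entry = self.sessions.get(session_id)
        if entry is None:
            return False
        email, generation = entry
        # A session minted before the latest reset carries an older generation number.
        return generation == self.users[email].session_generation

    def request_reset(self, email: str, now: Optional[float] = None) -> None:
        """Steps 2 and 3 of the flow: 'Forgot your password?' plus an email address.
        Returns nothing either way so the response cannot be used to enumerate accounts."""
        now = time.time() if now is None else now
        if email not in self.users:
            return
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a leaked table cannot redeem reset links.
        token_key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self.reset_tokens[token_key] = (email, now + RESET_TTL_SECONDS)
        self.outbox.append((email, token))

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Step 4: the user opens the link and chooses a new password."""
        now = time.time() if now is None else now
        token_key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self.reset_tokens.pop(token_key, None)   # pop makes the link single-use
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        user = self.users[email]
        user.password_hash = hash_password(new_password)
        user.session_generation += 1   # every session on every device now fails validation
        return True
```

The generation counter is the piece that delivers "every session ends": sessions record the generation they were issued under, and a reset increments the user's counter, so no table of sessions has to be walked and a session store that was out of sync could not resurrect an old login. Storing only a hash of the reset token, and popping it on first use, means a copied database or a replayed link cannot complete a second reset.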
Password requirements
LedgerBear requires a minimum of 12 characters, and that's the only hard rule. We deliberately don't impose the old-fashioned "must contain an uppercase letter, a number, and a symbol" requirements. That guidance has fallen out of favor: it tends to push people toward predictable patterns like Password1! without actually making passwords harder to guess. Our approach follows current NIST guidance (SP 800-63B), which favors length and screening against known-breached passwords over arbitrary composition rules.
So you're free to use anything you like (a long passphrase of ordinary words, a string from a password manager, emoji, spaces, whatever) as long as it's at least 12 characters and hasn't shown up in a known data breach (more on that below).
Standard advice still applies:
- Longer is better. Twelve characters is the floor; 16+ or a multi-word passphrase is better.
- Length beats character-class juggling. A long, memorable phrase outperforms a short, gnarly one.
- Don't reuse a password you use elsewhere. When another site is breached, attackers feed the leaked email and password pairs into every other login page they can find (credential stuffing), so one leak unlocks every account that shares the password.
- A password manager (1Password, Bitwarden, your browser's built-in one) makes unique per-site passwords tractable. Generate one, store it, forget it.
"This password has appeared in a known data breach"
If you see that message when setting or changing your password, don't panic — it does not mean your LedgerBear account was breached, and it doesn't mean we somehow have your password on file. It means the exact password you typed appears in a public list of credentials exposed in breaches of other services over the years.
We check this using Have I Been Pwned, a well-respected, independent breach-tracking service that maintains a database of over a billion passwords seen in real-world breaches. Attackers use these same lists to break into accounts — if a password is on one of them, it's a known quantity and a much weaker choice, no matter how long or random it looks.
How the check protects your privacy
We never send your password to Have I Been Pwned or to anyone else. The check uses a privacy-preserving technique called k-anonymity: when your new password arrives, LedgerBear's server computes its SHA-1 hash (the form Have I Been Pwned indexes its list by), sends only the first five hexadecimal characters of that hash to Have I Been Pwned, and receives back every hash suffix in their database that starts with those five characters. That list is typically several hundred entries long, and our server compares the rest of your hash against it. Have I Been Pwned sees a 20-bit prefix that hundreds of other passwords share and cannot tell which one, if any, was yours; your actual password, and even its full fingerprint, never leaves our server. The check runs at the moment you set the password because that's the only time we have it: afterwards we store only a salted hash, which can't be looked up in anyone's list.
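As an added example serving both the "Password requirements" section and the k-anonymity description above (not LedgerBear's code), here is a length-only validator with a breach check shaped like the Have I Been Pwned range API. The network call is replaced by a constructed in-memory corpus so it runs offline; the real endpoint is GET https://api.pwnedpasswords.com/range/<prefix>. The NFKC normalization step, the tiny breach corpus and its counts, and the message wording are assumptions for illustration.

```python
# Added example, not LedgerBear's code: a 12-character-minimum policy with no
# composition rules, plus a k-anonymity breach check modelled on the HIBP
# Pwned Passwords range API. The HIBP call is replaced by a constructed lookup.
import hashlib
import unicodedata
from typing import Callable, List

MIN_LENGTH = 12

# Constructed breach corpus (password -> times seen) standing in for HIBP's
# database. Assumed to be queried server-side right after the new password
# arrives over TLS, the only moment the plaintext is available.
_CONSTRUCTED_BREACHED = {
    "Password1!": 140_000,
    "password1234": 85_000,
    "correcthorsebatterystaple": 3_200,
}

prefixes_sent: List[str] = []   # everything that would leave the server, for inspection


def sha1_hex(password: str) -> str:
    # HIBP keys its Pwned Passwords corpus by the uppercase hex SHA-1 of the password.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>: returns 'SUFFIX:COUNT' lines for every
    corpus entry whose SHA-1 starts with the 5-hex-character (20-bit) prefix."""
    assert len(prefix) == 5, "only the 5-character prefix may be sent"
    prefixes_sent.append(prefix)
    lines = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)   # HIBP returns CRLF-separated lines


def breach_count(password: str, range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """Times the password appears in the breach corpus (0 = not seen).
    Only the first 5 hex characters of the hash go out; the remaining 35 are
    compared locally against the returned candidates, so the remote side
    learns a bucket, not the password."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def validate_password(password: str, range_lookup: Callable[[str], str] = fake_range_lookup) -> List[str]:
    """Return the list of problems with a candidate password (empty = accepted)."""
    # Following SP 800-63B: normalize Unicode (NFKC, an assumed choice) before
    # measuring or hashing, count code points so spaces and emoji count as
    # characters, and impose no uppercase/digit/symbol composition rules.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"Use at least {MIN_LENGTH} characters")
    count = breach_count(normalized, range_lookup)
    if count:
        problems.append(f"This password has appeared in a known data breach ({count:,} times)")
    return problems
```

The `prefixes_sent` list exists so you can confirm the privacy property rather than take it on faith: after any number of checks it contains only five-character prefixes, never a full hash. A real deployment would also cache range responses briefly and treat a lookup failure as "unknown" rather than silently accepting the password.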
What to do if you hit it
Just pick a different password. The simplest reliable fix is to let a password manager generate a fresh random one. If you were about to reuse a password from another account, this is a good nudge not to.
A quick PSA: if a password you recognize is flagged here, assume it's compromised everywhere you've used it, not just on the site it leaked from. Change it on those other accounts too, and stop reusing it. You can check your own email address at haveibeenpwned.com to see which breaches you've been caught up in — it's free and a genuinely useful habit.