Last month I got the email everyone dreads: "Your account may have been compromised in a data breach."
I checked. Same password on 47 other sites.
Manually changing 47 passwords takes 4-8 hours. I did it in 30 minutes. Here's how.
The math that made me automate this
| Accounts | Manual time | Automated |
|---|---|---|
| 10 | 1-2 hours | 10 min |
| 25 | 2-4 hours | 20 min |
| 50 | 4-8 hours | 40 min |
| 100 | 8-16 hours | 1.5 hours |
Each manual password change:
- Open site, log in (30 sec)
- Navigate to settings (20 sec)
- Find password section (15 sec)
- Generate new password (10 sec)
- Enter old + new password (20 sec)
- Submit, verify (15 sec)
- Update password manager (20 sec)
~2.5 minutes per site. Times 50 sites. You see the problem.
The 72-hour window
Security researchers call it the "golden window" - the 72 hours after breach disclosure when:
- Credentials haven't hit dark web marketplaces yet
- Attackers are still processing the data
- You can get ahead of the damage
After 72 hours, your leaked password is being tested against thousands of sites by automated credential stuffing tools.
How I automated password rotation
I built an AI agent using browser-use (89% benchmark score, open source).
The flow:
```python
from browser_use import Agent, ChatOpenAI


async def rotate_password(site: str, old_pass: str, new_pass: str):
    # The task refers to the credentials only by placeholder name; the real
    # values never appear in the prompt.
    agent = Agent(
        task=f"""
        Go to {site}
        Navigate to account settings
        Find the password change section
        Enter current_password into the current-password field
        Enter new_password into both new-password fields
        Submit and verify success
        """,
        llm=ChatOpenAI(model="gpt-4o"),
        # Credentials injected locally - browser-use substitutes these into the
        # page itself, so the LLM only ever sees the placeholder names.
        sensitive_data={
            "current_password": old_pass,
            "new_password": new_pass,
        },
    )
    return await agent.run()
```
The key security insight: the AI navigates the UI, but credentials are injected locally. The LLM never sees your actual passwords.
Priority system for breach response
Not all accounts are equal. Here's how I prioritize:
| Priority | Type | Examples | Why |
|---|---|---|---|
| P0 | Financial | Banks, PayPal | Direct money loss |
| P0 | Email | Gmail, work email | Password reset gateway |
| P1 | Cloud | iCloud, Dropbox | Sensitive documents |
| P2 | Shopping | Amazon, eBay | Stored payment methods |
| P3 | Social | Twitter, LinkedIn | Reputation |
| P4 | Misc | Forums, loyalty | Lower impact |
P0 accounts first. Always.
Handling the edge cases
2FA prompts: Agent pauses, you complete 2FA, agent continues.
```
Agent paused: MFA required for chase.com
Please complete verification in browser window.
[Continue] [Skip]
```
CAPTCHAs: Same pattern - agent pauses for human solve, then continues.
Site-specific password rules: Agent adapts generation:
```python
# Site requires 8-16 chars, no symbols (generate is the tool's own password generator)
password = generate(
    min_length=8,
    max_length=16,
    symbols=False,  # Adapted for this site
)
```
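Three pieces of the workflow above in one script: the reuse check from the checklist at the end of the post, the P0-first ordering from the priority table, and the per-site generation rule. This is an added example, not code from the post or from thepassword.app; the hostname keywords, the `generate` signature and the sample CSV are my own constructions.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample export in the common name,url,username,password layout.
SAMPLE_CSV = """name,url,username,password
Chase,https://www.chase.com,alice,Winter2023!
Gmail,https://mail.google.com,alice@gmail.com,Winter2023!
Dropbox,https://www.dropbox.com,alice,Winter2023!
Amazon,https://www.amazon.com,alice,Winter2023!
Hobby forum,https://forum.example.net,alice,uniqueP@ss1
"""

# Priority buckets from the table above; the hostname keywords are my assumption.
PRIORITY_RULES = [
    (0, ("chase.com", "paypal.com", "bank")),   # P0 financial
    (0, ("mail.google.com", "outlook.")),       # P0 email (password reset gateway)
    (1, ("icloud.com", "dropbox.com")),         # P1 cloud storage
    (2, ("amazon.com", "ebay.com")),            # P2 shopping
    (3, ("twitter.com", "linkedin.com")),       # P3 social
]

def priority_for(url: str) -> int:
    host = url.split("//")[-1].split("/")[0].lower()
    for prio, needles in PRIORITY_RULES:
        if any(n in host for n in needles):
            return prio
    return 4  # P4: forums, loyalty programs, everything else

def reused_accounts(csv_text: str) -> list[dict]:
    """Rows whose password is shared with at least one other site, P0 first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row)
    reused = [r for grp in by_password.values() if len(grp) > 1 for r in grp]
    return sorted(reused, key=lambda r: (priority_for(r["url"]), r["name"]))

def generate(min_length: int = 16, max_length: int = 32, symbols: bool = True) -> str:
    """CSPRNG password clamped to the site's length rule, with or without symbols."""
    alphabet = string.ascii_letters + string.digits
    if symbols:
        alphabet += string.punctuation
    length = min(max_length, max(min_length, 20))  # aim for 20 chars, respect the site cap
    while True:  # redraw if a character class is missing (rare, cheap to repeat)
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw):
            return pw
```

Feed `reused_accounts` a real manager export and the returned order is the rotation queue; the unique forum password is left out because it was never exposed by reuse.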
Anti-bot protection: Use your real Chrome profile with cookies/history. Success rate jumps from 60% to 90%.
The results
Tested on 100+ sites:
- 89% success rate (automated fully)
- 8% required human intervention (CAPTCHAs, unusual flows)
- 3% failed (heavy anti-bot, manual only)
Time for 50 accounts: 32 minutes (with ~15 2FA prompts)
Why local execution matters
Every cloud-based automation tool (Operator, Claude CUA) sends screenshots to external servers. For password changes, that means:
- Your bank login screen → OpenAI's servers
- Your credentials being typed → visible to provider
- Every site you use → logged somewhere
For breach response, I want zero data leaving my machine.
The tool I built
I packaged this into a Mac app: thepassword.app
- Import CSV from any password manager
- AI rotates passwords (visible browser, you watch it work)
- Export new passwords back to your manager
- Everything runs locally
Free tier: 5 passwords/month. Unlimited: $2.99/month.
Your breach response checklist
First hour:
- [ ] Identify what was breached
- [ ] Enable login alerts on bank + email
- [ ] Check password reuse
First 24 hours:
- [ ] Change P0 accounts (financial, email)
- [ ] Enable 2FA everywhere
- [ ] Review recent account activity
First 72 hours:
- [ ] Rotate all reused passwords
- [ ] Update password manager
- [ ] Set up credit monitoring if needed
Have you automated any part of your security workflow? What does your breach response process look like?