How to tell if your password has been stolen

Creating a strong, unique password and storing it in a password manager or browser is not good enough. You need to know if and when your password was stolen in a password breach, so that you can act quickly enough to change that password before your personal information is potentially compromised. See how.

It’s been some time since the massive Collections breaches of 2019 leaked literally billions of email addresses and passwords to the web, putting the security of those accounts at risk. The problem users faced at the time was that there were few ways to know whether they were really at risk. There are now many password monitoring services that reveal whether your password has been stolen. Many are designed to let you act quickly and change the affected passwords.

Basic services to reveal email breaches

Two reliable services for checking this existed at the time of the Collections breaches and still exist: HaveIBeenPwned and a service run by the Hasso-Plattner-Institut in Potsdam, Berlin. Both ask you to enter your email address (not your password!), and both compare your email address against a database of known breaches.

Both services have their appeal. HaveIBeenPwned’s reputation attracts those who wish to publicize their attacks, so the site’s breach report appears comprehensive. The website lists the breaches in which an email address has been detected, along with any other information that was exposed, such as your gender or your phone number. The site organizes breaches by service, not by date. Why is that important? Because if your email was exposed in a breach in 2016, for example, it’s likely that your password has been changed since then. But if your email and password were exposed last month, you’ll want to change them right away.

HaveIBeenPwned provides a great deal of information about breaches, but it could be better organized.

HaveIBeenPwned also shows breach information for any email address, which is useful for checking on friends and family, although it is not the most privacy-conscious approach.

The HPI service takes a different approach. It lists breaches by date, along with a matrix of what information has been exposed. If you enter an email address on the website, it will send a security report to that specific email address, along with a color-coded chart of what data is at risk and in which breach.

HPI will send you a matrix of what information has been exposed along with your email, organized by the most recent.

Browsers are adding password monitoring for free

Both of the above services reveal only whether a specific email address was part of a breach, however – not whether a non-email username (“billg,” say) was exposed. Here, you want a reliable service that knows you, as well as the passwords you chose. Don’t go chasing random websites to “check” your passwords – you’ll want to stick with a few trusted names. (Also, note that password monitoring is a paid service for most password managers, but not for password managers in a web browser.)

Google password verification

In 2019, Google added a free browser plugin for Chrome that warned, once you signed in to a compromised website, if your email or password had been compromised. In October 2019, Google started automatically checking passwords against breaches and, starting with Chrome 79, started monitoring how you use them online to help you avoid being “phished,” or tricked into disclosing your password under false pretenses.

The Google Password Checker has a useful dashboard to show whether your password has been compromised.

Now, if you go to passwords.google.com and authenticate, Google’s online password verification will provide a quick dashboard of which passwords have been exposed in security breaches, which have been duplicated on multiple sites, and which can be improved with more complex passwords to avoid being easily broken if a breach occurs. There are also links to change passwords on the websites themselves. However, this works only if you have stored passwords using Google itself.

Firefox Lockwise

Firefox Lockwise, part of the free Mozilla Firefox browser, works a little differently. It does not offer the recommendations that Google makes about redundant and weak passwords, but its password monitoring feature works in a similar way. It also seems to work regardless of whether you have stored a password in Firefox or simply imported passwords from another browser. However, like Google, it needs to “know” your password, which requires you to store it in your browser.

The easiest way to get to Lockwise is to type about:logins in the Firefox URL bar.

Firefox Lockwise integrates password monitoring within the Firefox browser.

If a password is exposed, you will see a bright red banner, the account and password in question and a link to access the account in question. (You can also flag accounts that you may have already deactivated, as with a LinkedIn breach that showed me that it was linked to a previous work account.)

Microsoft Edge password monitor

Last year, Microsoft promised an upcoming Password Monitor within Microsoft Edge, and it will soon be released as part of Microsoft Edge 88. Like the similar services offered by other browser makers, it will be free.

Edge is launching a complex password generator and, soon, a password monitor as well.

Paid password monitoring: password managers

We’ve already reviewed password managers, which are the most convenient way to manage passwords. Below is a summary of which password managers do what in terms of monitoring.

LastPass

Although LastPass offers a robust, free version of the password storage services that browsers offer, password monitoring is something LogMeIn’s LastPass service charges for. LastPass will keep an eye on the “dark web” in case a password is leaked – but it will also send a notification when that happens, something that the browser makers still don’t do. Is this heads-up worth the $3 per month that LastPass charges for the service? If you value locking down your personal data immediately, it may be.

LastPass monitors the dark web for breached passwords, for a small monthly fee.

Dashlane

Dashlane also considers “dark web” monitoring to be a paid service and charges $6.49 a month for it.

1Password

1Password does not offer a free tier, but its basic $2.49/month service includes what the company calls “Watchtower,” which alerts you to compromised passwords, as well as those that must be updated because they are weak. 1Password actually works with the HaveIBeenPwned service to check your passwords (not your email) against its database of cracked passwords. But as an added security measure, 1Password sends only part of your password (or, specifically, part of the password hash), collects all potential matches and checks them privately on your machine.

1Password’s Watchtower password monitoring service.

Other password managers tend to charge small fees for password monitoring, but who knows? It is possible that the competitive influence of Microsoft and Google, in addition to Mozilla, could pull password monitoring back to a free service in the coming years.
