TechLife Australia

Password Monitors

Time to check if your passwords have been stolen.


If you’re a user of Microsoft’s Edge browser, in the last couple of months you may well have encountered a new kind of security popup, one telling you that a password you have is compromised. This is the result of Microsoft adding a new Password Monitor into the browser platform early this year.

This type of security tool isn’t new – both Firefox and Chrome already have these tools built in, though they generally aren’t so in-your-face about notifying you of a breach. There are also password monitors built into the paid versions of a number of Password Manager services and several free websites that will do the job as well.

If you’re not already using one, all of these are definitely worth using and making part of your regular security precautions. Anybody who has ever experienced this kind of breach will know that it can result in a cascade of issues.

So what does a password monitor do?

Password monitors are a relatively new kind of security service, only becoming prevalent in the last couple of years as the number of corporate security breaches has piled up. Breaches of business and government security systems are so common now that they barely even make the news anymore, but nonetheless those breaches have resulted in hundreds of millions of user passwords being leaked to the dark web.

What a password monitor or checker does is gather those lists of known leaked passwords and compare them to your stored passwords to see if any of your passwords have been leaked. In some cases they will also or alternatively do a check of your email address (which is now almost universally used as the username) to see if it appears in any of those leaked databases.

These services, it should be recognised, are far from flawless. Not every leaked password makes it onto the public dark web. Many are held and sold privately to criminal groups, so won’t appear on the list of known leaks.

If there is a hit and one of your passwords has made it into the wild, it’s critical that you change it immediately. Some services, like Dashlane and LastPass, have an automatic password changer for selected sites built in, but otherwise you’ll need to do it manually.

A look at the password monitors available

The browsers

The major browsers all have password checkers built in now. They do require that the passwords being checked be in the browser, so if you use a third party password manager like LastPass, these will not be effective.

Google Chrome

First available as an Extension then fully integrated into Chrome in 2019, Google’s password checker will go through all the passwords saved in your Google Account and check them against the known list of leaked passwords. It only works for passwords stored in your Google Account and you must be logged into Google to run the check.

You can either do it from the browser by going to Settings > Safety check, or better yet by going to passwords.google.com and selecting the option to go to Password Checkup.

Microsoft Edge

Microsoft Edge is more aggressive about telling you about compromised passwords, and will run a regular automatic check in the background. If it detects a compromised password, it will take you to the Password Monitor. Alternatively, you can go to the Monitor by typing edge://settings/passwords/passwordmonitor into the Edge address bar.

Any compromised passwords will be listed, each with a link to the website where you can change it. If it’s an old password that is still in your password manager but you’ve already changed it or closed the account (or you simply don’t care about it), you can put it on Ignore.

Mozilla Firefox

Firefox’s Lockwise Password Manager does a check of all saved passwords using the Have I Been Pwned service (more on that below). You’ll get a notification of a breach, and in the Lockwise password manager a compromised password will have a red mark next to it. Conveniently, if there are other sites where you’ve used the same password as the compromised site, then they will also be marked with a key icon.

Public checkers

If you don’t store your passwords in a browser, there are also a number of sites that can perform a check for you based on your email address. You just enter your email address into the site, and it will provide a list of all known breaches involving that email address. These sites include haveibeenpwned.com, sec.hpi.de/ilc/ and monitor.firefox.com.

Each works more or less the same: you enter your email address or possibly phone number into the field, and it will return a list of known breaches involving that address or number.

Password Managers

A number of password managers also include password checkers, though the check is very often available only in paid accounts, as is the case with LastPass and Dashlane, two of the most popular password managers. We can’t look at every password manager here, but let’s look at those two:

LastPass

In LastPass, the password checker is called Dark Web monitoring, and it’s available only for Premium users. To enable it, head to your LastPass Vault using the browser icon, then click on Security Dashboard on the left. Down the bottom of the page, you’ll find Dark Web monitoring; click on Start monitoring to turn it on.

Once on, it will provide a warning if any of the email addresses used in your LastPass passwords have been compromised. You will likely need to check back in your Security Dashboard occasionally to see if there have been any breaches.

Dashlane

Also called Dark Web Monitoring in Dashlane, it’s available to Premium users only, and is limited to monitoring a maximum of five email addresses. Dashlane does not auto-populate the monitor – instead, in the web interface you click on Dark Web Monitoring on the left, then you manually add up to five email addresses (which will require an email confirmation) to be monitored. When a breach is detected, Dashlane will send an email and in-app alert to notify you of a compromise.

Shut them all down!

If there’s a breach and one of your passwords is leaked, then it’s absolutely critical that you perform a quick check on your other passwords, even if they haven’t been breached.

For better or worse (worse, really) most people will use the same password for multiple websites. And you can be absolutely sure that if, say, your Twitter password gets out there, then criminals are going to try the same username/password combination on Google, Microsoft, various banking sites and everything else they can. It can and will quickly turn into a chain of breaches.

Fortunately, most of the password managers above will provide you a password check that will list sites where you use the same password. If any match the breached site, it’s just as imperative that you change the others as the breached site.

Of course, you can save yourself that hassle if you ensure you use a unique password for each site, but, we know, it’s a work in progress.
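The two checks described in this article, comparing saved passwords against a leaked-password list and finding other sites that reuse a breached site's password, can be sketched as follows. This is an added example, not code from the article or from any browser or password manager; the vault, the leaked list and all function names are constructed, and bucketing hashes by a short prefix is an assumed design that lets a checker select a bucket without handing over the full password.

```python
import hashlib
from collections import defaultdict
# Constructed sample data: a leaked-password list and a saved-password vault.
LEAKED = ["hunter2", "letmein123", "P@ssw0rd!"]
VAULT = [
    ("twitter.example", "sam@example.com", "hunter2"),
    ("bank.example", "sam@example.com", "hunter2"),
    ("shop.example", "sam@example.com", "letmein123"),
    ("mail.example", "sam@example.com", "x9!Lq-unique-7Tz"),
    ("forum.example", "sam@example.com", "Tr0ub4dor&3-forum"),
    ("news.example", "sam@example.com", "Tr0ub4dor&3-forum"),
]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_leak_index(leaked_passwords):
    """Bucket leaked-password hashes by their first 5 hex characters."""
    index = defaultdict(set)
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index

def is_leaked(password, index):
    """The 5-character prefix selects a bucket; the rest is compared locally."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

def leaked_sites(vault, index):
    return sorted(site for site, _user, pw in vault if is_leaked(pw, index))

def sites_sharing_password(vault, breached_site):
    """Other sites whose saved password equals the breached site's password."""
    breached = {pw for site, _u, pw in vault if site == breached_site}
    return sorted(site for site, _u, pw in vault
                  if pw in breached and site != breached_site)

def change_list(vault, index, breached_sites=()):
    """Sites to change: leaked passwords plus reuse of breached-site passwords."""
    todo = set(leaked_sites(vault, index))
    for site in breached_sites:
        todo.add(site)
        todo.update(sites_sharing_password(vault, site))
    return sorted(todo)

if __name__ == "__main__":
    idx = build_leak_index(LEAKED)
    print(change_list(VAULT, idx, breached_sites=["forum.example"]))
```

Note that forum.example and news.example end up on the change list even though their shared password is not in the leaked list: a breach notice for one site is enough to put every site reusing that password at risk.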

Password Managers like Dashlane and LastPass now have automatic password changers.
Checking your passwords in Google. The list of compromised passwords needs to be changed immediately.
Edge will warn you if it detects a compromised password.
Lockwise marks passwords that have been breached.
Have I Been Pwned gives a detailed breakdown of the instances where your password has been released to the public.
Dashlane has one of the most robust and accessible monitoring and remediation systems, but it’s only available for Premium users.
LastPass will monitor email address breaches.
