How to tell if your password has been stolen
These monitors can help you find out.
Coming up with a strong, unique password and storing it in a password manager or browser isn’t good enough. You need to know if and when your password was stolen in a password breach, so you can act quickly enough to change that password before your personal information is potentially compromised. Here’s how.
It’s been some time since the massive Collections breaches of 2019 leaked literally billions of email addresses and passwords to the web, putting the security of those accounts at risk. The problem users faced at the time was a limited number of ways to tell if they were actually at risk. Now, there are many password monitoring services that will
reveal if your password has been stolen. Many are designed to let you quickly take action and change them.
BASIC SERVICES TO REVEAL EMAIL BREACHES
Two reputable services to check this information existed at the time of the Collections breach, and still do: HaveIBeenPwned (fave.co/3pbycZg), and a service run by the Hass-Platner-Institut (fave.co/3jCno5a) in Potsdam, Berlin. Both ask you to enter your email address (not your password), and both will then match your email address against a database of known breaches.
Both services have their appeal. HaveIBeenPwned’s reputation attracts those who wish to publicize their attacks, so the site’s breach reporting seems comprehensive. The site will list the breaches that an email address has been caught up in, along with any corollary information – such as your gender or what your phone number is, for example. The site organizes the breaches by the service attacked, not the date. Why is this important? Because if your email was exposed in a breach in 2016, for example, chances are that your password has been changed since then. But if your email and password were exposed last month, you’ll want to change them right away.
HaveIBeenPwned also publishes the breach information for any email address, which is handy for checking up on friends and family, though it isn’t the most privacy-conscious.
HPI’s service takes a different approach. It lists the breaches by date, along with a matrix of what information was exposed. If you enter an email address on the site, it will send a security report to that specific email, along with a
colour-coded chart of what data is at risk, and from what breach.
BROWSERS ARE ADDING FREE PASSWORD MONITORING
Both of the above services only reveal if a specific email address has been part of a breach, however – not if a nonemail username – ‘billg’, say – has been exposed. Here, you’ll want a trusted service that knows you, as well as the passwords that you’ve chosen. Don’t go chasing random sites to ‘check’ your passwords – stick with trusted names. (Also, note that password monitoring is a paid service for most password managers – but not for password managers within a web browser.)
Google Password Checkup
In 2019, Google added a free browser plug-in for Chrome that warned you, once you’d logged into a compromised site, if your email or password had been compromised. In October of 2019 Google began automatically checking passwords against breaches, and as of Chrome 79 began monitoring your online use to avoid getting ‘phished’,
or lured into divulging your password under false pretences.
Now, if you go to passwords. google.com and authenticate yourself, Google’s online Password Checkup will give you a quick dashboard of which passwords have been exposed in security breaches, which have been duplicated across various sites, and which could be improved with more complex passwords to avoid being easily cracked if a breach were to occur. There are also links to change the passwords on the sites themselves. However, this works only if you’ve stored passwords using Google itself.
Firefox Lockwise
Firefox Lockwise, part of the free Mozilla Firefox browser, works in a slightly different manner. It doesn’t offer the recommendations that Google does about redundant and weak passwords, but its password monitoring feature otherwise works similarly. It also seems to work regardless of whether you’ve stored a password within Firefox, or simply imported passwords from another browser. Like Google, though, it needs to ‘know’ your password, which requires you to store it in the browser.
The easiest way to get to Lockwise is by typing about:logins into the Firefox URL bar. If a password has been exposed, you’ll see a bright-red banner, the account and password in question, and a link to jump to the account in question. (It may also flag accounts that you may have already disabled, as it did with a LinkedIn breach it showed for me, which had been tied to a previous work account.)
Microsoft Edge Password Monitor
Last year Microsoft promised an upcoming Password Monitor within Microsoft Edge, and it will soon roll out
as part of Microsoft Edge 88. Like the other similar services offered by other browser makers, it will be free.
PAID PASSWORD MONITORING: PASSWORD MANAGERS
You can see our top picks on page 89.