Here’s How
These password monitors can help you find out.
Coming up with a strong, unique password and storing it in a browser or password manager isn’t good enough. You need to know if and when it was stolen in a password breach, so you can act quickly enough to change it before your personal information is potentially compromised. Here’s how.
It’s been some time since the massive Collections breaches of 2019 leaked literally billions of email addresses and passwords to the web ( go.pcworld.com/blem), putting the security of those accounts at risk. The problem users faced at the time was a limited number of ways to tell if they were actually at risk. Now, there are many password
monitoring services that will reveal if your password has been stolen. Most are designed to let you quickly take action and change passwords.
BASIC SERVICES TO REVEAL EMAIL BREACHES
Two reputable services to check this information existed at the time of the Collections breach and still do: Haveibeenpwned ( go.pcworld.com/ hvbn), and a service run by the HassPlatner-institut ( go.pcworld.com/hplt) in Potsdam, Berlin. Both ask you to enter your email address (not your password!), and both will then match your email address against a database of known breaches.
Both services have their appeal. Haveibeenpwned’s reputation attracts those who wish to publicize their attacks, so the site’s breach reporting seems comprehensive. The site will list the breaches that an email address has been caught up in, along with any corollary information—such as your gender or what your phone number is, for example. The site organizes the breaches by the service attacked, not the date. Why is this important? Because if your email was exposed in a breach in 2016, for example, chances are that you’ve changed your password since then. But if your email and password were exposed last month, you’ll want to change them right away.
Haveibeenpwned also publishes the breach information for any email address,
which is handy for checking up on friends and family, though the service isn’t the most privacy-conscious.
HPI’S service takes a different approach. It lists the breaches by date, along with a matrix of what information was exposed. If you enter an email address on the site, it will send a security report to that specific email, along with a color-coded chart of what data is at risk and from what breach.
BROWSERS ARE ADDING PASSWORD MONITORING FOR FREE
Both of the above services only reveal if a specific email address has been part of a breach, however—not if a non-email username—“billg,” say—has been exposed. Here, you’ll want a trusted service that knows you, as well as the passwords you’ve chosen. Don’t go chasing random sites to check your passwords—you’ll want to stick with a few trusted names. (Also, note that password monitoring is a paid service for most password managers—but not for those that exist within a web browser.)
Google Password Checkup
In 2019, Google added a free browser plugin for Chrome ( go.pcworld.com/brpl) that warned you, once you’d logged into a compromised site, if your email or password had been compromised. In October of 2019 Google began automatically checking passwords ( go.pcworld.com/chps) against breaches, and as of Chrome 79 Google began monitoring your online use ( go. pcworld.com/mnon) to protect you from getting “phished,” or lured into divulging your password under false pretenses.
Now, if you go to passwords.google. com and authenticate yourself, Google’s online Password Checkup will give you a quick dashboard of which passwords have been exposed in security breaches, which have been duplicated across various sites, and which you could improve with more complex passwords to keep them from being easily cracked in the event of a breach. There are also links to change the passwords on the sites themselves. However, this works only if you’ve stored passwords using Google itself.
Firefox Lockwise
Firefox Lockwise, part of the free Mozilla Firefox browser, works slightly differently. While it doesn’t offer the recommendations that Google does about redundant and weak passwords, its password monitoring feature otherwise works in a similar fashion. It also seems to work regardless of whether you’ve stored a password within Firefox or simply imported passwords from another browser. Like Google, though, it needs to “know” your password, which requires you to store it in the browser.
The easiest way to get to
Lockwise is by typing about:logins into the Firefox URL bar. If a password has been exposed, you’ll see a bright-red banner, the account and password in question, and a link to jump to the account in question. (It may also flag accounts that you may have already disabled, as it did with a Linkedin breach it showed for me, which had been tied to a previously used work account.)
Microsoft Edge Password Monitor
In January this year Microsoft released the much-anticipated Password Monitor feature within Microsoft Edge 88 ( go.pcworld.com/ uppm). Like the other similar password services offered by other browser makers, it is free.
PAID PASSWORD MONITORING: PASSWORD MANAGERS
We already review password managers ( go. pcworld.com/rvpm), which are hands-down the most convenient way to manage passwords. Below is a summary of which password managers do what in terms of monitoring.
Lastpass
While Lastpass offers a robust, free version of the password storage services that the browsers offer, password monitoring is a service that Logmein’s Lastpass service ( go. pcworld.com/lpsv) charges a monthly fee to access. Lastpass will keep an eye on the “dark web” in case a password leaks out— but it will also send you a notification when it does so, something that the browser makers don’t do yet. Is that heads-up worth the $3 Lastpass charges per month for the service? If you value locking down your personal data immediately, it might be.
Dashlane
Dashlane ( go. pcworld. com/dsrv), too, regards “dark web” monitoring as a service worth paying for, and the company charges $6.49 per month for it.
1Password
1Password ( go.pcworld.com/1psd) doesn’t offer a free tier, but its $2.49 per month basic service includes Watchtower ( go.pcworld. com/wtwr), which alerts you to compromised passwords, as well as those you should update because they’re weak. 1Password actually works with the Haveibeenpwned service to check your passwords (not your email) against its database of breached passwords. As an added security measure, 1Password send only part of your password (specifically, part of the password hash), collects all of the potential matches, and then checks them privately on your machine.
Other password managers tend to charge small fees for password monitoring, but who knows? It’s possible that the competitive influence of Microsoft and Google, plus Mozilla, may tug password monitoring back into a free service for years to come.