Given the abundance of password leaks over the past few years, it's normal to be concerned about whether your password has been stolen or not: just think about the Target stores data breach, the LinkedIn leak, or that huge Yahoo breach when users were prompted to change passwords in 2016. Even eBay users were affected in 2014… the list really does go on. Turns out there has been guidance published by the National Institute of Standards and Technology (NIST) for how sites should check potential passwords against previous leaks, but, as you'd expect, it takes time for sites to implement such measures.
What can you do until then? There are ways to check – if you really must know – if your password was stolen, and there are sites serving that checking purpose.
Login Notification Emails
Google, Apple, Twitter, and other services send email notifications of new sign-ins to their related accounts. If you are keeping an eye on your inbox, the email received will display information about the device, platform, time, and approximate location of the login, so users can match that info with their own and take action if they notice suspicious activity.
For example, users will get a login notification email after clearing all browser cookies, as the service will see the device used as a new one since the cookie stored in the browser is now gone. In this case the emails can be ignored, of course, but take immediate action if your records don't match with the information displayed in the email.
Password Breach Checkers
Just like with password security checkers, there are sites we can call password breach checkers. What they do is pretty simple: type the password into the field, and the site will compare it against a database of leaked passwords collected over the years in order to determine whether it was cracked or not.
Such a utility has been set up by Troy Hunt, the author of the HaveIBeenPwned website, which includes a subset of “Pwned Passwords”. These are hundreds of millions of real-world passwords exposed in data breaches, and Hunt made them searchable and downloadable for use in other online systems.
The password checker service was created after June 2017 when NIST released guidance specifically recommending that user-provided passwords be checked against existing data leaks. The database now contains up to 320 million unique passwords.
Anyone can check whether their password was pwned, but we don't recommend checking passwords you are actively using. We suggest that our readers protect their private data, and although learning whether one of their passwords has been leaked or not is important, it would be reckless to send an actively used password in plain text over the internet. So, what we recommend is that you check an earlier password and use a password manager to generate new, strong passwords to secure your online data.
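Because the list is downloadable, a password can also be checked without sending it anywhere. The sketch below is an added example, not code from HaveIBeenPwned or from this article: it hashes the candidate locally and streams through a local copy of the list. It assumes the download is a text file with one uppercase SHA-1 hex digest per line, optionally followed by `:count`; the function names and the sample data are constructed for illustration.

```python
import hashlib
import io

def sha1_hex(password: str) -> str:
    """Hash locally; only this digest is compared, the password never leaves the machine."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password: str, corpus_lines) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    corpus_lines is any iterable of text lines, so an open file handle on a
    multi-gigabyte download is streamed rather than loaded into memory.
    """
    target = sha1_hex(password)
    for raw in corpus_lines:
        line = raw.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        if digest.upper() == target:
            # Lists without a count column still mean "seen at least once".
            return int(count) if count.strip().isdigit() else 1
    return 0

def build_sample_corpus() -> str:
    """Constructed sample data: three well-known weak passwords, made-up counts."""
    rows = [("password", 1000), ("123456", 5000), ("qwerty", None)]
    lines = [sha1_hex(pw) + (f":{n}" if n is not None else "") for pw, n in rows]
    return "\n".join(sorted(lines)) + "\n"

if __name__ == "__main__":
    corpus = build_sample_corpus()
    for candidate in ["123456", "qwerty", "correct horse battery staple"]:
        hits = breach_count(candidate, io.StringIO(corpus))
        status = f"found, seen {hits}x" if hits else "not in list"
        print(f"{candidate!r}: {status}")
```

With a real download, pass the open file object as `corpus_lines` in place of the in-memory sample.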
How Password Managers Can Help
Using a password manager will help users fight password theft and keep their digital lives securely locked, due to their highly useful password security reminders. Such services remind users to change their password frequently and generate long, strong passwords, which require more work from a hacker.
The developers behind password managers also keep an eye on what is happening in the market and will issue a warning to users when a website has been hacked, without sending the developer data about the sites you visit. The developers usually keep an up-to-date database of hacked websites and compare it with the sites saved in the secure vault. This process is done locally. This feature, however, called Watchtower in 1Password and Security Challenge in LastPass, isn't on by default, so we recommend enabling it for additional security.
All these tools will help you regain confidence in online security, but be prepared. Keep an eye on the information arriving from these channels, and you'll be able to protect your digital life.