Coming up with a strong, unique password and storing it in a password manager or browser isn’t good enough. You need to know if and when your password was stolen in a password breach, so you can act quickly enough to change that password before your personal information is potentially compromised. Here’s how.
It’s been some time since the massive Collections breaches of 2019 leaked literally billions of email addresses and passwords to the web, putting the security of those accounts at risk. The problem users faced at the time was a limited number of ways to tell if they were actually at risk. Now, there are many password monitoring services that will reveal if your password has been stolen. Many are designed to let you quickly take action and change them.
Two reputable services to check this information existed at the time of the Collections breach, and still do: HaveIBeenPwned, and a service run by the Hass-Platner-Institut in Potsdam, Berlin. Both ask you to enter your email address (not your password!), and both will then match your email address against a database of known breaches.
Both services have their appeal. HaveIBeenPwned’s reputation attracts those who wish to publicize their attacks, so the site’s breach reporting seems comprehensive. The site will list the breaches that an email address has been caught up in, along with any corollary information—such as your gender or what your phone number is, for example. The site organizes the breaches by the service attacked, not the date. Why is this important? Because if your email was exposed in a breach in 2016, for example, chances are that your password has been changed since then. But if your email and password were exposed last month, you’ll want to change them right away.
HaveIBeenPwned also publishes the breach information for any email address, which is handy for checking up on friends and family, though it isn’t the most privacy-conscious.
HPI’s service takes a different approach. It lists the breaches by date, along with a matrix of what information was exposed. If you enter an email address on the site, it will send a security report to that specific email, along with a color-coded chart of what data is at risk, and from what breach.
Browsers are adding password monitoring for free
Both of the above services only reveal if a specific email address has been part of a breach, however—not if a non-email username—“billg,” say—has been exposed. Here, you’ll want a trusted service that knows you, as well as the passwords that you’ve chosen. Don’t go chasing random sites to “check” your passwords—you’ll want to stick with a few trusted names. (Also, note that password monitoring is a paid service for most password managers—but not for password managers within a web browser.)
Now, if you go to passwords.google.com and authenticate yourself, Google’s online Password Checkup will give you a quick dashboard of which passwords have been exposed in security breaches, which have been duplicated across various sites, and which could be improved with more complex passwords to avoid being easily cracked if a breach were to occur. There are also links to change the passwords on the sites themselves. However, this works only if you’ve stored passwords using Google itself.
Firefox Lockwise, part of the free Mozilla Firefox browser, works in a slightly different manner. It doesn’t offer the recommendations that Google does about redundant and weak passwords, but its password monitoring feature otherwise works similarly. It also seems to work regardless of whether you’ve stored a password within Firefox, or simply imported passwords from another browser. Like Google, though, it needs to “know” your password, which requires you to store it in the browser.
The easiest way to get to Lockwise is by typing about:logins into the Firefox URL bar.
If a password has been exposed, you’ll see a bright-red banner, the account and password in question, and a link to jump to the account in question. (It may also flag accounts that you may have already disabled, as it did with a LinkedIn breach it showed for me, which had been tied to a previous work account.)
We already review password managers, which are hands-down the most convenient way to manage passwords. Below is a summary of which password managers do what in terms of monitoring.
While LastPass offers a robust, free version of the password storage services that the browsers offer, password monitoring is a service that LogMeIn’s LastPass service charges for. LastPass will keep an eye on the “dark web” in case a password leaks out—but it will also send you a notification when it does so, something that the browser makers don’t do yet. Is that heads-up worth the $3 LastPass charges per month for the service? If you value locking down your personal data immediately, it might be.
Dashlane, too, regards “dark web” monitoring as a paid service, and charges $6.49 per month for it.
1Password doesn’t offer a free tier, but its $2.49/month basic service includes what the company calls “Watchtower,” which alerts you to compromised passwords, as well as those that should be updated because they’re weak. 1Password actually works with the HaveIBeenPwned service to check your passwords (not your email) against its database of breached passwords. But as an added security measure, 1Password send only part of your password (or, specifically, part of the password hash), collects all of the potential matches, then checks them privately on your machine.
Other password managers tend to charge small fees for password monitoring, but who knows? It’s possible that the competitive influence of Microsoft and Google, plus Mozilla, may tug password monitoring back into a free service for years to come.