A lot of websites have leaked passwords. Hackers can download databases of usernames and passwords and use them to hack your accounts. This is why you should not reuse passwords for important websites: a leak from one site can give hackers all they need to sign in to other accounts.
Have I Been Pwned?
Troy Hunt’s Have I Been Pwned website maintains a database of username and password combinations taken from publicly available breaches that can be found through various sites on the web or dark web. This database just makes it easier to check them yourself without visiting sketchier parts of the web.
To use this tool:
- Go to the main Have I Been Pwned? page and search for a username or email address.
The results tell you whether your username or email address has ever appeared in a leaked database. Repeat this process to check multiple email addresses or usernames. You’ll see which leaked password dumps your email address or username appears in, which in turn gives you information about passwords that might have been compromised.
- If you want to get an email notification should your email address or username appear in a future leak, click the “Notify me when I get pwned” link.
You can also search for a password to see whether it has ever appeared in a leak.
To see if a password has ever appeared in a leak:
- Head to the Pwned Passwords page on the Have I Been Pwned? website.
- Type a password in the box, and then click the “pwned?” button.
You’ll see whether the password is in one of these databases and how many times it’s been seen. Repeat this as many times as you like to check additional passwords.
Be warned: never type your password into third-party websites that ask you for it. A dishonest website can use this to steal your password. We recommend you only use the Have I Been Pwned? site, which is widely trusted and explains how your password is protected. In fact, the popular password manager 1Password now has a button that uses the same API as the website, so it sends hashed copies of your passwords to this service, too. If you want to check whether your password has been leaked, use this service.
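How a client can check a password against this service without sending the password itself, shown as an added example (not code from Have I Been Pwned or 1Password): the Pwned Passwords range API receives only the first five hex characters of the password's SHA-1 hash and returns the matching hash suffixes with counts. The response body, its counts and the `sample_fetch` helper are constructed here so the block runs offline.

```python
import hashlib
import urllib.request

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts

def times_seen(password: str, fetch_range) -> int:
    """Return how often the password appears; the comparison happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_https(prefix: str) -> str:
    """Live lookup against the range endpoint (needs network; not used below)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("ascii")

# Constructed sample data: two decoy suffixes plus the suffix of SHA-1("password").
DECOYS = f"{'0' * 34}A:3\r\n{'F' * 35}:1\r\n"
SAMPLE_RANGES = {"5BAA6": DECOYS + "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"}
SENT_PREFIXES = []  # everything that would have left the machine

def sample_fetch(prefix: str) -> str:
    """Offline stand-in for the service (hypothetical helper for this example)."""
    SENT_PREFIXES.append(prefix)
    return SAMPLE_RANGES.get(prefix, DECOYS)

if __name__ == "__main__":
    for pw in ("password", "a long constructed passphrase 7291"):
        print(repr(pw), "seen", times_seen(pw, sample_fetch), "times")
    print("sent to service:", SENT_PREFIXES)
```

Passing `fetch_range_https` instead of `sample_fetch` performs the same check against the live service; in both cases only the five-character prefix is transmitted.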
If an important password you use has been leaked, change it immediately. You should use a password manager so it’s easy to set strong, unique passwords for each important site you use. Two-factor authentication can also help protect your critical accounts, as it will prevent hackers from reaching them without an additional security code—even if they know the password.
LastPass has a similar feature integrated into its Security Challenge.
- To access it from a LastPass browser extension, click the LastPass icon on your browser’s toolbar, and then select More Options > Security Challenge.
LastPass finds a list of email addresses in your database and asks if you want to check whether they’ve ever appeared in any leaks. If you agree, LastPass checks them against a database and sends information about any leaks to those addresses via email.
LastPass also offers a view of “Compromised” passwords here. This list shows you which websites have had security breaches since you last changed your password on them, which means your password could potentially have leaked.
The web-based version of the 1Password password manager can now check whether your passwords have been leaked, too. In fact, 1Password uses the same Have I Been Pwned? service we discussed above. It has an integrated “Check Password” button that automatically submits the password to the service and provides a response. In other words, it works the same way as using the Have I Been Pwned? website.
If you’re a 1Password user, you can take advantage of this service.
- Sign into your account on 1Password.com.
- Click “Open Vault” and then click one of your accounts.
- Press Shift+Control+Option+C on a Mac or Shift+Ctrl+Alt+C on Windows, and you’ll see a “Check Password” button that checks if your password appears in the Have I Been Pwned? database.
It’s a new, experimental feature, so it’s hidden for now, but it should be integrated into future versions of 1Password in a better way.
This feature will also be incorporated into 1Password’s Watchtower feature sometime later. The Watchtower feature warns you from within the 1Password application if any passwords you’ve saved are potentially vulnerable and need to be changed.
The most important thing you can do is to not reuse passwords, at least for important websites. Your email, online banking, shopping, social media, business, and other critical accounts should all have their own unique passwords, so a leak by one website doesn’t put any other accounts at risk. Password managers make strong, unique passwords practical, so you don’t have to remember a hundred different passwords.