Coming up with a strong, unique password and storing it in a password manager or browser isn’t good enough. You need to know if and when your password was stolen in a password breach so that you can act quickly enough to change that password before your personal information is potentially compromised. Here’s how.
It has been some time since the massive "Collection" breaches of 2019 dumped billions of email addresses and passwords onto the web, compromising the accounts that used them. The problem users faced at the time was that there were few ways to see whether they were actually at risk. Now there are many password monitoring services that will reveal whether your password has been stolen, and many are designed so that you can quickly take action and change it.
Basic services to uncover email breaches
Two reputable services for checking this existed at the time of the Collection breaches and still do: HaveIBeenPwned, and a service operated by the Hasso-Plattner-Institut in Potsdam, near Berlin. Both ask you to enter your email address (not your password!), and both then compare that address against a database of known breaches.
Both services have their appeal. HaveIBeenPwned’s reputation attracts those who want to publicize their hacks, so its breach reporting seems comprehensive. The site lists the breaches in which an email address was exposed, along with any accompanying information that leaked, such as your gender or your phone number. The site organizes the breaches by the attacked service, not by date. Why does that matter? Because if your email address was exposed in a breach in 2016, for example, chances are your password has been changed since then. But if your email address and password were disclosed last month, you’ll want to change them right away.
HaveIBeenPwned also displays the breach information for any email address you enter, which is useful for checking on friends and family, although it is not the most privacy-conscious approach.
HPI’s service takes a different approach. It lists the breaches by date, along with a matrix of what information was exposed. When you enter an email address on the site, a security report is sent to that address, with a color-coded chart of which data is at risk and from which breach.
Browsers add free password monitoring
Both of the above services will only reveal whether a specific email address was part of a breach, but not if a non-email username – for example, ‘billg’ – has been exposed. Here you want a trusted service that knows you, as well as the passwords you have chosen. Don’t look for random sites to ‘check’ your passwords – you’ll want to stick to a few familiar names. (Also keep in mind that password monitoring is a paid service for most password managers, but not for password managers in a web browser.)
Google password check
In 2019, Google added a free browser extension for Chrome that warned you, when you logged into a site, if the email address or password you used there had been compromised. In October 2019, Google began checking saved passwords against breaches automatically, and starting with Chrome 79 it also began warning you about phishing, that is, being tricked into disclosing your password under false pretenses.
Now, if you go to passwords.google.com and sign in, Google’s online password checker shows a quick dashboard of which of your passwords have been exposed in breaches, which are reused across sites, and which are weak enough that they could be easily cracked if a breach occurred and should be replaced with more complex ones. There are also links to change the passwords on the sites themselves. However, this only works for passwords you have saved with Google.
Firefox Lockwise, part of the free Mozilla Firefox browser, works slightly differently. It doesn’t provide Google’s recommendations about reused and weak passwords, but its password monitoring works the same way. It also seems to work regardless of whether you saved a password in Firefox directly or imported it from another browser. Like Google, though, it must “know” your password, which requires you to save it in the browser.
The easiest way to get to Lockwise is to type about:logins in the Firefox URL bar.
If a password has been exposed, you will see a bright red banner, the account and password in question, and a link to go to that account. (It can also flag accounts you may have already closed, as it did with a LinkedIn breach it showed me that was linked to a previous work account.)
Microsoft Edge password monitor
Last year, Microsoft promised an upcoming Password Monitor within Microsoft Edge, and it will be rolled out soon as part of Microsoft Edge 88. Like the other similar services offered by other browser makers, it will be free.
Paid Password Guarding: Password Managers
We have already reviewed password managers, which are hands down the most convenient way to manage passwords. Below is a summary of what each password manager does in the area of monitoring.
While LastPass offers a robust free version of the password storage that browsers provide, password monitoring is something LogMeIn’s LastPass charges for. LastPass monitors the “dark web” in case a password leaks, and it notifies you when one does, something the browser makers don’t yet do. Is that heads-up worth LastPass’s $3 monthly fee for the service? If you value having your personal information locked down immediately, it may be.
Dashlane also treats “dark web” monitoring as a paid service and charges $6.49 per month.
1Password doesn’t offer a free tier, but its basic $2.49/month service includes what the company calls “Watchtower,” which warns you of compromised passwords as well as passwords that should be updated because they are weak. 1Password works with the HaveIBeenPwned service to check your passwords (not your email address) against its database of breached passwords. As an added security measure, 1Password sends only part of your password (specifically, part of the password hash), collects all possible matches, and then checks them privately on your computer.
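As an added illustration (not 1Password’s or HaveIBeenPwned’s own code), the following Python models the partial-hash check described above, following the Pwned Passwords range scheme: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned candidate suffixes locally, so the full hash never leaves the machine. The breached-password list and its counts are constructed for the example, and the server side is simulated in-process.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus: plaintexts with
# made-up "times seen" counts. A real service stores only the hashes.
LEAKED_PASSWORDS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 150_000,
    "qwerty": 1_200_000,
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the hash form used by the range scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Simulated server: index every breached hash by its first five hex chars.
RANGE_INDEX: dict[str, list[str]] = defaultdict(list)
for _pw, _count in LEAKED_PASSWORDS.items():
    _digest = sha1_hex(_pw)
    RANGE_INDEX[_digest[:5]].append(f"{_digest[5:]}:{_count}")

def range_lookup(prefix: str) -> str:
    """Server side: return every 'SUFFIX:COUNT' line sharing the prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\n".join(RANGE_INDEX.get(prefix.upper(), []))

def check_password(password: str, lookup=range_lookup) -> tuple[str, int, int]:
    """Client side: send only the prefix, match the suffix locally.

    Returns (prefix_sent, candidates_received, times_seen); times_seen is 0
    when the password is not in the corpus.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = lookup(prefix)  # the only value that leaves the machine is `prefix`
    candidates = [line for line in body.splitlines() if line]
    for line in candidates:
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return prefix, len(candidates), int(count)
    return prefix, len(candidates), 0

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3"):
        sent, n, seen = check_password(pw)
        print(f"{pw!r}: sent prefix {sent}, {n} candidate(s), seen {seen} times")
```

Because only five hex characters are sent, the server sees roughly one sixteenth of a million possible prefixes and cannot tell which of the returned candidates, if any, was the user’s actual password.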
Other password managers often charge small fees for password monitoring, but who knows? It’s possible the competitive influence of Microsoft and Google, plus Mozilla, will pull password monitoring back to a free service in the coming years.